IBM MaaS360 v2.3.x MDM Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2016-02-24

Updated At: 2018-09-23 02:53:40


Rule: SV-80121r1_rule
Version: M360-01-000100
CCI: CCI-000048
Severity: LOW
Title: Before establishing a user session, the MaaS360 Server must display an administrator-specified advisory notice and consent warning message regarding use of the MaaS360 Server.
Description: Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to

Rule: SV-80123r1_rule
Version: M360-01-000700
CCI: CCI-000366
Severity: MEDIUM
Title: The MaaS360 Server must be configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; e. Auditor.
Description: Having several roles for the MaaS360 Server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group.

Rule: SV-80125r1_rule
Version: M360-01-003800
CCI: CCI-000129
Severity: MEDIUM
Title: The MaaS360 Server must be configured to enable all required audit events: Failure to push a new application on a managed mobile device.
Description: Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. SFR ID: FAU_GEN.1.1(2) Refinement

Rule: SV-80127r1_rule
Version: M360-01-003850
CCI: CCI-000129
Severity: MEDIUM
Title: The MaaS360 Server must be configured to enable all required audit events: Failure to update an existing application on a managed mobile device.
Description: Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. SFR ID: FAU_GEN.1.1(2) Refinement

Rule: SV-80129r1_rule
Version: M360-01-005300
CCI: CCI-000015
Severity: MEDIUM
Title: The MaaS360 Server must leverage the MDM Platform user accounts and groups for MaaS360 Server user identification and authentication.
Description: A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MaaS360 Server infrastructure is

Rule: SV-80131r1_rule
Version: M360-01-010400
CCI: CCI-000057
Severity: MEDIUM
Title: The MaaS360 server platform must be protected by a DoD-approved firewall.
Description: Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide

Rule: SV-80133r1_rule
Version: M360-01-010500
CCI: CCI-001749
Severity: MEDIUM
Title: The firewall protecting the MaaS360 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
Description: Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since MDM server is a critical compon

Rule: SV-80135r1_rule
Version: M360-01-020400
CCI: CCI-002699
Severity: MEDIUM
Title: The MaaS360 Agent must be configured to alert via the trusted channel to the MaaS360 Server for the following event: change in enrollment status.
Description: Alerts providing notification of a change in enrollment state facilitate verification of the correct operation of security functions. When a MaaS360 Server receives such an alert from a MaaS360 Agent, it indicates that the security policy may no longer be