Verify that concurrent sessions are limited for privileged users: On the Admin page, for each privileged user, go to Actions >> Edit Role and verify "Enforce single session (all spaces)" is selected. If "Enforce single session (all spaces)" is not selected for each privileged user, this is a finding.
Limit the number of concurrent sessions with the following procedure: In the Admin Portal, go to Admin >> Actions >> Edit Role and select "Enforce single session (all spaces)".
Verify the session timeout is set to 15 minutes or less. In the Admin Portal, go to Settings >> General >> Timeout. Verify the session timeout is set to 5, 10, or 15. If the session timeout is not set to 5, 10, or 15, this is a finding.
Configure the session timeout with this procedure: In the Admin Portal, go to Settings >> General >> Timeout. From the dropdown menu, choose a timeout value of 5, 10, or 15 minutes.
Verify the Ivanti EPMM server is configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. In the Core server, navigate to Settings >> Security >> Password Policy. Verify "Number of Failed attempts" is set to 3 and "Auto-Lock Time" is set to 900 seconds. If either "Number of Failed attempts" is not set to 3 or "Auto-Lock Time" is not set to 900 seconds, this is a finding.
Configure the Ivanti EPMM server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. Go to Settings >> Security >> Password Policy. Set Number of Failed attempts to 3 and set Auto-Lock Time to 900 seconds.
Review MDM server documentation and configuration settings to determine whether the MDM server displays the warning banner and whether the wording of the banner is the required text. On the MDM console, do the following:
SSH console:
1. Connect to the MobileIron Core Server using SSH.
2. Type in a user name and press Enter.
3. Verify the required banner is displayed before the password prompt. The required text is found in the Vulnerability Discussion.
If the required banner is not presented, this is a finding.
System Manager portal:
1. Connect to the MobileIron Core Server System Manager portal using a web browser.
2. Verify the required banner is displayed on the web page. The required text is found in the Vulnerability Discussion.
If the required banner is not presented, this is a finding.
Administrator portal:
1. Connect to the MobileIron Core Server administrator portal using a web browser.
2. Verify the required banner is displayed on the web page.
If the required banner is not presented, this is a finding.
Configure the MDM server to display the appropriate warning banner text. On the MDM console, do the following:
1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.
2. Select Settings on the web page.
3. Select General on the web page.
4. Select Login on the web page.
5. Check "Enable Login Text Box" on the web page.
6. Type the required banner text in the "Text to Display" dialog on the web page.
7. Select "Save" on the web page.
Verify Core is configured to alert the ISSO and SA in the event of an audit processing failure: In the Core console, go to Logs >> Event Settings >> Add New System Event. Verify "System Storage Threshold has been reached" is checked. If "System Storage Threshold has been reached" is not checked, this is a finding.
Configure Core to alert the ISSO and SA in the event of an audit processing failure: In the Core console, go to Logs >> Event Settings >> Add New System Event and ensure "System Storage Threshold has been reached" is checked.
Verify that Splunk is configured for automated log export.
Step 1: Verify the Splunk Forwarder is enabled.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Verify that the "Enable" toggle is ON and "Running" is displayed.
If the "Enable" toggle is not ON or "Running" is not displayed, this is a finding.
Step 2: Verify that a Splunk Indexer is configured.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Verify that there is an entry and the Status is "Connected".
If there is no entry for Splunk Indexer or the Status is "Not Connected", this is a finding.
Step 3: Verify "Audit Log" is enabled in the Splunk "Data to Index".
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Verify "Audit Log" is included in the "Data To Index".
If "Audit Log" is not included in the "Data To Index", this is a finding.
Note: Syslog can be used instead of Splunk.
Complete the following activities to configure the transfer of MobileIron Core 10 server logs. Configure Splunk for automated log export:
Step 1: Enable the Splunk Forwarder on Core so it can push data to the Splunk Indexer.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to Splunk Forwarder.
4. Click Apply >> OK to save the changes.
Step 2: Add a Splunk Indexer to specify which external Splunk Indexer will receive and process the data from the Splunk Forwarder.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the "Add Splunk Indexer" window.
4. Modify the fields as necessary. The fields in the "Add Splunk Indexer" window are:
- Splunk Indexer: the IP address of your Splunk Enterprise Server.
- Port: the port of your Splunk Enterprise Server.
- Enable SSL: check this box to enable SSL.
5. Click Apply >> OK to save the changes.
Step 3: Configure Splunk Data to select which data the Splunk Forwarder sends to the Splunk Indexer.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields as necessary.
- Click "Show/Hide Advanced Options" to further customize which data to send to Splunk.
- Check "Audit Log" at a minimum.
4. Click Apply >> OK.
5. Restart the Splunk Forwarder by disabling it and then enabling it again:
a. Go to Settings >> Services.
b. Select "Disable" next to Splunk Forwarder.
c. Click Apply >> OK.
d. Select "Enable" next to Splunk Forwarder.
6. Click Apply >> OK to save the changes.
Note: Syslog can be used instead of Splunk.
Verify the MDM server leverages the MDM platform user accounts and groups for MDM server user identification and authentication. On the MDM console, do the following:
1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.
2. Select "Services" on the web page.
3. Select "LDAP" on the web page.
4. Click the edit icon on an existing LDAP configuration to be tested.
5. Select "Test" on the LDAP server configuration dialog.
6. Enter a valid LDAP user ID and select "Submit".
7. Verify the LDAP query is successful and shows user attributes in a dialog box.
Note: All administrator accounts must be configured for LDAP authentication unless a select number of local accounts have been approved by the AO. Verify AO approval if local accounts (not using LDAP authentication) are configured on the Core server.
If the MDM server does not leverage the MDM platform user accounts and groups for MDM server user identification and authentication, this is a finding.
Configure the MDM server to leverage the MDM platform user accounts and groups for MDM server user identification and authentication. On the MDM console, do the following:
1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.
2. Select "Services" on the web page.
3. Select "LDAP" on the web page.
4. Select "Add New" (or click the edit icon on an existing LDAP configuration).
5. Complete the LDAP configuration dialog, providing the URL for the LDAP server, an alternate URL if there is a backup LDAP server, and the user ID and password for the LDAP server. For additional settings, see the "Configuring LDAP Servers" section in the On-Premise Installation Guide.
6. Select "Save" to save the LDAP configuration.
Note: All administrator accounts will be configured to use LDAP-based authentication unless there is an operational need for a select number of local accounts, with the approval of the AO.
Verify a 15-character length for local user accounts has been configured: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Verify the Min Password Length is set to 15. If the Min Password Length is not set to 15, this is a finding.
Configure a 15-character length for local user accounts: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Set Min Password Length to 15.
Verify Core is configured to enforce password history reuse of four last passwords: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Verify "Enforce Password History (Last 4 passwords)" is enabled. If "Enforce Password History (Last 4 passwords)" is not enabled, this is a finding.
Configure Core to enforce password history reuse of four last passwords: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Check "Enable" for "Enforce Password History (Last 4 passwords)".
Verify the local user account uses at least one uppercase character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Verify "Upper Case" is checked. If "Upper Case" is not checked, this is a finding.
Configure a password with at least one uppercase character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Check "Upper Case".
Verify the local user account uses at least one lowercase character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Verify "Lower Case" is checked. If "Lower Case" is not checked, this is a finding.
Configure a password with at least one lowercase character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Check "Lower Case".
Verify the local user account uses at least one numeric character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Verify "Numeric" is checked. If "Numeric" is not checked, this is a finding.
Configure a password with at least one numeric character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Check "Numeric".
Verify the local user account uses at least one special character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Verify "Special" is checked. If "Special" is not checked, this is a finding.
Configure a password with at least one special character: 1. Log in to the Core console. 2. Security >> Password Policy. 3. Check "Special".
Verify MobileIron Core is in FIPS mode. SSH to the command-line console of the Core. Enter enable >> show fips. Verify FIPS mode is configured. If FIPS mode is not configured, this is a finding.
Configure Core to be in FIPS mode. SSH to the command-line console of the Core. Enter enable >> show fips. Enter configure fips >> reload.
Review the MDM server or platform configuration and verify the server is configured to lock after 15 minutes of inactivity. If, in the Admin Portal, Settings >> General >> Timeout is not set to 15 minutes or less, this is a finding. The current value for the session timeout will be displayed in minutes.
Configure the MDM server or platform to lock the server after 15 minutes of inactivity. In the Admin Portal, go to Settings >> General >> Timeout. From the dropdown menu, choose a timeout value of 5, 10, or 15 minutes.
Verify that Splunk is configured for automated log export.
Step 1: Verify that the Splunk Forwarder is enabled.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Verify that the "Enable" toggle is ON and "Running" is displayed.
If the "Enable" toggle is not ON or "Running" is not displayed, this is a finding.
Step 2: Verify that a Splunk Indexer is configured.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Verify that there is an entry and the Status is "Connected".
If there is no entry for Splunk Indexer or the Status is "Not Connected", this is a finding.
Step 3: Verify "Audit Log" is enabled in the Splunk "Data to Index".
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Verify "Audit Log" is included in the "Data To Index".
If "Audit Log" is not included in the "Data To Index", this is a finding.
Note: Syslog can be used instead of Splunk.
Complete the following activities to configure the transfer of MobileIron Core 10 server logs. Configure Splunk for automated log export:
Step 1: Enable the Splunk Forwarder on Core so it can push data to the Splunk Indexer.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to Splunk Forwarder.
4. Click Apply >> OK to save the changes.
Step 2: Add a Splunk Indexer to specify which external Splunk Indexer will receive and process the data from the Splunk Forwarder.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the "Add Splunk Indexer" window.
4. Modify the fields, as necessary, in the "Add Splunk Indexer" window. The fields in this window are:
- Splunk Indexer: the IP address of your Splunk Enterprise Server.
- Port: the port of your Splunk Enterprise Server.
- Enable SSL: check this box to enable SSL.
5. Click Apply >> OK to save the changes.
Step 3: Configure Splunk Data to select which data the Splunk Forwarder sends to the Splunk Indexer.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields, as necessary.
- Click "Show/Hide Advanced Options" to further customize which data to send to Splunk.
- Check "Audit Log" at a minimum.
4. Click Apply >> OK.
5. Restart the Splunk Forwarder by disabling it, then enabling it again:
a. Go to Settings >> Services.
b. Select "Disable" next to Splunk Forwarder.
c. Click Apply >> OK.
d. Select "Enable" next to Splunk Forwarder.
6. Click Apply >> OK to save the changes.
Note: Syslog can be used instead of Splunk.
Verify the MDM server is configured with a TLS server certificate that chains to a DoD Certificate Authority. Go to Certificate Manager >> System Manager >> Security >> Certificate Management >> Portal HTTPS. Verify DoD certificates are installed. If DoD digital certificates are not installed on Core, this is a finding.
Configure the MDM server with DoD digital certificates. Go to System Manager >> Security >> Certificate Management >> Portal HTTPS and install the DoD certificate chain.
Verify the Core server version is a supported version. This requirement is Not Applicable for the cloud version of Core. The list of currently supported on-prem versions of Core server is here: https://help.ivanti.com/mi/help/en_us/EML/3.16.1/rni/Content/EmailPlusiOSReleaseNotes/Support_and_compatibilit.htm
Log on to the Core console and determine the installed version of Core:
1. Click the round person icon in the top right corner of the Core console.
2. In the drop-down menu, select "About".
3. View the version of Core that is installed.
4. Verify the version is a supported version.
If the installed version of the Core server is not a supported version, this is a finding.
Update Core to the most current version. If using the cloud version of Core, this requirement is automatically met.
Review the MDM server configuration settings and verify the server is configured with a periodicity for reachable events of six hours or less for the following commands to the agent:
- query connectivity status;
- query the current version of the MD firmware/software;
- query the current version of the hardware model of the device;
- query the current version of installed mobile applications;
- read audit logs kept by the MD.
Verify the sync interval for a device:
1. In the Admin Portal, go to Policies & Config >> Policies.
2. Select the default sync policy.
3. Verify that the Sync Interval is set to 360 minutes or less.
If the Sync Interval is not set to 360 minutes or less, this is a finding.
Configure the MDM server with a periodicity for reachable events of six hours or less for the following commands to the agent:
- query connectivity status;
- query the current version of the MD firmware/software;
- query the current version of the hardware model of the device;
- query the current version of installed mobile applications;
- read audit logs kept by the MD.
Configure the sync interval for a device. To configure the frequency for starting the synchronization process between a device and MobileIron Core:
1. In the Admin Portal, go to Policies & Config >> Policies.
2. Select the default sync policy.
3. Set Sync Interval to the number of minutes between synchronizations, which must be 360 minutes or less.
4. Click "Save".
On the MDM console, do the following:
1. SSH to MobileIron Core Server from any SSH client.
2. Enter the administrator credentials you set when you installed MobileIron Core.
3. Enter show fips.
4. Verify "FIPS 140 mode is enabled" is displayed.
If the MobileIron Core Server does not report that FIPS mode is enabled, this is a finding.
Configure the MDM server to use a FIPS 140-2 validated cryptographic module. On the MDM console, do the following:
1. SSH to MobileIron Core Server from any SSH client.
2. Enter the administrator credentials you set when you installed MobileIron Core.
3. Enter enable.
4. When prompted, enter the enable secret you set when you installed MobileIron Core.
5. Enter configure terminal.
6. Enter the following command to enable FIPS: fips
7. Enter the following command to proceed with the necessary reload: do reload
Verify that Splunk is configured for automated log export.
Step 1: Verify that the Splunk Forwarder is enabled.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Verify that the "Enable" toggle is ON and "Running" is displayed.
If the "Enable" toggle is not ON or "Running" is not displayed, this is a finding.
Step 2: Verify that a Splunk Indexer is configured.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Verify that there is an entry and the Status is "Connected".
If there is no entry for Splunk Indexer or the Status is "Not Connected", this is a finding.
Step 3: Verify "Audit Log" is enabled in the Splunk "Data to Index".
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Verify "Audit Log" is included in the "Data To Index".
If "Audit Log" is not included in the "Data To Index", this is a finding.
Complete the following activities to configure the transfer of MobileIron Core 11 server logs. Configure Splunk for automated log export:
Step 1: Enable the Splunk Forwarder on Core so it can push data to the Splunk Indexer.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to Splunk Forwarder.
4. Click Apply >> OK to save the changes.
Step 2: Add a Splunk Indexer to specify which external Splunk Indexer will receive and process the data from the Splunk Forwarder.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the "Add Splunk Indexer" window.
4. Modify the fields, as necessary, in the "Add Splunk Indexer" window. The fields in this window are:
- Splunk Indexer: the IP address of your Splunk Enterprise Server.
- Port: the port of your Splunk Enterprise Server.
- Enable SSL: check this box to enable SSL.
5. Click Apply >> OK to save the changes.
Step 3: Configure Splunk Data to select which data the Splunk Forwarder sends to the Splunk Indexer.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields, as necessary.
- Click "Show/Hide Advanced Options" to further customize which data to send to Splunk.
- Check "Audit Log" at a minimum.
4. Click Apply >> OK.
5. Restart the Splunk Forwarder by disabling it, then enabling it again:
a. Go to Settings >> Services.
b. Select "Disable" next to Splunk Forwarder.
c. Click Apply >> OK.
d. Select "Enable" next to Splunk Forwarder.
6. Click Apply >> OK to save the changes.
Review the MDM server documentation, Mobile Device Management Protection Profile Guide. If Core is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.
Configure the MDM Server per the Mobile Device Management Protection Profile and this document.
On the MDM console, do the following:
1. SSH to MobileIron Core Server from any SSH client.
2. Enter the administrator credentials you set when you installed MobileIron Core.
3. Enter show fips.
4. Verify "FIPS 140 mode is enabled" is displayed.
If the MobileIron Core Server does not report that FIPS mode is enabled, this is a finding.
Configure the MDM server to use a FIPS 140-2 validated cryptographic module. On the MDM console, do the following:
1. SSH to MobileIron Core Server from any SSH client.
2. Enter the administrator credentials you set when you installed MobileIron Core.
3. Enter enable.
4. When prompted, enter the enable secret you set when you installed MobileIron Core.
5. Enter configure terminal.
6. Enter the following command to enable FIPS: fips
7. Enter the following command to proceed with the necessary reload: do reload
Verify the Ivanti EPMM server has been configured to lock administrator accounts after three unsuccessful login attempts. Log in to the Core Admin Console >> Settings >> Security >> Password Policy. Verify "Number of Failed attempts" is set to "3". If the Ivanti EPMM server does not lock administrator accounts after three unsuccessful login attempts, this is a finding.
Configure the Ivanti EPMM server to lock administrator accounts after three unsuccessful login attempts. Log in to the Core Admin Console >> Settings >> Security >> Password Policy. Set "Number of Failed attempts" to "3".
Verify the Ivanti EPMM server has been configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded. Log in to the Core Admin Console >> Settings >> Security >> Password Policy. Verify "Auto-Lock Time" is set to 15 minutes (900 seconds). If the Ivanti EPMM server does not lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded, this is a finding.
Configure the Ivanti EPMM server to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded. Log in to the Core Admin Console >> Settings >> Security >> Password Policy. Set "Auto-Lock Time" to 15 minutes (900 seconds).