Mobile Application Management (MAM) Server Security Technical Implementation Guide (STIG)
Update existing CKLs to this version of the STIG
This STIG provides technical security controls required for the use of a MAM server to manage applications installed on mobile devices in the DoD environment.
The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
The required mobile device management server version (or later) must be used.
Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.System AdministratorECSC-1
The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the management server.System AdministratorInformation Assurance OfficerECSC-1
The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.System AdministratorInformation Assurance OfficerECSC-1
The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.System AdministratorIATS-1
Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server support AD authentication.System AdministratorInformation Assurance OfficerIAIA-1, IATS-1
The MAM server must be able to obtain applications from a DoD- managed application store.
Applications installed on the device must come from approved sources to ensure the security baseline of the device is not compromised by the application, otherwise sensitive DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised. If the MAM obtains applications from unauthorized sources, the application could contain malware and modify the security baseline of the mobile device, which may result in the exposure of sensitive DoD data.System AdministratorDCSQ-1
The MAM server must install required applications on managed mobile devices.
Some required applications are used to implement required security controls, which affect the security baseline of the device. If the security baseline is not maintained, sensitive DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised.
The MAM server must manage a list of authorized applications (white list) by device account and by group account.
Application white list enforcement ensures only authorized applications are installed on managed mobile devices. An unauthorized application could contain malware. In addition, the white list feature ensures malware from an email attachment or from a web site has not been installed on the device.System AdministratorDCPR-1
The MAM server must be configured to prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed.
Some required applications are used to implement required security controls, which affect the security baseline of the device. If the security baseline is not maintained, sensitive DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised.System AdministratorDCPR-1
The MAM server must scan the list of installed applications on managed mobile devices every 6 hours or less to determine if unapproved applications are installed.
An unauthorized application could contain malware or be a malware application. System AdministratorECAT-1
The MAM server must manage the installation of updates and patches for installed applications on managed mobile devices.
Timely installation of application patches is a key mitigation action against compromise of an IT system by known attack methods.
The MAM server must allow the inspection of installed applications on managed mobile devices.
The MAM must be able to determine key attributes of managed applications to ensure only authorized applications are installed on the device.System AdministratorDCPR-1
The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.System AdministratorIAKM-1
The MAM server must take predefined actions if unapproved applications are found after a scan of managed mobile devices.
An unauthorized application could contain malware or be a malware application. If the malware is not removed in a timely manner, DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised.System AdministratorECAT-1