Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)
Update existing CKLs to this version of the STIG
This STIG provides technical security controls required for the use of a MDM server to manage mobile devices in the DoD environment. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
The required mobile device management server version (or later) must be used.
Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.System AdministratorECSC-1
The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the management server.System AdministratorInformation Assurance OfficerECSC-1
The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.System AdministratorInformation Assurance OfficerECSC-1
Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices.
The secure connection from the smartphone to the MDM server can be used by the mobile device to allow a user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications. Many MDM servers have the capability to proxy the authentication credentials for the mobile device user to the network. (The network views the connection request as if it is coming from the MDM server, not the mobile device user, therefore the server must proxy network authentication on behalf of the user.) In the DoD environment where CAC authentication to the network is required, the MDM server must have the capability to proxy (pass to Active Directory) the user’s CAC authentication, but most MDM servers cannot support this capability; therefore connections to back-office servers via the MDM server must be disabled.System AdministratorInformation Assurance OfficerECSC-1
Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies.
The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant policy may not meet critical (CAT I and CAT II) security requirements. DoD enclaves are at risk of data exposure and hacker attack if devices are assigned default or other non-STIG compliant security/IT policies.System AdministratorInformation Assurance OfficerECSC-1
The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.)
Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user’s digital certificate has to be accessed when a PKI encryption or authentication operation takes place. The PIN should only be cached for a limited time period; otherwise the user’s digital certificates could be exposed to unauthorized individuals if the mobile device is lost or stolen.System AdministratorECSC-1
The Over-The-Air (OTA) device provisioning password must have expiration set.
The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized individuals do not have the capability to set up rogue devices on the network. Note Active Directory credentials should not be utilized for the OTA provisioning password.
OTA Provisioning PIN reuse must not be allowed.
The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.System AdministratorECWN-1
The MDM server must enable an MDM security profile on each managed iOS device.
Sensitive DoD data could be compromised if an MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS MDM security profile is removed access to the protected Government data inside the security container will not be allowed. The user must be forced to re-install the MDM security profile before gaining access. The mobile device will report the removal and implementation of the MDM security profile to the MDM management server.System AdministratorECWN-1
The MDM server must define the required mobile device hardware versions.
Older devices do not support required security features. Therefore, sensitive data could be at risk of being exposed if required security features are not available.System AdministratorECWN-1
The MDM server must implement jailbreak detection on managed mobile devices.
If a device is jailbroken, the user may have the ability to install unauthorized software that might disclose sensitive DoD information or attack other systems. The MDM should alert if there are indicators that the device has been jailbroken so actions, such as wiping the device, can be implemented to protect device data. For iOS, jailbreak detection by a third-party application is limited; therefore, this requirement is a defense-in-depth control to supplement iOS jailbreak controls. System AdministratorECWN-1
The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.System AdministratorIATS-1
S/MIME must be enabled on the server.
Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.System AdministratorECCR-1
Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server support AD authentication.System AdministratorInformation Assurance OfficerIAIA-1, IATS-1
The MDM server must define the required MDM agent version.
Older software versions do not support required security features.System AdministratorECWN-1
The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less.
If a mobile device has not connected to the management server within the specified time period, this is an indication that the device is no longer being used, has been lost, or has been stolen. To protect possible sensitive data on the device from being compromised, the device should be wiped.
System AdministratorECWN-1, IAAC-1
The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.System AdministratorIAKM-1
The MDM server must be configured to display an alert to the administrator when handhelds have been inactive after a defined period of time.
An inactive mobile device is an indication that the device may have been lost or stolen. In addition, provisioned devices have monthly fees associated with them and management should consider reallocating inactive devices.System AdministratorIAAC-1
A valid Apple MDM certificate must be installed on the MDM server.
Without the Apple MDM certificate, the MDM server will not be able to manage a security policy on the iOS mobile device and DoD data will be at risk of compromise.System AdministratorECWN-1