Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)

  • Version/Release: V1R2
  • Published: 2013-05-08
  • Released: 2013-05-09
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG provides technical security controls required for the use of a MDM server to manage mobile devices in the DoD environment. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
b
The required mobile device management server version (or later) must be used.
Medium - V-24972 - SV-30809r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-001
Vuln IDs
  • V-24972
Rule IDs
  • SV-30809r2_rule
Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.System AdministratorECSC-1
Checks: C-31225r6_chk

On the mobile device management server, determine the version number of the server. The exact procedure will vary, depending on the mobile device management product used. -Verify the server version is the latest available version and includes the latest patches available. Talk to the site system administrator and view the vendor's web site to determine the correct version number. -Mark as a finding if the server version is not as required.

Fix: F-27612r3_fix

Upgrade to required (or later) mobile device management server version.

b
The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
Medium - V-24973 - SV-30810r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-WMS-GD-002
Vuln IDs
  • V-24973
Rule IDs
  • SV-30810r2_rule
The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the management server.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-31226r5_chk

Work with the OS Reviewer or check VMS for last review of each host server where a mobile management server is installed. This includes the host server for the MDM, MAM, MDIS, and MEM servers. The review should include the SQL server, Apache Tomcat, and IIS, if installed. Mark as a finding if the previous or current OS review of the Windows server did not include the SQL or other applications included with the management server.

Fix: F-27613r2_fix

Conduct required STIG reviews of the OS and all installed applications on the host server.

c
The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
High - V-24975 - SV-30812r2_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-004
Vuln IDs
  • V-24975
Rule IDs
  • SV-30812r2_rule
A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-31229r7_chk

The host server host-based or appliance firewall must be configured as required. The server firewall is configured with the following rules: -Deny all except when explicitly authorized. -Internal traffic from the server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. -Internet traffic from the server is limited to only specified services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the mobile management server and/or service. -Firewall settings listed in the STIG Technology Overview or the vendor's installation manual will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: -Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). -Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the server connects to should be included on this list. - Mark as a finding if the IP addresses configured on the server host-based firewall are not on the list of trusted networks.

Fix: F-27616r2_fix

Install the management server host-based or appliance firewall and configure as required.

c
Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices.
High - V-24976 - SV-30814r2_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-005
Vuln IDs
  • V-24976
Rule IDs
  • SV-30814r2_rule
The secure connection from the smartphone to the MDM server can be used by the mobile device to allow a user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications. Many MDM servers have the capability to proxy the authentication credentials for the mobile device user to the network. (The network views the connection request as if it is coming from the MDM server, not the mobile device user, therefore the server must proxy network authentication on behalf of the user.) In the DoD environment where CAC authentication to the network is required, the MDM server must have the capability to proxy (pass to Active Directory) the user’s CAC authentication, but most MDM servers cannot support this capability; therefore connections to back-office servers via the MDM server must be disabled.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-31230r7_chk

Detailed Policy Requirements: Access to internal Intranet sites via the secure connection between the MDM server and MDM agent must be set as follows: -If CAC authentication of the user is not enforced either by the MDM agent on the mobile device, by the MDM server before the user gains access to back-office servers located on the NIPRNet, or by all servers the user would access on the NIPRNet, all connections to back-office servers must be blocked at the MDM server. Check Procedures: -Talk to the site administrator and review the site SSP to determine if CAC authentication is enforced, and if yes, where it is enforced in the mobile architecture. If CAC authentication is enforced, this is not a finding. -If CAC authentication is not enforced, the MDM server must be configured to block access by users to back-office servers on the NIPRNet. The procedures to verify this setting will vary by MDM product. Mark as a finding if a local security policy has not been set up on the MDM server to block access to Internet sites. If the Good Technology server is used, use the following procedure: 1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies. 2. Within Local Security Policies right click on IP Security Policies on Local Computer. 3. Open the policy and verify the following setting has been configured: -Ensure the default response rule is unchecked. 4. Go to the properties of the security policy and verify the following rules are included: -Allow access from the GMM Server to the DNS Servers. -Allow access from the GMM Server to the Exchange Servers. -Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely. -Deny access to everything else. Verify the IP Security policy has been assigned to the Windows server. -Allow access from the GMM Server to the Default Gateway.

Fix: F-27617r4_fix

Set up required controls on the CMD management server for connections to back-office servers.

c
Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies.
High - V-24978 - SV-30819r2_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-007
Vuln IDs
  • V-24978
Rule IDs
  • SV-30819r2_rule
The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant policy may not meet critical (CAT I and CAT II) security requirements. DoD enclaves are at risk of data exposure and hacker attack if devices are assigned default or other non-STIG compliant security/IT policies.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-31348r6_chk

Mobile device accounts will only be assigned a STIG-compliant security/IT policy. Determine which policy sets on the MDM server user accounts have been assigned to using the following procedures: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures: --Log into the MDM console. --View all iOS policies on the server. -Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted. Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly. Verify all devices are assigned to a STIG policy set. The exact procedure will depend on the MDM product being reviewed. Mark as a finding if any mobile device account is assigned a policy set identified as not STIG-compliant.

Fix: F-27619r6_fix

Only assign mobile device accounts a STIG-compliant security/IT policy.

a
The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.)
Low - V-24987 - SV-30727r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-004
Vuln IDs
  • V-24987
Rule IDs
  • SV-30727r2_rule
Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user’s digital certificate has to be accessed when a PKI encryption or authentication operation takes place. The PIN should only be cached for a limited time period; otherwise the user’s digital certificates could be exposed to unauthorized individuals if the mobile device is lost or stolen.System AdministratorECSC-1
Checks: C-31142r6_chk

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each policy set users are assigned to and, in turn, verify the required settings are in the policy set. Verify the CAC PIN cache is set to timeout at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.) -Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database. Mark as a finding if the inactivity timeout is not set as required. For the Good Technology MDM: - Verify “Re-challenge for CAC PIN every” is checked and set to 120 minutes or less if “Smartcard PIN (requires S/MIME)” has been selected. - Verify “Re-challenge for password every” is checked and set to 120 minutes or less if “Password- protected (with or without soft token or S/MIME)” has been selected.

Fix: F-27628r3_fix

Enable the timeout for the PKI certificate PIN cache and set to 120 minutes or less.

b
The Over-The-Air (OTA) device provisioning password must have expiration set.
Medium - V-24998 - SV-30738r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-008
Vuln IDs
  • V-24998
Rule IDs
  • SV-30738r2_rule
The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized individuals do not have the capability to set up rogue devices on the network. Note Active Directory credentials should not be utilized for the OTA provisioning password. System AdministratorECWN-1
Checks: C-31148r9_chk

If the MDM agent uses OTA provisioning, use the following procedure: 1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the OTA PIN is set to expire in seven days or less. Mark as a finding if the OTA PIN is not set to expire in seven days or less. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. For the Good Technology MDM: -Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less. -Verify “Allow OTA Provisioning PIN reuse” is unchecked.

Fix: F-27641r4_fix

Set the OTA device provisioning password expiration to seven days or less.

a
OTA Provisioning PIN reuse must not be allowed.
Low - V-24999 - SV-30739r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-009
Vuln IDs
  • V-24999
Rule IDs
  • SV-30739r2_rule
The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.System AdministratorECWN-1
Checks: C-31149r5_chk

This check is valid only with the Good Technology MDM server. It is Not Applicable (NA) for all other MDM servers. 1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each policy set users are assigned to and, in turn, verify the required settings are in the policy set. -Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database. -Verify “Allow OTA Provisioning PIN reuse” is unchecked. Mark as a finding if “Allow OTA Provisioning PIN reuse” is checked.

Fix: F-27642r2_fix

Disable (uncheck) “Allow OTA Provisioning PIN reuse” in the iOS policy on the MDM server.

b
The MDM server must enable an MDM security profile on each managed iOS device.
Medium - V-25000 - SV-30740r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-011
Vuln IDs
  • V-25000
Rule IDs
  • SV-30740r2_rule
Sensitive DoD data could be compromised if an MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS MDM security profile is removed access to the protected Government data inside the security container will not be allowed. The user must be forced to re-install the MDM security profile before gaining access. The mobile device will report the removal and implementation of the MDM security profile to the MDM management server.System AdministratorECWN-1
Checks: C-31150r8_chk

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule. -Verify “Enable MDM profile” is checked. -Verify all access rights for the MDM profile are enabled. This procedure will vary by MDM product. Here are examples of configuration settings that should be enabled, if available: ---Installation, removal, and inspection of configuration profiles. ---Installation, removal, and inspection of provisioning profiles. ---Inspection of installed applications. ---Query of device information. ---Query of network information. ---Restriction-related queries. ---Security-related queries. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. Mark as a finding if the MDM profile and required access rights are not set as required.

Fix: F-27643r2_fix

Configure the MDM server to enable an MDM security profile and access rights of the profile on each managed iOS device.

a
The MDM server must define the required mobile device hardware versions.
Low - V-25002 - SV-30743r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-010-01
Vuln IDs
  • V-25002
Rule IDs
  • SV-30743r2_rule
Older devices do not support required security features. Therefore, sensitive data could be at risk of being exposed if required security features are not available.System AdministratorECWN-1
Checks: C-42282r2_chk

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule. Mark as a finding if the iOS security policy is not set up to enforce the required version of the MDM agent. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. For the Good Technology MDM: -On the left tab, select Compliance Manager. -Verify the “Device Hardware Verification” rule is listed. (Note that the rule title does not have to be exact.) -Open the rule by checking the box next to the rule, then click on Edit. -Verify the following are set: •Platform: iPhone •Check to run: Hardware model verification (title does not have to be exact) •Conditions: iPhone 4s, iPhone 5 , iPad 2 (all versions), New iPad (all versions) •Failure Action: set to “Quit Good for Enterprise” •Check Every: set to “6 hours”

Fix: F-27647r2_fix

Set up compliance rules in the MDM server defining required mobile device hardware versions.

a
The MDM server must implement jailbreak detection on managed mobile devices.
Low - V-25004 - SV-30748r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-010-03
Vuln IDs
  • V-25004
Rule IDs
  • SV-30748r2_rule
If a device is jailbroken, the user may have the ability to install unauthorized software that might disclose sensitive DoD information or attack other systems. The MDM should alert if there are indicators that the device has been jailbroken so actions, such as wiping the device, can be implemented to protect device data. For iOS, jailbreak detection by a third-party application is limited; therefore, this requirement is a defense-in-depth control to supplement iOS jailbreak controls. System AdministratorECWN-1
Checks: C-42283r2_chk

This requirement is only applicable to the Good Technology MDM server. 1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule. Verify that jailbreak detection has been turned on. Mark as a finding if the iOS security policy is not set up to enforce the required version of the MDM agent. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. For the Good Technology MDM: -On the left tab, select Compliance Manager. -Verify the “Good Client Version Verification” rule is listed. (Note that the rule title does not have to be exact.) -Open the rule by checking the box next to the rule, then click on Edit. -Verify the following are set: •Platform: iPhone •Check to run: Jailbreak/Rooted Detection •Application Name: “iOS Jailbreak detection” rule is listed. (Note that the rule title does not have to be exact.) •Failure Action: set to “Wipe Enterprise Data” •Verify "Check Every" is set to "1 hour"

Fix: F-27653r3_fix

Set up compliance rules in the MDM server implementing jailbreak detection and set up the rule to wipe the device if a jailbreak has been detected.

a
The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
Low - V-25754 - SV-32013r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-GD-010
Vuln IDs
  • V-25754
Rule IDs
  • SV-32013r2_rule
When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.System AdministratorIATS-1
Checks: C-32242r9_chk

Verify a DoD server certificate has been installed on the mobile management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed. The check procedure will depend on the mobile management server product used. Mark as a finding if a DoD server certificate has not been installed on the mobile device management server. For the Good Technology server follow these procedures: -Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. -Click the Lock icon next to the address bar, then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”. If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD-issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.

Fix: F-28607r3_fix

Use a DoD-issued digital certificate on the mobile management server.

b
S/MIME must be enabled on the server.
Medium - V-26152 - SV-32858r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-012
Vuln IDs
  • V-26152
Rule IDs
  • SV-32858r2_rule
Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.System AdministratorECCR-1
Checks: C-33609r4_chk

This check is valid only with the Good Technology MDM server. It is Not Applicable (NA) for all other MDM servers. -Log into the Good server management interface, select the Settings tab, and open the Secure Messaging (S/MIME) section. -Verify Enable Secure Messaging (S/MIME) is checked. Mark as a finding if Enable Secure Messaging (S/MIME) is not checked.

Fix: F-29209r1_fix

Enable S/MIME on the Good server.

c
Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
High - V-26564 - SV-33591r2_rule
RMF Control
Severity
High
CCI
Version
WIR-WMS-GD-011
Vuln IDs
  • V-26564
Rule IDs
  • SV-33591r2_rule
CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server support AD authentication.System AdministratorInformation Assurance OfficerIAIA-1, IATS-1
Checks: C-34053r4_chk

Review the admin accounts settings on the mobile management server to verify CTO 07-15 Rev 1 required authentication is enabled for admin accounts. The check procedure will depend on the mobile management server product used. Mark as a finding if site admin accounts do not meet the requirements.

Fix: F-29731r2_fix

Configure required authentication on system administration accounts for mobile management servers.

a
The MDM server must define the required MDM agent version.
Low - V-26728 - SV-33971r2_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-010-04
Vuln IDs
  • V-26728
Rule IDs
  • SV-33971r2_rule
Older software versions do not support required security features.System AdministratorECWN-1
Checks: C-34841r20_chk

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule. Mark as a finding if the iOS security policy is not set up to enforce the required version of the MDM agent. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. For the Good Technology MDM: -On the left tab, select Compliance Manager. -Verify the “Good Client Version Verification” rule is listed. (Note that the rule title does not have to be exact.) -Open the rule by checking the box next to the rule, then click on Edit. -Verify the following are set: •Platform: iPhone Check to Run: Good Version Verification •Verify the client version checked is at least 2.0.2 •Verify "Failure Action" is set to "Quit Good for Enterprise" •Verify "Check Every" is set to "6 hours"

Fix: F-30027r2_fix

Set up a compliance rule on the MDM server to check the version of the MDM agent on the mobile device.

a
The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less.
Low - V-32745 - SV-43091r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-MDM-01
Vuln IDs
  • V-32745
Rule IDs
  • SV-43091r1_rule
If a mobile device has not connected to the management server within the specified time period, this is an indication that the device is no longer being used, has been lost, or has been stolen. To protect possible sensitive data on the device from being compromised, the device should be wiped. System AdministratorECWN-1, IAAC-1
Checks: C-41077r5_chk

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the policy setting that will wipe the mobile device is set to wipe if the MDM agent does not connect to the server in 90 days or less. The check procedure will depend on the MDM product used. Mark as a finding if each security policy is not set as required. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. For the Good Technology MDM server: Verify the “iOS Connectivity Verification” rule is listed. (Note that the rule title does not have to be exact.) - Open the rule by checking the box next to the rule, then click on Edit. •Platform: iPhone •Check to Run: Connectivity Verification •Verify “Failure Action” is set to “Wipe Enterprise Data” •Verify Check Every is set to “90 days”

Fix: F-36623r3_fix

Set each iOS security policy on the MDM server to wipe the device if the MDM agent does not connect to the server in 90 days or less.

a
The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
Low - V-33231 - SV-43637r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-WMS-MDM-03
Vuln IDs
  • V-33231
Rule IDs
  • SV-43637r1_rule
There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.System AdministratorIAKM-1
Checks: C-41503r3_chk

This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable. Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days. Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used.

Fix: F-37140r1_fix

Use an AES master encryption key and set it to rotate at least every 30 days.

a
The MDM server must be configured to display an alert to the administrator when handhelds have been inactive after a defined period of time.
Low - V-33996 - SV-44449r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-GMMS-31
Vuln IDs
  • V-33996
Rule IDs
  • SV-44449r1_rule
An inactive mobile device is an indication that the device may have been lost or stolen. In addition, provisioned devices have monthly fees associated with them and management should consider reallocating inactive devices.System AdministratorIAAC-1
Checks: C-41997r2_chk

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each policy set users are assigned to and, in turn, verify the required settings are in the policy set. Verify the policy is configured to report to the system administrator if the device has not contacted the MDM server in 3 weeks or less. -Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database. Mark as a finding if the required setting is not set on the MDM server. If the Good Technology MDM server is used: Verify “Display handhelds as inactive after” is checked and select any value of 3 weeks or less (Settings Tab, Good Mobile Control – User Settings/Policy Settings).

Fix: F-37913r2_fix

Configure the MDM server to display an alert to the administrator when handhelds have been inactive after a defined period of time (3 weeks or less).

b
A valid Apple MDM certificate must be installed on the MDM server.
Medium - V-33999 - SV-44452r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-GMMS-32
Vuln IDs
  • V-33999
Rule IDs
  • SV-44452r1_rule
Without the Apple MDM certificate, the MDM server will not be able to manage a security policy on the iOS mobile device and DoD data will be at risk of compromise.System AdministratorECWN-1
Checks: C-41998r3_chk

On the MDM server, verify the Apple certificate has been installed, is up to date, and has not yet expired. The exact procedure will vary by server product. Mark as a finding if the Apple MDM certificate is not installed or is expired. For the Good Technology MDM: In the Good server console, click the Settings Tab and then Certificates in the left pane.

Fix: F-37915r1_fix

Install a valid Apple MDM certificate on the MDM server.