Review Samsung SDS EMM server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> System and click on the button labeled “Logo / Notification” near the top of the screen.
3) In the “Logo / Notification” window that appears, confirm the text in the Login Notification “Text” is the required DoD banner text.
If the warning banner is not set up on the MDM server or wording does not exactly match the requirement text, this is a finding.
Configure the MDM server to display the appropriate warning banner text. On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> System and click on the button labeled “Logo / Notification” near the top of the screen.
3) In the “Logo / Notification” window that appears, enter the required DoD text in the Login Notification “Text” box.
4) Click "Save".
Review the MDM server configuration settings and verify the server is configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor. This validation procedure is performed on the MDM Administration Console.
On the MDM console, do the following to verify that a user in the MD user role exists:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Devices & Users >> Users & Organization.
3) Observe that the user created in the Implementation Guidance is listed on this screen.
On the MDM console, do the following to verify that users in the roles (c), (d) and (e) exist:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> Administrators.
3) Observe that the user with the Security configuration administrator role is in the list on this screen, that the “Type” column indicates “Super”, and that a modify symbol appears under all of the columns for “App”, “Cert”, “Org”, “Profile”, “Portal”, and “Audit”.
4) Observe that the user with the Device user group administrator role is in the list on this screen, that the “Type” column indicates “Common”, and that a modify symbol appears under all of the columns for “App”, “Cert”, “Org”, “Profile”, “Portal”, and “Audit”.
5) Observe that the user with the Auditor role is in the list on this screen, that the “Type” column indicates “Common”, and that a modify symbol appears only under the “Audit” column.
No verification is needed for the Server primary administrator since this role is always automatically created during server install.
If the MDM console is not configured with required Administrator roles, this is a finding.
Configure the MDM server with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor.
On the MDM console, do the following to create an MD user:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Devices & Users >> Users & Organization and select the “+” to get a pull-down menu. Select “Add Single User”.
3) Complete fields with user specific information.
4) Click "Save".
5) Click "No" in next dialog box (OK box) to complete setup of user.
On the MDM console, do the following to create users in the roles (c), (d), and (e):
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> Administrators and click on the “+” button near the top of the screen.
3) In the “Add Administrator” window, fill in the following once for each user account being created:
   a) Choose the “New” radio button.
   b) Fill in the “Admin ID” and “Admin Name” fields with values for a new user.
   c) To create a Security configuration administrator, set the Type field to “Super”.
   d) To create a Device user group administrator, set the Type field to “Common” and check all of the “Authorization” boxes.
   e) To create an Auditor, set the Type field to “Common” and check only the Audit box.
4) Choose “Save” to create the account with the specified role.
5) Click "Yes" in next dialog box (Save box) to complete setup of user.
A user in the Server Primary Administrator role is created by defining a Windows Administrator account on the platform running the Samsung SDS EMM server. This is automatically created during server install.
The following describes how the MDM server transfers MD audit logs and MDM server logs to another server for analysis and reporting. Ask the system administrator to identify which audit management server Samsung SDS EMM server logs are transferred to. Verify that the audit management server contains records of the MD audit logs and MDM server logs, which have been transferred from the Samsung SDS EMM server. If logs are not automatically transferred periodically, verify logs are transferred manually at least daily. If the Samsung SDS EMM server is not configured to transfer MD audit logs to another server (automatically or manually), this is a finding.
The following describes how the MDM server can transfer MD audit logs and MDM server logs to another server for analysis and reporting. This is a manual process that has to be performed by the administrator periodically.
To transfer Samsung SDS EMM server logs, on the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Service Overview >> Logs >> Audit Logs.
3) Choose a date and click the "Export" button to export the selected Audit data to a file on the administrator’s workstation.
4) Follow the browser-specific instructions to save the comma-separated values file.
To transfer MD audit logs, on the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Service Overview >> Logs >> Device Logs.
3) Choose the desired device in the left side of the “Device Logs” screen.
4) Choose the Export action in the row for the device log to be saved to export the selected MD audit log to a file on the administrator’s workstation.
5) Follow the browser-specific instructions to save the comma-separated values file.
Review the Samsung SDS EMM server or platform configuration to determine whether the system is locked after 15 minutes. Clock the time on a server to validate that it is correctly enforcing the time period. If the session lock does not occur within 15 minutes of inactivity, this is a finding.
To configure the Samsung SDS EMM server or platform to lock the server after 15 minutes of inactivity, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Click the “v” symbol at the top right of the web page to get a pull-down menu.
3) Choose “Configure session timeout”.
4) Set the Session Timeout(min) value to "15".
5) Click on the “Save” button.
Review the Samsung SDS EMM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on the Samsung SDS EMM server platform, this is a finding.
Install a DoD-approved firewall.
Ask the MDM administrator for a list of ports, protocols and IP address ranges necessary to support Samsung SDS EMM server and platform functionality (see the STIG Supplemental document for a list of required ports, protocols, and services). Review the list to determine if the stated required configuration is appropriate. Compare the list against the configuration of the firewall, and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.
Configure the firewall on the Samsung SDS EMM server to only permit ports, protocols, and IP address ranges necessary for operation.
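The comparison described in the check above (required list versus firewall configuration) can be scripted. The following is an added example, not part of the STIG or of Samsung SDS EMM; the rule format, rule names, ports and address ranges are constructed placeholders, and the real required list comes from the STIG Supplemental document and the MDM administrator.

```python
import ipaddress

# Constructed sample data: the real list comes from the STIG Supplemental
# document and the site's MDM administrator, not from this example.
REQUIRED = [  # (direction, protocol, port, permitted CIDR)
    ("in", "tcp", 443, "10.20.0.0/16"),
    ("out", "tcp", 1433, "10.20.5.10/32"),
]
FIREWALL_RULES = [  # constructed export of the host firewall's allow rules
    {"name": "console-https", "dir": "in", "proto": "tcp", "ports": "443", "remote": "10.20.0.0/16"},
    {"name": "db", "dir": "out", "proto": "tcp", "ports": "1433", "remote": "0.0.0.0/0"},
    {"name": "legacy-range", "dir": "in", "proto": "tcp", "ports": "8000-8002", "remote": "10.20.0.0/16"},
]

def expand_ports(spec):
    """Turn '443' or '8000-8002' into a set of port numbers."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def audit(rules, required):
    """Return (findings, missing): rules wider than required, and
    required entries that no compliant rule covers."""
    findings, covered = [], set()
    for rule in rules:
        net = ipaddress.ip_network(rule["remote"])
        for port in sorted(expand_ports(rule["ports"])):
            matches = [r for r in required
                       if r[:3] == (rule["dir"], rule["proto"], port)]
            if not matches:
                findings.append((rule["name"], port, "port/protocol not required"))
                continue
            # The rule's address range must fit inside a required range.
            ok = [r for r in matches if net.subnet_of(ipaddress.ip_network(r[3]))]
            if ok:
                covered.update(ok)
            else:
                findings.append((rule["name"], port, "address range wider than required"))
    missing = [r for r in required if r not in covered]
    return findings, missing

if __name__ == "__main__":
    findings, missing = audit(FIREWALL_RULES, REQUIRED)
    for f in findings:
        print("FINDING", f)
    for m in missing:
        print("NO COMPLIANT RULE FOR", m)
```

Entries reported as missing are required services that no correctly scoped rule covers, which usually means the existing rule for that service is the over-broad one listed in the findings.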
Ask the MDM administrator for a list of ports, protocols and services that have been configured on the host-based firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.
Turn off any ports, protocols, and services on the MDM host-based firewall that are not on the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list.
Review the MDM agent configuration settings to determine if the agent is configured with a periodicity of reachable events set to six hours or less. This validation procedure is performed on the Samsung SDS EMM Server Admin Console.
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Service >> Configuration.
3) For Android: On row 20 verify “Inventory Collection Period for Android (Hrs)” is set to "6" or less.
4) For iOS: On row 21 verify “Inventory Collection Period for iOS (Hrs)” is set to "6" or less.
If the periodicity of reachable events is not set to "6" hours or less, this is a finding.
Configure the MDM agent periodicity of reachable events to six hours or less. On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Service >> Configuration.
3) For Android: Ensure that row 20 “Inventory Collection Period for Android (Hrs)” shows a value of "6" or less.
4) For iOS: Ensure that row 21 “Inventory Collection Period for iOS (Hrs)” shows a value of "6" or less.
5) Click on the check-mark box in the top left of the "Configuration" screen to "Apply Changes".
6) Click “OK” on the “Notify” save completed window.
On the MDM agent, do the following: No actions are required on the MDM agent.