This validation procedure is performed on the MDM administration console.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for restricting the Allow Developer Unlock capability.
3. Verify that the setting restriction is turned on.

If the MDM does not have the policy to disable developer mode enforced, this is a finding.
Configure the MDM system to require the Allow Developer Unlocking/Developer Mode policy to be disabled for Windows Phone devices. Deploy the MDM policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Display the policy that restricts the use of the Store application.
2. Verify that this policy is set to disabled.

On the Windows Phone mobile device:
1. From the Start page or on the Applications page (swipe to the left from the Start page), find the Store application icon. NOTE: The Store icon should appear dim.
2. Tap on the Store app to attempt to launch it. A message should be displayed: "App disabled. This app has been disabled by company policy. Contact your company's support person for help."

If the MDM does not have a policy that disables the Store application, or if the Windows Store app can be successfully launched, this is a finding.
Configure an application control policy using an MDM for Windows Phone 8.1 to disable the Store application. Deploy the policy to managed devices.
This validation procedure is performed only on the MDM administration console.

On the MDM administration console:
1. Display the policy area for managing allowed applications.
2. Verify a policy exists that creates an application whitelist of allowed applications.
3. Verify all applications on the list of whitelisted applications have been approved by the Approving Official (AO).
4. Verify the application whitelist policy has been deployed to the target devices under management on the MDM console.

NOTE: This list can be empty if no applications have been approved. See the STIG supplemental document for additional information.

If the application whitelist policy does not exist, does not contain only authorized applications, or has not been deployed to targeted devices under enrollment, this is a finding.
Set up an application catalog (authorized apps) using an MDM for Windows Phone 8.1. This provides an authorized repository of applications that can be installed on a managed user's device.
This validation procedure is performed only on the MDM administration console.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the "Allow USB Connection" setting.
3. Verify the "Allow USB Connection" setting is disabled.

If the MDM does not have a compliance policy that disables USB connectivity, this is a finding.
Configure the MDM system to require the Allow USB Connection policy to be disabled for Windows Phone devices. Deploy the MDM policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to display the device password settings and check that these settings are configured.
2. Verify the number of repeated sign-on failures before the device is wiped is 10 or less.

NOTE: The device test below wipes the phone and should not be used on a production device.

On the Windows Phone mobile device:
1. Ensure that the device has timed out or power cycled so that the lockscreen is shown.
2. Attempt to unlock the device using an incorrect PIN.
3. On the last attempt, a warning will be presented asking the user to enter A1B2C3. This ensures that the failed logon attempts were not accidental (pocket dialed). Once A1B2C3 is entered, a final attempt to unlock the phone can be made.
4. Verify that after the 10th attempt or less, the message "Goodbye" is displayed as the Windows Phone reboots and wipes/hard resets.

If the MDM is not configured to wipe the device in 10 attempts or less, or the device does not wipe after 10 attempts to unlock it, this is a finding.
Configure the MDM system to enforce a local device wipe after 10 or less repeated sign-on failures. Deploy the policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to display the device password settings.
2. Verify the device time-out/inactivity setting is turned on.
3. Verify the time-out value is set to 15 minutes or less.

On the Windows Phone mobile device:
1. Initiate the test by leaving the phone idle for longer than 15 minutes.
2. Tap the Power button to turn the screen on.
3. Swipe up the lock screen to reveal the unlock screen.
4. Verify that a password is required to gain access to the device.

If the MDM is not configured to require a device lock after 15 minutes or less, or the device fails to lock in 15 minutes or less, this is a finding.
Configure Windows Phone 8.1 policies to lock the device after 15 minutes or less. Deploy the policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to display the device password settings.
2. Verify that a "password required" setting is in effect.
3. Verify the minimum length for the password is set to 6 or greater.

On the Windows Phone mobile device:
1. Attempt to change the password to a 5-digit password.
2. Verify Windows Phone rejects the new password.

If the password policy on the MDM is not set to require a password with a minimum length of at least 6, or the device accepts a passcode of fewer than 6 characters, this is a finding.
Configure the MDM system to require a password and to enforce a minimum password length of 6 characters for device unlock. Deploy the policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to display the device encryption setting.
2. Verify device encryption is activated.

On the Windows Phone mobile device:
1. Launch "Settings".
2. Select "storage sense".
3. Verify the word "encrypted" appears after the measurement of how much storage is in use. For example, "2.62 GB used, encrypted" is compliant, whereas "2.62 GB used" is not compliant.

If the MDM is not configured to enforce encryption, or if the word "encrypted" does not appear in the specified location on the "storage sense" screen of the Settings app, this is a finding.
Configure the MDM system to require device encryption for Windows Phone devices. Deploy the MDM policy to managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow removable storage".
3. Verify that the setting restriction is turned off/disallowed.

On a Windows Phone 8.1 device that contains a microSD slot and has a microSD card inserted:
1. Launch "settings".
2. Find and tap on "storage sense".
3. If a removable storage card is mounted, there should be a section that lists phone storage, and directly under that, a section for SD card storage.
4. Verify that the SD card section has a sentence directly below it that says "not found".

If the MDM does not have a policy enforcement that disables the use of removable storage, or if the "not found" message does not appear under the SD card location on the "storage sense" screen of the Settings app (instead, the SD card section shows how much space is used and how much is free, meaning the SD card was not disabled), this is a finding.
Configure the MDM system to enforce a policy that sets "allow removable storage" to disabled for Windows Phone devices. Deploy the MDM policy to managed devices.
This procedure is the same as requirement MSWP-81-100812. The procedure only has to be performed once.

This validation procedure is performed on the Windows Phone mobile device:
1. Lock the phone; tap the power button to turn off the screen.
2. Tap the power button to power up.
3. Swipe up on the lockscreen to reveal the screen.
4. See the banner warning.
5. Verify that the DoD warning banner has the required text.

If the configured banner message is not viewable or does not have the required text, this is a finding.
This procedure is the same as requirement MSWP-81-100812. The procedure only has to be performed once.

This requirement is enforced via User Based Enforcement (UBE). For Windows Phone 8.1, the following procedure must be followed: Distribute to all users with phones a photo containing the notice and consent warning message. Save that photo locally to the phone. Each user then does the following on the phone:
1. In the App list, tap Settings.
2. In the Settings list, tap lock screen.
3. Under Background, tap choose background.
4. Tap photo.
5. Tap change photo.
6. Select and tap the photo distributed by the administrator, and tap the check mark at the bottom of the photo.

The notice and consent warning is now displayed on the phone before it is unlocked.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow access to Action Center information under lockscreen".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. If the screen is on, tap the power button to turn it off; otherwise, leave the screen off until the time-out period passes. The device could also be powered off instead.
2. Press the power button to turn on the screen.
3. The lockscreen background screen should appear. Swipe a finger from the very top of the screen to bring up the action center.
4. Verify that when the action center appears, the only things visible are the 4 configurable settings buttons, along with the "all settings" button.

If an MDM policy to disallow "allow access to Action Center information under lockscreen" is missing, or any notifications for services like email show up under the settings buttons, this is a finding.
Configure the MDM system to require the "allow access to Action Center information under lockscreen" policy to be disabled for Windows Phone devices. Deploy the MDM policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "manual VPN On/Off Control".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. Wait for the MDM policy to be applied.
2. Go to settings/VPN.
3. Verify that the VPN Status toggle is On and that the control is disabled and cannot be turned off.

If, on the MDM system, the "manual VPN On/Off Control" policy is not disabled, this is a finding. If, on the Windows Phone mobile device, the VPN Status toggle is not disabled, this is a finding.
Configure the MDM system to enforce a security policy that disallows manually turning off VPN in Windows Phone settings. Deploy the policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "Require simple password, no repeating or pattern based passwords".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. Wait for the MDM policy to be applied.
2. When prompted that the password policy has changed, attempt to set a password that is either 111111 or 123456.
3. Verify that those password types are not allowed.

If the MDM system does not enforce a password policy that disables "Require simple password, no repeating or pattern based passwords", or, on the phone, creating a simple password is allowed, this is a finding.
Configure the MDM system to enforce a password policy that disables "Require simple password, no repeating or pattern based passwords". Deploy the policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow access to the Cortana personal assistant".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. If the screen is on, tap the power button to turn it off; otherwise, leave the screen off until the time-out period passes. The device could also be powered off instead.
2. Press the power button to turn on the screen.
3. The lockscreen background screen should appear. Press and hold the Search button at the lower right of the device. A screen will appear that says "Listening..."
4. Speak the voice command "show me my calendar".
5. Verify that when Cortana responds, she says, "You just need to unlock your phone first."

If the MDM does not have a policy setting enforced for "allow access to the Cortana personal assistant", or if Cortana is able to provide voice assistance and show information under the lockscreen, this is a finding.
Configure the MDM system to require the "allow access to the Cortana personal assistant" policy to be disabled for Windows Phone devices. Deploy the MDM policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow user to manually unenroll from management".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. Go to "settings".
2. Tap on "workplace".
3. Look at the bottom of the screen to see if there is a company/agency name with the small text "enrolled" under it.
4. Tap on that enrollment name; this should take you to a new page with details about the enrollment and a refresh and a wastebasket icon at the bottom.
5. Tap on the wastebasket (delete) icon to unenroll from MDM management. A message box should come up with a "Can't delete account" alert.

If the MDM does not disable the policy setting for "allow user to manually unenroll from management", or if, on the phone, a message starting with the sentence "Can't delete account" is not shown when tapping on the wastebasket icon in the workplace app, this is a finding.
Configure the MDM system with a security policy that requires the "allow user to manually unenroll from management" capability to be disabled for Windows Phone devices. Deploy the MDM policy to managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow sharing of documents (Office)".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. From the Start page, swipe to the left to show the all apps list, find "Office", and tap on it.
2. Swipe to the left until you see the page called "places".
3. Tap on the "phone" location.
4. Tap on the file called "sample spreadsheet".
5. Tap on the menu (look for 3 dots) at the lower right of the screen, then scroll through that menu and look for "share".
6. Verify that in that menu the menu item called "share" is grayed out/disabled.

If the MDM console does not have the Office Sharing policy disabled, or if the sharing menu item for an Office document is not disabled and can be tapped on and a share action started, this is a finding.
Configure the MDM system to require the "allow sharing of documents (Office)" policy to be disabled for Windows Phone devices. Deploy the MDM policy on managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "sync settings to OneDrive".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. Launch "Settings".
2. Find and tap on "sync my settings".
3. Verify that no settings toggles are visible, and that there is a sentence that says: "Disabled by policy".

If the MDM does not have the "sync settings to OneDrive" policy disabled, or if the "Disabled by policy" message does not appear in the specified location on the "sync my settings" screen of the phone, this is a finding.
Configure the MDM system to require the "sync settings to OneDrive" policy to be disabled for Windows Phone devices. Deploy the MDM policy to managed devices.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "Allow telemetry data to be sent".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. Launch "Settings".
2. Select "feedback".
3. Verify that the setting toggle called "Send feedback" is disabled. There should be a sentence after the disabled toggle that says: "Disabled by company policy".

If the MDM console does not have the "Allow telemetry data to be sent" policy disabled, or, on the phone, the "Disabled by company policy" message does not appear in the specified location on the "feedback" screen of the Settings app, this is a finding.
Configure the MDM system to require the "Allow telemetry data to be sent" policy to be disabled for Windows Phone devices. Deploy the MDM policy to managed devices.
This validation procedure is performed on the Windows Phone 8.1 device only.

On the Windows Phone mobile device:
1. Go to "settings".
2. Tap on "workplace".
3. Look at the bottom of the screen to see if there is a company/agency name with the small text "enrolled" under it.

If the word "enrolled" is not shown at the bottom of the workplace screen and a button named "add account" is displayed instead, this is a finding.
Enroll the device in MDM. Implement MDM to centrally manage configuration settings.
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to create or modify a temporary policy to enable the "Store" application.
2. Change that setting value to enabled.
3. Deploy that updated policy to the test device.
4. After the phone procedure below is completed, push the STIG enforcement policy to the device. This ensures that the Store app is once again restricted.

On the Windows Phone mobile device:
1. From the Start page, swipe left to get to the App list, then tap Settings.
2. In the Settings list, tap "phone update".
3. If a setting called "Automatically download updates" is shown, verify that its check box is unchecked.
4. Return to the App list.
5. Find the "Store" app, and tap on it.
6. Tap on the menu (look for 3 dots) at the lower right of the screen, then tap on "settings".
7. Scroll down to App updates, and verify that the "Update apps automatically" toggle is Off.

If the phone update "Automatically download updates" check box is checked, or the Store app's "Update apps automatically" setting is On, this is a finding.
This requirement is enforced via User Based Enforcement (UBE). The procedure for the user to follow is:
1. From the Start page, swipe left to get to the App list, then tap Settings.
2. In the Settings list, tap "phone update".
3. If a setting called "Automatically download updates" is shown, uncheck that check box.

NOTE: The following steps have to be done before the device has been enrolled into management by a DoD MDM (the Store app is restricted by policy once enrolled):
4. Return to the App list.
5. Find the "Store" app, and tap on it.
6. Tap on the menu (look for 3 dots) at the lower right of the screen, then tap on "settings".
7. Scroll down to App updates, and slide the toggle for "Update apps automatically" to Off.
This validation procedure is performed only on the MDM system.
1. Ask the MDM administrator to review the current VPN profile for Windows Phone 8.1 devices.
2. Find the setting in the profile that controls the use of "Split Tunneling".
3. Verify that the setting is set to disabled or false.

If the VPN profile's setting for allowing "Split Tunneling" is set to allowed, this is a finding.
Configure the MDM system to enforce a VPN profile that sets the connection to Forced Tunnel. Configure the MDM settings as follows:
1. Create a new VPN profile, or modify an existing one, with a configuration setting that disables "Split Tunnel".
2. Deploy the policy to managed devices.
This validation procedure is performed only on the firewall(s) that control VPN Gateway access for mobile devices accessing public OneDrive on the Internet.

On the firewall administration console:
1. Ask the firewall administrator to verify that a rule exists that blocks outbound access to OneDrive.
2. Verify there is a rule to block access to all of these domains: "*.live.com", "*.live.net", "*.livefilestore.com", "*.1drv.com".

If the firewall for the DoD VPN does not have rules prohibiting outbound traffic to "*.live.com", "*.live.net", "*.livefilestore.com", and "*.1drv.com", this is a finding.
Configure firewall settings for the VPN Gateway to terminate inbound traffic from mobile devices accessing public OneDrive on the Internet. Configure the firewall for VPN as follows:
1. Have the firewall administrator add rules that block outbound access to OneDrive. Block access to these domains: "*.live.com", "*.live.net", "*.livefilestore.com", "*.1drv.com".

This is one of 5 implementation requirements that work together to prevent access to cloud services.
This validation procedure is performed only on the MDM system.
1. Ask the MDM administrator to review the current VPN profile for Windows Phone 8.1 devices.
2. Find the setting in the profile that controls the use of an "Always On" VPN connection.
3. Verify that the setting is set to required.

If the VPN profile's setting for "Always On" is not set to required, this is a finding.
Configure the MDM system to enforce a VPN profile that sets the connection to Always On. Configure the MDM settings as follows:
1. Create a new VPN profile, or modify an existing one, with a configuration setting that enforces "Always On".
2. Deploy the policy to managed devices.
The procedure is performed only on the Windows Phone 8.1 device.
1. From the Start page, swipe to the left to show the App list.
2. Find and tap on "Settings".
3. In the Settings list, tap on "backup".
4. Tap on "apps+settings", then verify the toggle for the setting "Settings backup" is set to Off.
5. Tap the phone's back button.
6. Tap on "text messages", then, in that setting, verify the toggle for "Text message backup" is set to Off.
7. Tap the phone's back button.
8. Tap on "photos+videos", then, in that setting, verify the "Don't upload" radio button is selected for both the Photos and Videos settings.

If the Backup app under settings does not have the "apps+settings" toggle set to Off, the "text messages" toggle set to Off, and the "Don't upload" radio button selected for Photos and Videos in "photos+videos", this is a finding.
Configure a User Based Enforcement (UBE) to disable all Windows Phone Backup functions. For Windows Phone 8.1, the following procedure must be followed:
1. From the Start page, swipe to the left to show the App list.
2. Find and tap on "Settings".
3. In the Settings list, tap on "backup".
4. Tap on "apps+settings", then slide the toggle for the setting "Settings backup" to Off. You will see a warning that no more backups will occur. Confirm the change by tapping on "turn off".
5. Tap the phone's back button.
6. Tap on "text messages", then, in that setting, slide the toggle for "Text message backup" to Off.
7. Tap the phone's back button.
8. Tap on "photos+videos", then, in that setting, select the "Don't upload" radio button for both the Photos and Videos settings.
The procedure is performed only on the Windows Phone 8.1 device.
1. From the Start page, swipe to the left to show the App list.
2. Find and tap on "Settings".
3. In the Settings list, tap on "about".
4. Tap on the "more info" button.
5. Verify that the "OS version" number is greater than or equal to 8.10.15116 to meet all DISA STIG requirements, including VPN.

If the "OS version" number under settings/About/more info is not greater than or equal to 8.10.15116, this is a finding.
Ensure that the devices being used are running operating system build 8.10.15116 or higher (GDR2).
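The MDM, VPN profile, firewall and OS build requirements above are all pass/fail checks on configuration values, so an assessor can script them against a policy export instead of reading each setting by hand. The following is an added example, not part of the STIG text and not any MDM vendor's code: it scores a constructed policy export against the requirements listed on this page (developer unlock through the 8.10.15116 build check) and returns one finding per failed requirement. The dictionary keys such as allow_store and vpn_always_on are invented for this example; a real MDM exports its settings in its own schema, so a loader would map that schema onto these keys and the checks stay as they are. It also shows two details that are easy to get wrong: an OS build string must be compared numerically (as strings, "8.10.9999" sorts above "8.10.15116"), and a missing setting is a finding rather than a pass.

```python
"""Added example, not text from the STIG: score an exported MDM policy against the
Windows Phone 8.1 requirements above and list the findings.

The dictionary keys (allow_store, vpn_always_on, ...) are constructed for this
example; real MDMs export settings in their own schema, so map that schema onto
these keys in a loader and leave the checks untouched.
"""
from fnmatch import fnmatch
from typing import Any, Callable

MIN_OS_BUILD = "8.10.15116"  # GDR2 build named in the STIG
# Domains the STIG says the VPN gateway firewall must block outbound
ONEDRIVE_BLOCKLIST = ("*.live.com", "*.live.net", "*.livefilestore.com", "*.1drv.com")


def parse_build(version: str) -> tuple[int, ...]:
    """Numeric tuple so builds compare correctly: as strings '8.10.9999' > '8.10.15116'."""
    return tuple(int(part) for part in version.strip().split("."))


def os_build_compliant(version: str) -> bool:
    return parse_build(version) >= parse_build(MIN_OS_BUILD)


def onedrive_host_blocked(host: str, rules=ONEDRIVE_BLOCKLIST) -> bool:
    """True when a wildcard rule covers the host. fnmatch's '*' spans dots, so
    'a.b.live.com' matches '*.live.com'; 'live.com.example.net' does not."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, rule) for rule in rules)


# (requirement as worded in the STIG, predicate that returns True when compliant)
CHECKS: list[tuple[str, Callable[[dict[str, Any]], bool]]] = [
    ("developer unlock disabled", lambda p: p["allow_developer_unlock"] is False),
    ("Store app disabled", lambda p: p["allow_store"] is False),
    ("application whitelist exists and is deployed", lambda p: p["app_whitelist_deployed"] is True),
    ("USB connection disabled", lambda p: p["allow_usb_connection"] is False),
    # 0 or a negative value is treated as 'not configured', which is also a finding
    ("wipe after 10 or fewer failed sign-ons", lambda p: 1 <= p["max_failed_attempts"] <= 10),
    ("lock after 15 minutes or less of inactivity", lambda p: 1 <= p["inactivity_timeout_minutes"] <= 15),
    ("password required, minimum length 6", lambda p: p["password_required"] is True and p["min_password_length"] >= 6),
    ("simple (repeating/pattern) passwords disallowed", lambda p: p["allow_simple_password"] is False),
    ("device encryption required", lambda p: p["require_device_encryption"] is True),
    ("removable storage disabled", lambda p: p["allow_removable_storage"] is False),
    ("Action Center hidden above the lock screen", lambda p: p["allow_action_center_above_lock"] is False),
    ("Cortana disabled above the lock screen", lambda p: p["allow_cortana_above_lock"] is False),
    ("manual VPN on/off control disabled", lambda p: p["allow_manual_vpn_control"] is False),
    ("manual MDM unenrollment disabled", lambda p: p["allow_manual_unenroll"] is False),
    ("Office document sharing disabled", lambda p: p["allow_office_sharing"] is False),
    ("sync settings to OneDrive disabled", lambda p: p["allow_sync_my_settings"] is False),
    ("telemetry disabled", lambda p: p["allow_telemetry"] is False),
    ("VPN profile is forced tunnel (no split tunneling)", lambda p: p["vpn_split_tunneling"] is False),
    ("VPN profile is Always On", lambda p: p["vpn_always_on"] is True),
    (f"OS build {MIN_OS_BUILD} or later", lambda p: os_build_compliant(p["os_version"])),
    ("firewall blocks every OneDrive domain", lambda p: set(ONEDRIVE_BLOCKLIST) <= set(p["firewall_block_rules"])),
]


def evaluate(policy: dict[str, Any]) -> list[str]:
    """Return one line per failed check; an empty list means no findings."""
    findings = []
    for requirement, compliant in CHECKS:
        try:
            ok = compliant(policy)
        except (KeyError, TypeError, ValueError):
            ok = False  # missing or malformed setting counts as a finding, never a pass
        if not ok:
            findings.append(f"FINDING: {requirement}")
    return findings


# Constructed sample export of a fully STIG-compliant policy
COMPLIANT_POLICY: dict[str, Any] = {
    "allow_developer_unlock": False, "allow_store": False, "app_whitelist_deployed": True,
    "allow_usb_connection": False, "max_failed_attempts": 10, "inactivity_timeout_minutes": 15,
    "password_required": True, "min_password_length": 6, "allow_simple_password": False,
    "require_device_encryption": True, "allow_removable_storage": False,
    "allow_action_center_above_lock": False, "allow_cortana_above_lock": False,
    "allow_manual_vpn_control": False, "allow_manual_unenroll": False,
    "allow_office_sharing": False, "allow_sync_my_settings": False, "allow_telemetry": False,
    "vpn_split_tunneling": False, "vpn_always_on": True, "os_version": "8.10.15116",
    "firewall_block_rules": list(ONEDRIVE_BLOCKLIST),
}

# Same export with five constructed deviations, including a build string that sorts
# above the minimum lexically but is numerically older
NONCOMPLIANT_POLICY: dict[str, Any] = {
    **COMPLIANT_POLICY,
    "min_password_length": 5, "max_failed_attempts": 0, "os_version": "8.10.9999",
    "vpn_split_tunneling": True, "firewall_block_rules": ["*.live.com", "*.live.net", "*.livefilestore.com"],
}

if __name__ == "__main__":
    for name, policy in (("compliant", COMPLIANT_POLICY), ("noncompliant", NONCOMPLIANT_POLICY)):
        print(f"{name}: {len(evaluate(policy))} finding(s)")
        for line in evaluate(policy):
            print("  " + line)
```

Running the script prints no findings for the compliant export and five for the noncompliant one (password length, wipe threshold, OS build, split tunneling, and the missing "*.1drv.com" firewall rule). The device-side steps in the STIG (the lockscreen banner, the "not found" SD card text, the "Can't delete account" alert, the backup toggles) are User Based Enforcement or visual checks and are deliberately outside this script; it covers only what an MDM or firewall export can answer.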