UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The AirWatch MDM Server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-47299 ARWA-01-000005 SV-60171r1_rule High
Description
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.
STIG Date
AirWatch MDM STIG 2015-11-30

Details

Check Text ( C-50065r2_chk )
Review the AirWatch MDM Server configuration to ensure there are accounts associated with the following roles:

- AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

If this separation of duties is not present, this is a finding.

Ensure custom AirWatch roles: (1) click "Menu" from the console tool bar, (2) click "Administrators" under "Accounts" heading, (3) click "Roles" on left-hand tool bar, and (4) click on applicable role to check. Note: only Roles created due to organizational necessity will be created by the Administrator and can be checked in this fashion; not all Roles may be used at every organizational site.
Fix Text (F-51005r1_fix)
Create and configure accounts to be aligned with the following roles:

- AirWatch MDM Server administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Create custom AirWatch roles by clicking (1) "Menu" from the console tool bar, (2) selecting "Administrators" from under the "Accounts" heading from the drop-down menu, (3) click "Roles" on left-hand tool bar, and (4) click "Add Role" from the Roles page. (5) Fill out applicable Roles information, and (6) click "Save". (7) Click "Admin Accounts" on left-hand tool bar, and from "Administrators" screen, (8) click "Add User". (9) Fill out applicable user information, (10) click Roles tab, and (11) assign previously created customer role to this account. (12) Click "Save".