UCF STIG Viewer Logo

The AirWatch MDM Server must configure the mobile device to prohibit the mobile device user from installing unapproved applications.


Overview

Finding ID Version Rule ID IA Controls Severity
V-47319 ARWA-02-000181 SV-60191r1_rule Medium
Description
The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.
STIG Date
AirWatch MDM STIG 2015-11-30

Details

Check Text ( C-50085r2_chk )
Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding.

Note that the following should take place in conjunction with application blacklisting/whitelisting as noted in the "AirWatch Mobile Application Management Guide", page 35, "Enforcing Application Security and Compliance", and applicable items within this STIG.

Apple iOS MOS:
To verify Application blacklists on Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and (3) on left-hand tool bar click on "Application Groups". (4) Click on applicable group, and verify that correct information is set.
Fix Text (F-51025r2_fix)
Configure the AirWatch MDM Server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications.

To set Application Blacklists in Administration console: (1) click on "Menu" in top tool bar, (2) click on "Applications" under "Catalog" heading, and on left-hand tool bar (3) click on "Application Groups". (4) Click "Add Group", and under drop-down box labeled "Type" choose "Blacklist". (5) Choose Android or iOS platform, and (6) add applicable applications. (7) Click "Next" to review summary and (8) click "Finish".