The AirWatch MDM Server must be able to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-47335	ARWA-01-000150	SV-60207r1_rule		High

Description
If the security policy has been modified in an unauthorized manner, IA is severely degraded and a variety of further attacks are possible. Detecting whether the security policy has been modified or disabled mitigates these risks.

STIG	Date
AirWatch MDM STIG	2015-11-30

Details

Check Text ( C-50101r3_chk )
Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. If this function is not present, this is a finding. To verify policies for the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy. On Rules tab, verify the correct rule set for the applicable policy to be applied. (4) On Actions tab, verify the correct Action type to take Actionable Result is set. (5) On Assignment tab, verify correct device types, users, or groups are assigned. (Note: for "jailbroken" or "rooted device" detection, verify "Compromised Status" and "Is Compromised" is selected on Rules tab.

Check Text ( C-50101r3_chk )

Review the AirWatch MDM Server configuration to ensure the AirWatch MDM Server can detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. If this function is not present, this is a finding.

To verify policies for the Compliance Engine, use the following procedure: (1) click "Menu" on top tool bar, (2) click "Compliance" under "Profiles and Policies" heading, and (3) click on applicable compliance policy. On Rules tab, verify the correct rule set for the applicable policy to be applied. (4) On Actions tab, verify the correct Action type to take Actionable Result is set. (5) On Assignment tab, verify correct device types, users, or groups are assigned.

(Note: for "jailbroken" or "rooted device" detection, verify "Compromised Status" and "Is Compromised" is selected on Rules tab.

Fix Text (F-51041r3_fix)
Configure the AirWatch MDM Server to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices. To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab select the following: (1a) To Match "All" or "Any" of the entered Rules, (2a) Choose deviation to detect on devices, and (3a) click "Next". (3) On Actions tab, select the following: (a) Choose Action type to take (command), and (b) Actionable Result, and (c) click Next. (4) On Assignment tab select device types, users, or groups to assign Policy to, and (5) click "Next". (6) View Summary for accuracy, and (7) click Save and Assign. (Note: for "jailbroken" or "rooted device" detection, select "Compromised Status" and "Is Compromised" on Rules tab.

Fix Text (F-51041r3_fix)

Configure the AirWatch MDM Server to detect if the security policy has been modified, disabled, or bypassed on managed mobile devices.

To establish policies for the Compliance Engine, use the following procedure: (1) click "Add" from the top tool bar, and (2) click "Compliance Policy". On Rules tab select the following: (1a) To Match "All" or "Any" of the entered Rules, (2a) Choose deviation to detect on devices, and (3a) click "Next". (3) On Actions tab, select the following: (a) Choose Action type to take (command), and (b) Actionable Result, and (c) click Next. (4) On Assignment tab select device types, users, or groups to assign Policy to, and (5) click "Next". (6) View Summary for accuracy, and (7) click Save and Assign.

(Note: for "jailbroken" or "rooted device" detection, select "Compromised Status" and "Is Compromised" on Rules tab.