| Review the operating system and browser configuration to determine if traffic is forced through DoD proxy servers. |
If greater assurance is required, access a number of Internet web sites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server.
Note: Although in iOS 6, Safari can be configured to meet this requirement, Safari encryption is not FIPS 140-2 validated and cannot be used in the DoD. Therefore, a third-party browser must be used.
There are two acceptable implementations for this requirement.
1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway.
2. The device browser supports a proxy server setting that forces all traffic to a specified the proxy server when configured to do so. The configuration must be from an MDM server and not user modifiable. In some implementations, the user may enter a container application to access the browser functionality.
Verify that none of the unauthorized browsers can be used. On a sample of 3-4 devices, identify the browsers on the device. If any are unauthorized, verify they are not functional.
Mark as a finding if any non-compliant browser is functional.