Ivanti MobileIron Core MDM Server Security Technical Implementation Guide


Overview

Date: 2021-12-02
Finding Count (26): CAT I (High): 5, CAT II (Med): 21, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-251418 High The Ivanti MobileIron Core server must be maintained at a supported version.
V-251416 High The Ivanti MobileIron Core server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
V-251413 High The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
V-251420 High The Ivanti MobileIron Core server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
V-251423 High The Ivanti MobileIron Core server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
V-251419 Medium The Ivanti MobileIron Core server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.
V-251414 Medium The Ivanti MobileIron Core server must automatically terminate a user session after an organization-defined period of user inactivity.
V-251415 Medium The Ivanti MobileIron Core server must be configured to transfer Ivanti MobileIron Core server logs to another server for storage, analysis, and reporting. Note: Ivanti MobileIron Core server logs include logs of UEM events and logs transferred to the Ivanti MobileIron Core server by UEM agents of managed devices.
V-251417 Medium The Ivanti MobileIron Core server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
V-251410 Medium The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one lowercase character be used.
V-251411 Medium The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one numeric character be used.
V-251412 Medium The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one special character be used.
V-251408 Medium The Ivanti MobileIron Core server must prohibit password reuse for a minimum of four generations.
V-251774 Medium The Ivanti MobileIron Core server must be configured to lock administrator accounts after three unsuccessful login attempts.
V-251777 Medium The Ivanti MobileIron Core server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.
V-251421 Medium The Ivanti MobileIron Core server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
V-251409 Medium The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one uppercase character be used.
V-251422 Medium The Ivanti MobileIron Core server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-251407 Medium The Ivanti MobileIron Core server must enforce a minimum 15-character password length.
V-251406 Medium The Ivanti MobileIron Core server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
V-251405 Medium The Ivanti MobileIron Core server must back up audit records at least every seven days onto a log management server.
V-251404 Medium The Ivanti MobileIron Core server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-251403 Medium The Ivanti MobileIron Core server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-251402 Medium The Ivanti MobileIron Core server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-251401 Medium The Ivanti MobileIron Core server must initiate a session lock after a 15-minute period of inactivity.
V-251400 Medium The Ivanti MobileIron Core server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.