
Windows 10 Mobile must enforce an application installation policy by specifying an application whitelist.


Overview

Finding ID: V-70083
Version: MSWM-10-200306
Rule ID: SV-84705r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #10b
STIG: Microsoft Windows 10 Mobile Security Technical Implementation Guide
Date: 2016-09-26

Details

Check Text (C-70559r1_chk)
Review Windows 10 Mobile configuration settings to determine if the mobile device has an application whitelist configured. If feasible, use a spare device to determine if an application whitelist is configured.

This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device.

On the MDM administration console:

1. Display policy area for managing allowed applications.
2. Verify a policy exists that creates an application whitelist of allowed applications.
3. Verify all applications on the list of whitelisted applications have been approved by the Authorizing Official (AO).
4. Verify the application whitelist policy has been deployed to the target devices under management on the MDM console.
5. This list can be empty if no applications have been approved. See the STIG supplemental document for additional information.

On the Windows 10 Mobile device:

1. Go to the "All apps" page (from the Start page, swipe left to reveal it).
2. If the whitelist policy has been successfully deployed, the majority of the apps listed should have a dimmed appearance and show the text "Unavailable" under each restricted application.
3. Look for several apps that are not included in the application whitelist.
4. Determine if any app can be launched by tapping on its icon.
5. Verify that the app both has the text "Unavailable" under its title and that when launched this text appears on a pop-up page: "This app is disabled by your enterprise policy".

If the application whitelist policy does not exist, contains applications that are not authorized, has not been deployed to the targeted enrolled devices, or any non-whitelisted app can be launched on the device, this is a finding.
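The MDM-console part of this check (a whitelist policy exists, it is enforced, and every allowed app is AO approved, with an empty list being acceptable) can be scripted against an exported copy of the policy. The following is an added example, not part of the STIG text; it assumes the MDM exports the whitelist as an AppLocker "Appx" RuleCollection (the format the AppLocker CSP uses for store apps), and the policy, publisher and product names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export of an MDM application whitelist in the AppLocker
# "Appx" RuleCollection format; publisher and product names are made up.
SAMPLE_POLICY = """<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="1" Name="Allow Contoso Mail" Action="Allow" UserOrGroupSid="S-1-1-0">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Contoso" ProductName="Contoso.Mail" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="65535.65535.65535.65535"/>
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="2" Name="Allow Fabrikam Games" Action="Allow" UserOrGroupSid="S-1-1-0">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Fabrikam" ProductName="Fabrikam.Games" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="65535.65535.65535.65535"/>
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>"""

# Constructed AO-approved list: (PublisherName, ProductName) pairs. An empty
# set is legitimate when the AO has approved nothing yet.
AO_APPROVED = {("CN=Contoso", "Contoso.Mail")}


def audit_whitelist(policy_xml, approved):
    """Return finding strings for the MDM-console part of the check; [] means the policy passes."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "RuleCollection" or root.get("Type") != "Appx":
        return ["no Appx RuleCollection: no application whitelist policy exists"]
    if root.get("EnforcementMode") != "Enabled":
        findings.append(f"EnforcementMode is {root.get('EnforcementMode')!r}, so the whitelist is not enforced")
    for rule in root:
        name = rule.get("Name")
        if rule.tag != "FilePublisherRule":
            findings.append(f"rule {name!r}: unexpected type {rule.tag}, review manually")
        elif rule.get("Action") == "Allow":  # Deny rules never widen the whitelist
            for cond in rule.iter("FilePublisherCondition"):
                key = (cond.get("PublisherName"), cond.get("ProductName"))
                if "*" in key:
                    findings.append(f"rule {name!r}: wildcard publisher/product is not a specific approval")
                elif key not in approved:
                    findings.append(f"rule {name!r}: {key[1]} by {key[0]} is not AO approved")
    return findings


if __name__ == "__main__":
    for line in audit_whitelist(SAMPLE_POLICY, AO_APPROVED) or ["no findings"]:
        print(line)
```

The script only covers what can be read from the exported policy; deployment to the target devices and the on-device launch test in the second list still have to be verified on the console and the handset.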
Fix Text (F-76319r1_fix)
Set up an application whitelist (authorized apps) using an MDM for Windows 10 Mobile.

Deploy the policy on managed devices.

This will provide an authorized repository of applications which can be installed on a managed user's device.