
Windows Phone 8.1 must be configured to enforce an application installation policy through an application whitelist specifying a set of allowed applications and versions.


Overview

Finding ID: V-58935
Version: MSWP-81-100305
Rule ID: SV-73365r1_rule
IA Controls:
Severity: Medium
Description
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The actions of some enterprise apps cannot be controlled by the whitelist, such as backup of application information to OneDrive. Other mitigation techniques will be required to facilitate those actions to safeguard data.

SFR ID: FMT_SMF.1.1 #10
STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59765r1_chk)
This validation procedure is only performed on the MDM administration console.

On the MDM administration console:
1. Display the policy area for managing allowed applications.
2. Verify a policy exists that creates an application whitelist of allowed applications.
3. Verify all applications on the list of whitelisted applications have been approved by the Approving Official (AO).
4. Verify the application whitelist policy has been deployed to the target devices under management on the MDM console.

NOTE: This list can be empty if no applications have been approved. See the STIG supplemental document for additional information.

If the application whitelist policy does not exist, does not contain only authorized applications, or has not been deployed to targeted devices under enrollment, this is a finding.
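
The check above expressed as code, as an added example that is not part of the STIG or of any MDM product. The `App` and `WhitelistPolicy` records, the app names and the device IDs are constructed, and the example assumes AO approval is recorded per application version.

```python
# Added example. The record layout is hypothetical; a real MDM export will differ.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    version: str  # assumption: the AO approves a specific version, not just a name


@dataclass
class WhitelistPolicy:
    apps: set         # App entries the policy allows to install
    deployed_to: set  # IDs of devices the policy has been pushed to


def evaluate(policy, ao_approved, enrolled):
    """Return the reasons this check is a finding; an empty list means it passes."""
    if policy is None:
        return ["no application whitelist policy exists"]
    reasons = []
    # Any entry the AO has not approved at exactly this version is a finding.
    for app in sorted(policy.apps - ao_approved, key=lambda a: (a.name, a.version)):
        reasons.append(f"not AO-approved: {app.name} {app.version}")
    # Every enrolled device must have received the policy.
    for device in sorted(enrolled - policy.deployed_to):
        reasons.append(f"policy not deployed to: {device}")
    return reasons


# Constructed sample data (fictional app names and device IDs).
AO_APPROVED = {App("Contoso Mail", "2.1.0"), App("Contoso VPN", "1.4.2")}
ENROLLED = {"WP-0001", "WP-0002", "WP-0003"}

# An empty whitelist is acceptable when no applications have been approved.
EMPTY_OK = WhitelistPolicy(apps=set(), deployed_to=set(ENROLLED))
# Version drift on one app, and one enrolled device never received the policy.
DRIFTED = WhitelistPolicy(
    apps={App("Contoso Mail", "2.2.0"), App("Contoso VPN", "1.4.2")},
    deployed_to={"WP-0001", "WP-0002"},
)

if __name__ == "__main__":
    for label, policy in [("missing", None), ("empty", EMPTY_OK), ("drifted", DRIFTED)]:
        reasons = evaluate(policy, AO_APPROVED, ENROLLED)
        print(label, "->", "finding" if reasons else "not a finding", reasons)
```
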
Fix Text (F-64329r2_fix)
Set up an application catalog (authorized apps) using an MDM for Windows Phone 8.1.

This will provide an authorized repository of applications which can be installed on a managed user's device.