
Windows Phone 8.1 must be configured to implement the management setting: Disallow the sharing of device telemetry captured as a result of crashes and other logging processes.


Overview

Finding ID: V-58965
Version: MSWP-81-501203
Rule ID: SV-73395r1_rule
IA Controls:
Severity: Medium

Description
Applications and OS processes can generate telemetry data, called Software Quality Metrics (SQM), which sends software instrumentation metrics to the SQM service and allows the client to download client-specific control data. The protocol allows applications and operating system components to collect instrumentation metrics, including customer experience data, crash reports, and traces, and send them to a hosted service over HTTP/HTTPS. That data, while not including any privacy-sensitive information, could potentially contain information sensitive to DoD. Disabling this feature mitigates the risk of any unknown information being stored in Microsoft telemetry tracking databases.

SFR ID: FMT_SMF.1.1 #42

STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59795r1_chk)
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "Allow telemetry data to be sent".
3. Verify that the setting restriction is turned off/disallowed.

On the Windows Phone mobile device:
1. Launch "Settings".
2. Select "feedback".
3. Verify that the setting toggle called "Send feedback" is disabled. There should be a sentence after the disabled toggle that says: "Disabled by company policy".

If the MDM console does not have the "Allow telemetry data to be sent" policy disabled or, on the phone, the "Disabled by company policy" message does not appear in the specified location on the "feedback" screen of the Settings app, this is a finding.

Fix Text (F-64359r1_fix)
Configure the MDM system to require the "Allow telemetry data to be sent" policy to be disabled for Windows Phone devices.

Deploy the MDM policy to managed devices.