
Windows Phone 8.1 must be designed to implement protected and secure OS Updates.


Overview

Finding ID: V-58971
Version: MSWP-81-501408
Rule ID: SV-73401r1_rule
IA Controls:
Severity: Medium
Description
MOS updates and upgrades are an essential part of the life cycle of modern smartphones and generally occur annually. OS updates need to be a trusted process to prevent compromise of OS code, drivers, code signing, and malware injection. That process needs to be delivered over a securely encrypted and mutually authenticated method. If the MOS update process security cannot be documented, then the ability to disable updates or manage their availability by MDM is an acceptable option. The UBE action on the mobile device ensures that all approved (whitelist) apps will receive important functional and security updates, in addition to system security updates. SFR ID: FMT_SMF.1.1 #42
STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59799r1_chk)
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to create or modify a temporary policy to enable the "Store" application.
2. Change that setting value to be enabled.
3. Deploy that updated policy to the test device.
4. After the phone procedure below is completed, push the STIG enforcement policy to the device. This ensures that the Store app is once again restricted.

This validation procedure is performed on the Windows Phone mobile device:
1. From the Start page, swipe left to get to the App list, tap Settings.
2. In the Settings list, tap "phone update".
3. Verify that if a setting called "Automatically download updates" is shown, that check box is unchecked.
4. Return to the App list.
5. Find the "Store" app, and tap on it.
6. Tap on the menu (look for 3 dots) on the lower right of the screen, and then tap on "settings".
7. Scroll down to App updates, and verify that the "Update apps automatically" check box is turned Off.

If the phone update "Automatically download updates" check box is checked or the Store app's setting for "Update apps automatically" check box is turned On, this is a finding.

Fix Text (F-64365r2_fix)
This requirement is enforced via User Based Enforcement (UBE).

The procedure for the user to follow is:
1. From the Start page, swipe left to get to the App list, tap Settings.
2. In the Settings list, tap "phone update".
3. If a setting called "Automatically download updates" is shown, uncheck that check box.

NOTE: This step has to be done before a device has been enrolled into management by a DoD MDM:

4. Return to the App list.
5. Find the "Store" app, and tap on it.
6. Tap on the menu (look for 3 dots) on the lower right of the screen, and then tap on "settings".
7. Scroll down to App updates, and slide the toggle for "Update apps automatically" to Off.