UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Mobile Application Management (MAM) Server Security Technical Implementation Guide (STIG)


Overview

Date Finding Count (15)
2013-01-17 CAT I (High): 5 CAT II (Med): 7 CAT III (Low): 3
STIG Description
This STIG provides technical security controls required for the use of a MAM server to manage applications installed on mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
V-32769 High The MAM server must manage a list of authorized applications (white list) by device account and by group account.
V-34417 High The MAM server must take predefined actions if unapproved applications are found after a scan of managed mobile devices.
V-32771 High The MAM server must scan the list of installed applications on managed mobile devices every 6 hours or less to determine if unapproved applications are installed.
V-24972 Medium The required mobile device management server version (or later) must be used.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
V-32767 Medium The MAM server must be able to obtain applications from a DoD- managed application store.
V-32770 Medium The MAM server must be configured to prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed.
V-32772 Medium The MAM server must manage the installation of updates and patches for installed applications on managed mobile devices.
V-32775 Medium The MAM server must install DoD-managed applications, including the browser, email client, and VPN client, in an approved security container on managed mobile devices.
V-32774 Medium The MAM server must allow the inspection of installed applications on managed mobile devices.
V-25754 Low The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
V-32768 Low The MAM server must install required applications on managed mobile devices.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.