Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)


Date: 2013-05-08
Finding Count (19): CAT I (High): 4, CAT II (Med): 6, CAT III (Low): 9
STIG Description
This STIG provides technical security controls required for the use of an MDM server to manage mobile devices in the DoD environment. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles

Findings (MAC III - Administrative Sensitive)

| Finding ID | Severity | Title |
|---|---|---|
| V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. |
| V-24976 | High | Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices. |
| V-24978 | High | Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies. |
| V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements. |
| V-24972 | Medium | The required mobile device management server version (or later) must be used. |
| V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.). |
| V-24998 | Medium | The Over-The-Air (OTA) device provisioning password must have expiration set. |
| V-33999 | Medium | A valid Apple MDM certificate must be installed on the MDM server. |
| V-26152 | Medium | S/MIME must be enabled on the server. |
| V-25000 | Medium | The MDM server must enable an MDM security profile on each managed iOS device. |
| V-24999 | Low | OTA Provisioning PIN reuse must not be allowed. |
| V-25754 | Low | The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate. |
| V-33996 | Low | The MDM server must be configured to display an alert to the administrator when handhelds have been inactive after a defined period of time. |
| V-24987 | Low | The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.) |
| V-25004 | Low | The MDM server must implement jailbreak detection on managed mobile devices. |
| V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less. |
| V-26728 | Low | The MDM server must define the required MDM agent version. |
| V-32745 | Low | The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less. |
| V-25002 | Low | The MDM server must define the required mobile device hardware versions. |