Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)


Overview

Date: 2012-07-20
Finding Count (27): CAT I (High): 3, CAT II (Med): 16, CAT III (Low): 8
STIG Description
This STIG provides the technical security controls required for the use of an MDM server to manage mobile devices in the DoD environment.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication.
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-24976 High Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices.
V-25004 Medium A compliance rule must be set up in the MDM server implementing jailbreak detection on managed mobile devices. Devices will be wiped if they have been jailbroken.
V-25032 Medium Password or CAC authentication to the security container on the mobile device must be enabled.
V-24995 Medium The MDM must disable copying data from inside the security container to a non-secure data area on the mobile device in the security policy implemented on managed mobile devices.
V-24998 Medium The over-the-air (OTA) device provisioning password must have expiration set.
V-32747 Medium The MDM server must implement one or more security containers on the mobile device if the mobile device operating system is not FIPS 140-2 validated or does not use AES for data-at-rest (DAR) encryption.
V-24992 Medium The MDM server must set the maximum number of invalid password attempts that can be entered to unlock the security container before the MDM server wipes the security container.
V-24993 Medium Data must be wiped after maximum password attempts reached for the MDM server security container on the mobile device.
V-24990 Medium Password minimum length of the MDM server security container on the mobile device must be set as required.
V-26729 Medium The MDM must disable copying data from outside the security container into the security container application on the mobile device in the security policy implemented on managed mobile devices.
V-24994 Medium Inactivity lock must be set as required for the MDM server security container on the mobile device.
V-24972 Medium The required MDM server version (or later) must be used.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.).
V-24978 Medium Mobile device user accounts must not be assigned to the default security/IT policy.
V-26135 Medium Sequential numbers must not be allowed in the password for the MDM server security container on the mobile device.
V-26562 Medium Upper case letters, lower case letters, and numbers must be used in the password of the MDM server security container on the mobile device.
V-25000 Medium The MDM server must enable an MDM security profile on each managed iOS device.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis.
V-24991 Low Repeated password characters must be disallowed for the MDM server security container on the mobile device.
V-26728 Low A compliance rule must be set up on the MDM server defining required MDM agent/secure container versions.
V-32745 Low The MDM agent must wipe a managed mobile device if the MDM agent cannot connect to the MDM server within the specified time period.
V-25754 Low The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate.
V-24989 Low Previously used passwords of the MDM server security container on the mobile device must be disallowed.
V-24988 Low The password age of the MDM server security container on the mobile device must be set as required.
V-25002 Low A compliance rule must be set up in the MDM server defining required mobile device hardware versions.