
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)


Overview

Date: 2013-01-17
Finding Count: 34 (CAT I (High): 6, CAT II (Med): 15, CAT III (Low): 13)
STIG Description
This STIG provides the technical security controls required for the use of an MDM server to manage mobile devices in the DoD environment. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-24993 High Data must be wiped after maximum number of password attempts (10 or less) is reached for the MDM server security container on the mobile device.
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-24976 High Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices.
V-24978 High Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
V-33994 High The MDM server must be configured to not autocomplete the entry of passwords to the security container.
V-25032 Medium Password or CAC authentication to the security container on the mobile device must be enabled.
V-24994 Medium Inactivity lock must be set to 15 minutes or less for the MDM server security container on the mobile device.
V-24995 Medium The MDM must disable copying data from inside the security container to a non-secure data area on the mobile device in the security policy implemented on managed mobile devices.
V-24998 Medium The Over-The-Air (OTA) device provisioning password must have expiration set.
V-24992 Medium The MDM server must set the maximum number of invalid password attempts that can be entered to unlock the security container before the MDM server wipes the security container.
V-24990 Medium Minimum length of the MDM server security container password on the mobile device must be 8 characters.
V-26152 Medium S/MIME must be enabled on the server.
V-26135 Medium Sequential numbers must not be allowed in the password for the MDM server security container on the mobile device.
V-24972 Medium The required mobile device management server version (or later) must be used.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
V-32747 Medium The MDM server must implement one or more security containers on the mobile device if the mobile device operating system is not FIPS 140-2 validated or does not use AES for data-at-rest (DAR) encryption.
V-33999 Medium A valid Apple MDM certificate must be installed on the MDM server.
V-26561 Medium “Require CAC to be present” must be set.
V-26562 Medium Upper case letters, lower case letters, and numbers must be used in the password of the MDM server security container on the mobile device.
V-25000 Medium The MDM server must enable an MDM security profile on each managed iOS device.
V-25004 Low The MDM server must implement jailbreak detection on managed mobile devices.
V-25002 Low The MDM server must define the required mobile device hardware versions.
V-25030 Low The MDM agent must provide the capability for a system administrator to select which data fields in the contacts database will be available to applications outside of the contact database.
V-24999 Low OTA Provisioning PIN reuse must not be allowed.
V-24991 Low Three or more repeated characters for the MDM server security container password on the mobile device must be disallowed.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
V-26728 Low The MDM server must define the required MDM agent version.
V-32745 Low The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less.
V-24989 Low Previously used passwords of the MDM server security container on the mobile device must be disallowed.
V-24988 Low The password age of the MDM server security container on the mobile device must be set to 120 days or less.
V-25754 Low The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
V-24987 Low The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.)
V-33996 Low The MDM server must be configured to display an alert to the administrator when handhelds have been inactive after a defined period of time.