Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24978	WIR-WMS-GD-007	SV-30819r2_rule	ECSC-1	High

Description
The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant policy may not meet critical (CAT I and CAT II) security requirements. DoD enclaves are at risk of data exposure and hacker attack if devices are assigned default or other non-STIG compliant security/IT policies.

Description

The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant policy may not meet critical (CAT I and CAT II) security requirements. DoD enclaves are at risk of data exposure and hacker attack if devices are assigned default or other non-STIG compliant security/IT policies.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2013-01-17

Details

Check Text ( C-31348r6_chk )
Mobile device accounts will only be assigned a STIG-compliant security/IT policy. Determine which policy sets on the MDM server user accounts have been assigned to using the following procedures: -Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures: --Log into the MDM console. --View all iOS policies on the server. -Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted. Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly. Verify all devices are assigned to a STIG policy set. The exact procedure will depend on the MDM product being reviewed. Mark as a finding if any mobile device account is assigned a policy set identified as not STIG-compliant.

Check Text ( C-31348r6_chk )

Mobile device accounts will only be assigned a STIG-compliant security/IT policy.

Determine which policy sets on the MDM server user accounts have been assigned to using the following procedures:

-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures:
--Log into the MDM console.

--View all iOS policies on the server.

-Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted.

Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly.

Verify all devices are assigned to a STIG policy set. The exact procedure will depend on the MDM product being reviewed.

Mark as a finding if any mobile device account is assigned a policy set identified as not STIG-compliant.

Fix Text (F-27619r6_fix)
Only assign mobile device accounts a STIG-compliant security/IT policy.