The MDM must disable copying data from inside the security container to a non-secure data area on the mobile device in the security policy implemented on managed mobile devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24995	WIR-GMMS-006-01	SV-30735r2_rule	ECCR-1	Medium

Description
A security container is required on any device that uses a mobile OS that with an encryption module that is not FIPS 140-2 validated. An approved security container application uses a FIPS 140-2 validated cryptographic module with AES encryption to protect data. If this requirement is not met, sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the mobile device, which would violate DoD policy and may expose sensitive DoD data.

Description

A security container is required on any device that uses a mobile OS that with an encryption module that is not FIPS 140-2 validated. An approved security container application uses a FIPS 140-2 validated cryptographic module with AES encryption to protect data. If this requirement is not met, sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the mobile device, which would violate DoD policy and may expose sensitive DoD data.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2013-01-17

Details

Check Text ( C-31143r8_chk )
1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy. 2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify copying data out of secure sandbox has been disabled. Mark as a finding if the MDM agent is not configured to disable copying data out of secure sandbox. Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database. For the Good Technology MDM: -Verify copying out of secure sandbox has been disabled. Have the administrator log in to the Good Mobile Control console and choose the iOS policy. In the Messaging section ensure that “Do not allow data to be copied from the Good application” is checked.

Check Text ( C-31143r8_chk )

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.
2. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify copying data out of secure sandbox has been disabled.

Mark as a finding if the MDM agent is not configured to disable copying data out of secure sandbox.

Note: If there is a finding, note the name of the policy in the Findings Details section in VMS/Component Provided Tracking Database.

For the Good Technology MDM:
-Verify copying out of secure sandbox has been disabled. Have the administrator log in to the Good Mobile Control console and choose the iOS policy. In the Messaging section ensure that “Do not allow data to be copied from the Good application” is checked.

Fix Text (F-27637r4_fix)
Disable copying files from inside the security container to a non-secure data area on the mobile device on the MDM server security policy implemented on managed mobile devices.