
The MDM agent must provide the capability for a system administrator to select which data fields in the contacts database will be available to applications outside of the contact database.


Overview

Finding ID: V-25030
Version: WIR-GMMS-007
Rule ID: SV-30830r2_rule
IA Controls: ECWN-1
Severity: Low
Description
The MDM agent contacts list could be considered sensitive information for some DoD mobile device users; therefore, access by the mobile OS to all data in the list must be restricted. Otherwise, sensitive contact information could be exposed.
STIG: Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)
Date: 2013-01-17

Details

Check Text (C-31251r5_chk)
Note: If the system includes a MEM server, this requirement applies to the MEM server and not the MDM server. In that case, mark the check as not applicable (there is a similar MEM server check). If there is no MEM server, use the following procedure.

This is an MDM server security policy check. It is recommended that all checks related to the security policy pushed to the mobile device be reviewed using the following procedure.

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy.

2. Select each policy set that users are assigned to and, in turn, verify the required settings are in the policy set. Verify that if access to the MDM agent contacts list is enabled, only the following fields are checked: first name, last name, work number, mobile number, and pager number.

-Note: If there is a finding, note the name of the policy set in the Findings Details section in VMS/Component Provided Tracking Database.

Mark as a finding if access to the MDM agent contacts list is enabled for the mobile OS and the fields of the contacts list are not restricted as required.

For the Good Technology server:
-If “Enable access to Good Contacts” is checked, click on the Choose Fields button and verify only the following fields are checked: first name, last name, work number, mobile number, and pager number.

Fix Text (F-27717r3_fix)
If access to the MDM agent contacts list is enabled for the mobile OS, limit contact information to only the default fields: first name, last name, work number, mobile number, and pager number.