UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)


Overview

Date Finding Count (19)
2013-05-08 CAT I (High): 4 CAT II (Med): 6 CAT III (Low): 9
STIG Description
This STIG provides technical security controls required for the use of a MDM server to manage mobile devices in the DoD environment. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-24976 High Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices.
V-24978 High Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
V-24972 Medium The required mobile device management server version (or later) must be used.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
V-24998 Medium The Over-The-Air (OTA) device provisioning password must have expiration set.
V-33999 Medium A valid Apple MDM certificate must be installed on the MDM server.
V-26152 Medium S/MIME must be enabled on the server.
V-25000 Medium The MDM server must enable an MDM security profile on each managed iOS device.
V-24999 Low OTA Provisioning PIN reuse must not be allowed.
V-25754 Low The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
V-33996 Low The MDM server must be configured to display an alert to the administrator when handhelds have been inactive after a defined period of time.
V-24987 Low The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.)
V-25004 Low The MDM server must implement jailbreak detection on managed mobile devices.
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
V-26728 Low The MDM server must define the required MDM agent version.
V-32745 Low The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less.
V-25002 Low The MDM server must define the required mobile device hardware versions.