| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-24975 | High | The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required. | A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server... |
| V-24976 | High | Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices. | The secure connection from the smartphone to the MDM server can be used by the mobile device to allow a user to connect to back-office servers and applications located on the enclave network.... |
| V-24978 | High | Mobile device accounts must not be assigned default and non-STIG compliant security/IT policies. | The mobile device default security/IT policy on the MDM does not include most DoD-required security policies for data encryption, authentication, and access control. Also, non-STIG compliant... |
| V-26564 | High | Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements. | CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server... |
| V-24972 | Medium | The required mobile device management server version (or later) must be used. | Earlier versions of the MDM server may have security vulnerabilities or may not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security... |
| V-24973 | Medium | The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.). | The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting... |
| V-24998 | Medium | The Over-The-Air (OTA) device provisioning password must have expiration set. | The time period during which a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized individuals do not have the capability to set up rogue devices on... |
| V-33999 | Medium | A valid Apple MDM certificate must be installed on the MDM server. | Without the Apple MDM certificate, the MDM server will not be able to manage a security policy on the iOS mobile device, and DoD data will be at risk of compromise. |
| V-26152 | Medium | S/MIME must be enabled on the server. | Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical... |
| V-25000 | Medium | The MDM server must enable an MDM security profile on each managed iOS device. | Sensitive DoD data could be compromised if an MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS... |
| V-24999 | Low | OTA Provisioning PIN reuse must not be allowed. | Reuse of the OTA PIN can allow an attacker to provision an unauthorized device on the system. |
| V-25754 | Low | The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520.02 requires PKI certificates come from a trusted DoD PKI. |
| V-33996 | Low | The MDM server must be configured to display an alert to the administrator when handhelds have been inactive for a defined period of time. | An inactive mobile device is an indication that the device may have been lost or stolen. In addition, provisioned devices have monthly fees associated with them, and management should consider... |
| V-24987 | Low | The timeout for the PKI certificate PIN cache must be set at 120 minutes or less. (Note: 15 minutes or less is the recommended setting.) | Most mobile devices have the capability to cache the digital certificate PIN so that it does not need to be entered every time the user's digital certificate has to be accessed when a PKI... |
| V-25004 | Low | The MDM server must implement jailbreak detection on managed mobile devices. | If a device is jailbroken, the user may have the ability to install unauthorized software that might disclose sensitive DoD information or attack other systems. The MDM should alert if there are... |
| V-33231 | Low | The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less. | There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use... |
| V-26728 | Low | The MDM server must define the required MDM agent version. | Older software versions do not support required security features. |
| V-32745 | Low | The MDM agent must wipe a managed mobile device if the MDM agent does not connect to the MDM server in 90 days or less. | If a mobile device has not connected to the management server within the specified time period, this is an indication that the device is no longer being used, has been lost, or has been stolen. ... |
| V-25002 | Low | The MDM server must define the required mobile device hardware versions. | Older devices do not support required security features. Therefore, sensitive data could be at risk of being exposed if required security features are not available. |
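Several of the findings above (V-24998, V-24999, V-24987, V-33231, V-32745, V-25004, V-33996) are numeric or boolean thresholds that can be checked mechanically against an MDM policy export. The following is an added example, not part of the STIG and not any MDM vendor's tooling: it evaluates a policy dictionary against those thresholds and reports findings ordered by the table's severity. The key layout (`ota_provisioning`, `pki`, `agent`, `alerts` and the names under them) is an assumption; map a real vendor export onto it. Note that an absent setting is reported as a finding rather than a pass, because the checker cannot prove a vendor default meets the requirement, and that a PIN cache between 16 and 120 minutes is compliant but reported as a `Note` since 15 minutes is the recommendation.

```python
"""Added example: check an MDM policy export against the STIG thresholds above.
Illustrative code only (not the STIG's or any MDM product's). Key names below are
an assumed layout; map a real export onto them."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str  # "High"/"Medium"/"Low" as in the table, or "Note" for advisories
    title: str
    detail: str


SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Note": 3}

# Constructed export in the assumed layout; every value is deliberately non-compliant.
NONCOMPLIANT_POLICY: dict[str, Any] = {
    "ota_provisioning": {"password_expiration_hours": 0, "pin_reuse_allowed": True},
    "pki": {"cert_pin_cache_minutes": 240},
    "agent": {"transport_key_rotation_days": 90, "wipe_after_days_unconnected": 120,
              "jailbreak_detection": False},
    "alerts": {},  # inactive-device alert threshold never configured
}

# Constructed export that meets every threshold in the table.
COMPLIANT_POLICY: dict[str, Any] = {
    "ota_provisioning": {"password_expiration_hours": 24, "pin_reuse_allowed": False},
    "pki": {"cert_pin_cache_minutes": 15},
    "agent": {"transport_key_rotation_days": 30, "wipe_after_days_unconnected": 90,
              "jailbreak_detection": True},
    "alerts": {"inactive_device_alert_days": 30},
}


def _get(policy: dict, *path: str) -> Optional[Any]:
    """Walk nested keys; None means the setting is absent (vendor default, unverified)."""
    cur: Any = policy
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _num(value: Any) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_policy(policy: dict) -> list[Finding]:
    """Return findings sorted High -> Medium -> Low -> Note, then by Vuln ID."""
    findings: list[Finding] = []

    def fail(vuln_id: str, severity: str, title: str, detail: str) -> None:
        findings.append(Finding(vuln_id, severity, title, detail))

    # V-24998: OTA provisioning password must expire (0 or absent = never expires).
    exp = _get(policy, "ota_provisioning", "password_expiration_hours")
    if not _num(exp) or exp <= 0:
        fail("V-24998", "Medium", "OTA provisioning password has no expiration",
             f"password_expiration_hours={exp!r}")

    # V-24999: OTA PIN reuse must be explicitly disallowed.
    reuse = _get(policy, "ota_provisioning", "pin_reuse_allowed")
    if reuse is not False:
        fail("V-24999", "Low", "OTA provisioning PIN reuse allowed", f"pin_reuse_allowed={reuse!r}")

    # V-24987: PKI PIN cache 120 minutes maximum; 15 minutes or less is recommended.
    cache = _get(policy, "pki", "cert_pin_cache_minutes")
    if not _num(cache) or cache > 120:
        fail("V-24987", "Low", "PKI certificate PIN cache exceeds 120 minutes",
             f"cert_pin_cache_minutes={cache!r}")
    elif cache > 15:
        fail("V-24987", "Note", "PKI certificate PIN cache above recommended 15 minutes",
             f"cert_pin_cache_minutes={cache!r}")

    # V-33231: master AES key between server and agent rotated every 30 days or less.
    rot = _get(policy, "agent", "transport_key_rotation_days")
    if not _num(rot) or rot > 30:
        fail("V-33231", "Low", "Server-to-agent encryption key rotation exceeds 30 days",
             f"transport_key_rotation_days={rot!r}")

    # V-32745: wipe a device that has not connected in 90 days or less.
    wipe = _get(policy, "agent", "wipe_after_days_unconnected")
    if not _num(wipe) or wipe > 90:
        fail("V-32745", "Low", "Unconnected-device wipe threshold exceeds 90 days",
             f"wipe_after_days_unconnected={wipe!r}")

    # V-25004: jailbreak detection must be enabled.
    if _get(policy, "agent", "jailbreak_detection") is not True:
        fail("V-25004", "Low", "Jailbreak detection not enabled", "agent.jailbreak_detection != True")

    # V-33996: an inactivity alert period must be defined (any positive number of days).
    inactive = _get(policy, "alerts", "inactive_device_alert_days")
    if not _num(inactive) or inactive <= 0:
        fail("V-33996", "Low", "No inactive-device administrator alert configured",
             f"inactive_device_alert_days={inactive!r}")

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.vuln_id))


if __name__ == "__main__":
    for f in check_policy(NONCOMPLIANT_POLICY):
        print(f"{f.vuln_id} [{f.severity}] {f.title}: {f.detail}")
```

Run against `NONCOMPLIANT_POLICY` this prints seven findings, the single Medium (V-24998) first; against `COMPLIANT_POLICY` it prints nothing. The remaining rows in the table (firewall configuration, DoD PKI-issued server certificate, required server, agent and hardware versions, S/MIME, the Apple MDM certificate) need evidence outside the policy export and are left to manual review.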