The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33231	WIR-WMS-MDM-03	SV-43637r1_rule	IAKM-1	Low

Description
There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.

Description

There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2013-05-08

Details

Check Text ( C-41503r3_chk )
This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable. Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days. Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used.

Check Text ( C-41503r3_chk )

This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable.

Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days.

Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used.

Fix Text (F-37140r1_fix)
Use an AES master encryption key and set it to rotate at least every 30 days.