The MDM server must configure the mobile device to prohibit the mobile device user from installing unapproved applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-36148	SRG-APP-135-MDM-148-MAM	SV-47552r1_rule		Medium

Description
The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Description

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

STIG	Date
Mobile Device Manager Security Requirements Guide	2013-01-24

Details

Check Text ( C-44388r1_chk )
Review the MDM server configuration to ensure the MDM server can configure the mobile device to prohibit the mobile device user from installing unapproved applications. If this function is not present, this is a finding.

Fix Text (F-40678r1_fix)
Configure the MDM server so the mobile device is configured to prohibit the mobile device user from installing unapproved applications.