The MDM server must encrypt all data in transit (e.g., mobile device encryption keys, server PKI certificates, mobile device data bases) using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-36242	SRG-APP-264-MDM-224-SRV	SV-47646r1_rule		Medium

Description
If data in transit is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. AES encryption with appropriate key lengths provides assurance that the cryptography is adequate. This requirement applies to data transmitted to managed mobile devices and to another enterprise network management application.

Description

If data in transit is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. AES encryption with appropriate key lengths provides assurance that the cryptography is adequate. This requirement applies to data transmitted to managed mobile devices and to another enterprise network management application.

STIG	Date
Mobile Device Manager Security Requirements Guide	2013-01-24

Details

Check Text ( C-44482r1_chk )
Review MDM server configuration, and NIST FIPS certificate to validate the server supports AES encryption for data in transit. Confirm that at least AES 128 bit encryption is used. If the MDM server does not support AES encryption for data in transit, this is a finding.

Fix Text (F-40772r1_fix)
Configure the MDM server to use AES 128 or AES 256 encryption for data in transit.