
The master AES encryption key used to encrypt data between the MDM server and the agent on the mobile device must be rotated.


Overview

Finding ID: V-36365
Version: SRG-APP-193-MDM-296-SRV
Rule ID: SV-47769r1_rule
IA Controls:
Severity: Medium
Description
There are two primary methods for generating the encryption key used to encrypt data between the management server and the agent installed on the mobile device. The first method is to use a shared secret; the second is to generate the master encryption key using PKI-based key generation. When a shared secret is used and the master encryption key is not rotated periodically, a compromise of that key exposes all future data sent between the mobile management server and the agent on the mobile device. Limiting the window of compromise to an organizationally defined period is a security best practice; this period is typically 30 days or less.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44607r1_chk)
Review the MDM server configuration to determine whether the MDM server is configured to rotate its master AES encryption key. If the master AES encryption key is not configured to rotate, this is a finding.
Fix Text (F-40897r1_fix)
Configure the MDM server to rotate its master AES encryption key.
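The following Go program is an added illustration of the rotation scheme the Description and Fix Text call for; it is not code from the Security Requirements Guide or from any MDM product. It assumes a simple design of its own: the server keeps a key ring of AES-256-GCM master keys, each tagged with a numeric key ID and a creation time, and every message carries the ID of the key that sealed it so the agent can still open messages sent just before a rotation. The 30-day period comes from the Description; the key-ring layout, header format and function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// RotationPeriod is the organizationally defined maximum master key age.
// The Description cites 30 days or less; 30 days is used here as an example value.
const RotationPeriod = 30 * 24 * time.Hour

// masterKey is one generation of the master AES key (assumed structure).
type masterKey struct {
	id      uint32
	created time.Time
	aead    cipher.AEAD
}

// KeyRing holds the active key plus older keys kept only to open in-flight data.
type KeyRing struct {
	keys   map[uint32]*masterKey
	active *masterKey
	nextID uint32
}

// newMasterKey draws a fresh 256-bit AES key from the OS CSPRNG.
func newMasterKey(id uint32, created time.Time) (*masterKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &masterKey{id: id, created: created, aead: aead}, nil
}

// NewKeyRing creates a ring whose first key is generated at time now.
func NewKeyRing(now time.Time) (*KeyRing, error) {
	kr := &KeyRing{keys: map[uint32]*masterKey{}}
	if err := kr.Rotate(now); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a new master key and makes it the active one; the previous
// key stays in the ring so messages sealed under it can still be opened.
func (kr *KeyRing) Rotate(now time.Time) error {
	kr.nextID++
	k, err := newMasterKey(kr.nextID, now)
	if err != nil {
		return err
	}
	kr.keys[k.id] = k
	kr.active = k
	return nil
}

// NeedsRotation is the compliance check: has the active key aged past the period?
func (kr *KeyRing) NeedsRotation(now time.Time) bool {
	return now.Sub(kr.active.created) >= RotationPeriod
}

// ActiveID reports which key generation is currently used for sealing.
func (kr *KeyRing) ActiveID() uint32 { return kr.active.id }

// Seal encrypts plaintext with the active key, rotating first if it has aged out.
// Wire format (assumed): 4-byte big-endian key ID | 12-byte nonce | GCM ciphertext+tag.
// The key ID is bound as associated data so it cannot be swapped in transit.
func (kr *KeyRing) Seal(now time.Time, plaintext []byte) ([]byte, error) {
	if kr.NeedsRotation(now) {
		if err := kr.Rotate(now); err != nil {
			return nil, err
		}
	}
	k := kr.active
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, k.id)
	out := make([]byte, 0, 4+len(nonce)+len(plaintext)+k.aead.Overhead())
	out = append(out, hdr...)
	out = append(out, nonce...)
	return k.aead.Seal(out, nonce, plaintext, hdr), nil
}

// Open looks up the key named in the header and authenticates/decrypts the message.
func (kr *KeyRing) Open(msg []byte) ([]byte, error) {
	if len(msg) < 4 {
		return nil, errors.New("short message")
	}
	id := binary.BigEndian.Uint32(msg[:4])
	k, ok := kr.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown or retired key id %d", id)
	}
	ns := k.aead.NonceSize()
	if len(msg) < 4+ns {
		return nil, errors.New("short message")
	}
	return k.aead.Open(nil, msg[4:4+ns], msg[4+ns:], msg[:4])
}

// Retire drops an old key once nothing sealed under it is still in flight
// (or immediately if it is believed compromised). The active key is never retired here.
func (kr *KeyRing) Retire(id uint32) {
	if id != kr.active.id {
		delete(kr.keys, id)
	}
}

func main() {
	t0 := time.Date(2013, 1, 24, 0, 0, 0, 0, time.UTC) // constructed timestamp
	kr, err := NewKeyRing(t0)
	if err != nil {
		panic(err)
	}
	c1, _ := kr.Seal(t0, []byte("policy push #1"))
	c2, _ := kr.Seal(t0.Add(31*24*time.Hour), []byte("policy push #2")) // triggers rotation
	fmt.Printf("message 1 sealed under key %d, message 2 under key %d\n",
		binary.BigEndian.Uint32(c1[:4]), binary.BigEndian.Uint32(c2[:4]))
}
```

The point the check in the SRG is after is visible in `Seal`: once the active key is older than `RotationPeriod`, new traffic is sealed under a fresh key, so a key that leaks only exposes what was sent during its own period. Keeping the superseded key in the ring for a short overlap, and then calling `Retire`, is what lets the agent open messages that were already in flight at rotation time without leaving the old key usable indefinitely.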