The mobile operating system must employ mobile device management services to centrally manage security relevant configuration and policy settings.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33237	SRG-OS-000229-MOS-000117	SV-43655r2_rule		Medium

Description
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of mobile device management (MDM) allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Description

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of mobile device management (MDM) allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-04-12

Details

Check Text ( C-41533r2_chk )
Inspect a sample of mobile devices and the MDM to verify the MDM is being used to centrally manage the devices. Ask a system administrator to push a temporary configuration setting to one of the devices to validate the MDM configuration capability is operational. The mobile OS must support the ability of an MDM to enable or disable the following device interfaces: - Wi-Fi - Bluetooth - Global Positioning System (GPS) receiver - Near-field communications - Infrared port - Microphone - Camera - Memory card port - USB port The mobile OS must further support the ability of an MDM to restrict how these interfaces are used when they are enabled. Required managed functions include the ability to enable or disable: - Over the air provisioning - USB tethering - Automatic connection to known Wi-Fi sites - Personal hotspot functionality - Bluetooth profiles other than the serial port, headset, hands free, or phone book profiles - Bluetooth discoverable mode - VPN split tunneling functionality - Audio recording functionality - Video recording functionality - Location services - Short message service (SMS) - Multimedia messaging service (MMS) - USB mass storage mode - Availability of contact database information when device is locked - Contact database fields available outside the contact application The mobile OS also must support the ability of an MDM to enforce the following security related configuration parameters: - Device unlock password - Device unlock password complexity - Duration of inactivity before device lock - Encryption of data on storage media - Encryption of data in transit - Permitted applications (application white list) - Prohibited web sites (web site blacklist) - Web proxy URL Finally, the mobile operating system must enforce the ability of the MDM agent application to scan the device for security policy compliance at a periodic interval configured on the agent, and initiate commands to wipe storage media. If the MDM does not manage any of the required settings listed above, this is a finding.

Check Text ( C-41533r2_chk )

Inspect a sample of mobile devices and the MDM to verify the MDM is being used to centrally manage the devices. Ask a system administrator to push a temporary configuration setting to one of the devices to validate the MDM configuration capability is operational.

The mobile OS must support the ability of an MDM to enable or disable the following device interfaces:
- Wi-Fi
- Bluetooth
- Global Positioning System (GPS) receiver
- Near-field communications
- Infrared port
- Microphone
- Camera
- Memory card port
- USB port

The mobile OS must further support the ability of an MDM to restrict how these interfaces are used when they are enabled. Required managed functions include the ability to enable or disable:
- Over the air provisioning
- USB tethering
- Automatic connection to known Wi-Fi sites
- Personal hotspot functionality
- Bluetooth profiles other than the serial port, headset, hands free, or phone book profiles
- Bluetooth discoverable mode
- VPN split tunneling functionality
- Audio recording functionality
- Video recording functionality
- Location services
- Short message service (SMS)
- Multimedia messaging service (MMS)
- USB mass storage mode
- Availability of contact database information when device is locked
- Contact database fields available outside the contact application

The mobile OS also must support the ability of an MDM to enforce the following security related configuration parameters:
- Device unlock password
- Device unlock password complexity
- Duration of inactivity before device lock
- Encryption of data on storage media
- Encryption of data in transit
- Permitted applications (application white list)
- Prohibited web sites (web site blacklist)
- Web proxy URL

Finally, the mobile operating system must enforce the ability of the MDM agent application to scan the device for security policy compliance at a periodic interval configured on the agent, and initiate commands to wipe storage media.

If the MDM does not manage any of the required settings listed above, this is a finding.

Fix Text (F-37167r1_fix)
Implement an MDM system to centrally manage configuration settings.