
The mobile operating system must disable the mobile device upon the MDM agent's instruction, permitting someone in possession of the device to make emergency 911 calls only.


Overview

Finding ID: V-33271
Version: SRG-OS-000260-MOS-000130
Rule ID: SV-43690r2_rule
IA Controls:
Severity: High
Description
Under some conditions, a compromised device represents a threat to other computing resources on the network. For example, a compromised device may attempt to conduct a denial of service attack on other devices, or may be executing a mechanism to spread malware before a countermeasure has been put in place. In these situations, it is critical that mobile device management (MDM) be able to disable the device to protect other network resources. Disabling the device means disabling all user functionality with the exception of making emergency 911 calls. Disabling the device may, but need not, render the device or resident data permanently inaccessible. For example, the MDM may lock the device such that it cannot be unlocked without an additional MDM instruction, but preserve data and applications if the device is later unlocked. Actions to restore the device to factory defaults still permit user functionality and therefore do not qualify as disabling the device.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41568r1_chk)
Verify the mobile operating system configuration can disable the mobile device upon the MDM agent's instruction, while still permitting someone in possession of the device to make emergency 911 calls. The site may provide log evidence for mobile devices that have been disabled in the past. If the mobile operating system does not allow the MDM agent to disable the mobile device, this is a finding.
Fix Text (F-37201r1_fix)
Configure the mobile operating system and MDM such that an MDM can disable the device.