
The MobileIron Core MDM server must be configured to block mobile devices that do not have required applications installed.


Overview

Finding ID: V-70527
Version: MICR-9X-102130
Rule ID: SV-85149r1_rule
IA Controls:
Severity: Low
Description
The security baseline of managed mobile devices could be compromised if key required applications are not installed, including device monitoring and management applications. This requirement mitigates that risk.
SFR ID: FMT_SMF.1.1(1) Refinement #28

STIG Date
MobileIron Core v9.x MDM Security Technical Implementation Guide, 2019-05-06

Details

Check Text ( C-70927r1_chk )
Review MobileIron Core Server documentation and configuration settings to determine if the server blocks mobile devices that do not have required applications installed.

Task 1: Verify the configuration of the app control alert
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Logs >> Event Settings.
3. Select the Policy Violation Event that has been set up for sending an alert.
4. Click Edit.
5. In the Security Policy Triggers section, look for the App Control – All Platforms heading.
6. Confirm that the app control alert “Required app not found” is selected.
7. In the Apply to Labels section, verify that the labels assigned to the managed devices in scope are in the Selected column. Labels are administrator-defined; this step confirms that the event applies to the intended set of devices.
8. Click Cancel.

Task 2: Verify the custom compliance action
1. Go to Policies & Configs >> Compliance Actions.
2. Select the compliance action that was configured for when a required app is not installed.
3. Click Actions >> Edit.
4. In the Alert section, verify that “Send a compliance notification or alert to the user” is selected.
5. In the Block Access section, verify that Block email access and AppConnect apps is selected.
6. In the Quarantine section, verify the following are selected:
a. Quarantine the device
b. Remove All Configurations
c. Do not remove Wi-Fi settings for all devices (iOS and Android only)
7. Verify “Enforce Compliance Actions Locally on Devices” is selected.
8. Click Cancel.

Task 3: Verify the app control rule
1. In the Admin Portal, go to Apps >> App Control.
2. Select the App Control Rule that was configured for checking that the required app is installed.
3. Click the edit icon.
4. Verify that the selected Type option is Required: (iOS and Android only)
5. Under Rule Entries for App, verify that Identifier Equals is selected.
6. Verify that the correct app ID is in the App identifier/Name field.
7. Verify that the desired Device Platform (All) is selected
8. To verify each additional required app, repeat steps 5 and 6 for each rule entry (the Required type in step 4 is set once for the whole rule).
9. Click Cancel.

Task 4: Verify the app control rule in the security policy
1. In Admin Portal, go to Policies & Configs >> Policies.
2. Select the security policy that is applied to the managed devices in scope (the policy configured for this purpose).
3. Click Edit.
4. Scroll down to the Access Control section of the Modifying Security Policy dialog.
5. Under the For All Platforms heading, verify that the checkbox for the app control rules option which says “when a device violates following App Control rules:” is selected.
6. In the dropdown list, verify the custom compliance action that was created for this purpose was selected.
7. Under Rule Type: Required, verify that the app control rule created for this purpose is in the Enabled list.
8. Click Cancel.
9. Click More Actions >> Apply to Label.
10. Verify the appropriate labels are selected.
11. Close the Apply to Label dialog.

On the MobileIron Core Admin Portal:
- For Task 1, if the app control alert “Required app not found” is not selected, or the event has not been applied (by labels) to the appropriate set of devices, this is a finding.
- For Task 2, if the compliance action has not been configured as specified, this is a finding.
- For Task 3, if any required app is not listed in the App Control Rule, or the App Control Rule is not of type Required, this is a finding. Either condition alone is a finding.
- For Task 4, if the security policy does not map the custom app control rule (Task 3) to the custom compliance action (Task 2), this is a finding.

Fix Text (F-76765r1_fix)
To configure a compliance action that is triggered if a required app is not installed:

Task 1: Configure app control alert
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Logs >> Event Settings.
3. Select Add New >> Policy Violations Event.
4. Enter a name for the event (for example: App Control Alert).
5. In the Security Policy Triggers section, look for the App Control – All Platforms heading.
6. Select the app control alert “Required app not found”.
7. Deselect all the other checkboxes.
8. In the Apply to Labels section, select the appropriate labels in the Available column, and click the right arrow to move them to the selected column.
9. Click Save.

Task 2: Define a custom compliance action
1. Go to Policies & Configs >> Compliance Actions.
2. Click Add+ to open the Add Compliance Action dialog.
3. Enter a name for the compliance action (for example: Required App Alert).
4. In the Alert section, select Send a compliance notification or alert to the user.
5. In the Block Access section, select Block email access and AppConnect apps.
6. In the Quarantine section, select Quarantine the device.
7. Select Remove All Configurations and Do not remove Wi-Fi settings for all devices (iOS and Android only).
8. Select Enforce Compliance Actions Locally on Devices.
9. Click Save.

Task 3: Define app control rule
1. In the Admin Portal, go to Apps >> App Control.
2. Click Add.
3. Enter a name for this rule (for example: Required Application(s)). Note: the name cannot be changed once the app control rule is saved.
4. For the Type option, select Required: (iOS and Android only)
5. Under Rule Entries for App, select Identifier Equals.
6. Enter the app ID in the App identifier/Name field.
7. Select the desired Device Platform (All).
8. To add another app, click the "+" icon and repeat steps 5 and 6.
9. Click Save.

Task 4: Apply the app control rule to a security policy
1. In Admin Portal, go to Policies & Configs >> Policies.
2. Select the security policy you want to work with.
3. Click Edit.
4. Scroll down to the Access Control section of the Modifying Security Policy dialog.
5. Under the For All Platforms heading, select the checkbox for the app control rules option, which says “when a device violates following App Control rules:”.
6. In the dropdown list, select the custom compliance action that you just created.
7. Under Rule Type: Required, select the app control rule that you just created, and click the arrow button to move it to the Enabled list.
8. Click Save.
9. Apply the security policy to a label that is also applied to the target devices: click More Actions >> Apply to Label and select the labels assigned to those devices.
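The following is an added illustration, not MobileIron code and not part of the STIG: an offline model of the control assembled in Check Tasks 3 and 4 and Fix Tasks 2 through 4. It encodes the Required-type App Control rule (exact "Identifier Equals" match, scoped per platform), the compliance action with its Wi-Fi carve-out, and the label scoping of the security policy, then evaluates constructed device inventories against them. It also implements the check-text finding logic for Task 3, where a rule of the wrong type or a missing required app is each a finding on its own. All app identifiers, label names and device records are constructed sample values.

```python
"""Added illustration (not MobileIron code) of the required-app control on this
page: App Control rule (Task 3), compliance action (Task 2) and label-scoped
security policy (Task 4), evaluated offline against constructed devices."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleEntry:
    identifier: str   # compared with "Identifier Equals": exact match, no wildcards
    platform: str     # "iOS", "Android" or "All"


@dataclass(frozen=True)
class AppControlRule:
    name: str
    rule_type: str    # must be "Required" for this control
    entries: tuple


@dataclass(frozen=True)
class ComplianceAction:
    name: str
    alert_user: bool = True
    block_email_and_appconnect: bool = True
    quarantine: bool = True
    remove_all_configurations: bool = True
    keep_wifi_settings: bool = True   # "Do not remove Wi-Fi settings for all devices"
    enforce_locally: bool = True      # "Enforce Compliance Actions Locally on Devices"


@dataclass(frozen=True)
class Device:
    uuid: str
    platform: str
    labels: frozenset
    installed_apps: frozenset   # app identifiers reported by the MDM client


def audit_rule(rule, required_ids):
    """Check-text logic for Task 3: a finding if the rule type is not Required,
    or if any required identifier is absent from the entries. Either suffices."""
    listed = {e.identifier for e in rule.entries}
    problems = []
    if rule.rule_type != "Required":
        problems.append(f"rule type is {rule.rule_type!r}, not 'Required'")
    for app_id in sorted(set(required_ids) - listed):
        problems.append(f"required app {app_id} is not listed in the rule")
    return problems


def missing_required_apps(device, rule):
    """Entries scoped to All or to the device's platform that are not installed."""
    required = {e.identifier for e in rule.entries
                if e.platform in ("All", device.platform)}
    return sorted(required - device.installed_apps)


def evaluate(device, policy_labels, rule, action):
    """Apply the security policy: devices outside its labels are not evaluated;
    a device missing a required app receives the configured compliance action."""
    if not (device.labels & policy_labels):
        return {"in_scope": False, "missing": [], "actions": []}
    missing = missing_required_apps(device, rule)
    if not missing:
        return {"in_scope": True, "missing": [], "actions": []}
    actions = []
    if action.alert_user:
        actions.append("alert: Required app not found")
    if action.block_email_and_appconnect:
        actions.append("block email access and AppConnect apps")
    if action.quarantine:
        actions.append("quarantine device")
        if action.remove_all_configurations:
            actions.append("remove all configurations"
                           + (" except Wi-Fi" if action.keep_wifi_settings else ""))
    if action.enforce_locally:
        actions.append("enforce locally on device")
    return {"in_scope": True, "missing": missing, "actions": actions}


# Constructed sample configuration and inventory; identifiers are hypothetical.
RULE = AppControlRule("Required Application(s)", "Required", (
    RuleEntry("com.example.mdmagent", "All"),
    RuleEntry("com.example.securemail.ios", "iOS"),
))
ACTION = ComplianceAction("Required App Alert")
POLICY_LABELS = frozenset({"Corporate-Managed"})

DEVICES = [
    Device("d1", "iOS", frozenset({"Corporate-Managed"}),
           frozenset({"com.example.mdmagent", "com.example.securemail.ios"})),
    Device("d2", "Android", frozenset({"Corporate-Managed"}),
           frozenset({"com.example.browser"})),   # management agent missing
    Device("d3", "Android", frozenset({"BYOD"}), frozenset()),   # not labelled
]


def run():
    """Evaluate every constructed device against the policy."""
    return {d.uuid: evaluate(d, POLICY_LABELS, RULE, ACTION) for d in DEVICES}


if __name__ == "__main__":
    for uuid, result in run().items():
        print(uuid, result)
```

Two points the model makes visible: d2 is Android, so the iOS-only entry is not required of it, but the All-platform agent is, and its absence triggers the full action set; d3 carries no policy label, so it is never evaluated, which is why the check text insists that both the event (Task 1) and the security policy (Task 4) be applied to the labels covering the target devices.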