
The MobileIron Core MDM server must be configured with the Administrator roles: a. MD user. b. Server primary administrator. c. Security configuration administrator. d. Device user group administrator. e. Auditor.


Overview

Finding ID: V-70531
Version: MICR-9X-104110
Rule ID: SV-85153r1_rule
IA Controls:
Severity: Medium
Description
Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.

SFR ID: FMT_SMR.1.1(1) Refinement

STIG: MobileIron Core v9.x MDM Security Technical Implementation Guide
Date: 2019-05-06

Details

Check Text ( C-70931r1_chk )
Review the MobileIron Core Server configuration settings, and verify the server is configured with the Administrator roles.

Note: Reviewers should reference the following document to see which roles must be assigned to each type of server administrator (these are the DoD required roles for each type of administrator): MobileIron Core and Android Client Mobile Device Management Protection Profile Guide.

Note: Any user of a registered MD is automatically assigned the MD User role (Applicable - Inherently Meets).

1. Verify at least one user is in the Server primary administrator role.
1a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
1b. Select Security >> Identity Source >> Local Users.
1c. Verify at least one user is listed under "Local User". All local users are automatically assigned the Server primary administrator role.

If there are no users in the server primary administrator role, this is a finding.

2. Verify at least one user is in the Security configuration administrator role and has been assigned required roles.
2a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
2b. Select Security >> Identity Source >> Local Users.
2c. Verify a User ID of a user expected to be in the server configuration administrator role is listed.
2d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
2e. Select Admin >> Admins.
2f. Find a server configuration administrator user and verify their assigned roles match the DoD definition of server configuration administrator as follows: Select the user and click Actions >> Edit Roles.

If there are no users assigned the server configuration administrator role or the roles assigned to any server configuration administrator user are not correct, this is a finding.

3. Verify a user is in the Device user group administrator role and has been assigned required roles.
3a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
3b. Select Security >> Identity Source >> Local Users.
3c. Verify a User ID of a user expected to be in the Device user group administrator role is listed.
3d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
3e. Select Admin >> Admins.
3f. Find a Device user group administrator user and verify their assigned roles match the DoD definition of Device user group administrator as follows: Select the user and click Actions >> Edit Roles.

If there are no users assigned the Device user group administrator role or the roles assigned to any Device user group administrator user are not correct, this is a finding.

4. Verify a user is in the Auditor role and has been assigned required roles.
4a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
4b. Select Security >> Identity Source >> Local Users.
4c. Verify a User ID of a user expected to be in the Auditor role is listed.
4d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
4e. Select Admin >> Admins.
4f. Find an Auditor user and verify their assigned roles match the DoD definition of Device user group administrator as follows: Select the user and click Actions >> Edit Roles.

If there are no users assigned the Auditor role or the roles assigned to any Auditor user are not correct, this is a finding.
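
The pass/fail logic of checks 1 through 4, as an added Python example that is not part of the STIG or of MobileIron's tooling. It assumes the reviewer has transcribed the Local Users list and each administrator's Edit Roles screen into the constructed structures shown; the role labels in BASELINE are placeholders to be replaced with the role lists from the Protection Profile Guide, and "match" is treated as an exact set match.

```python
# Required roles per administrator type. The labels are placeholders:
# replace them with the role lists from the Protection Profile Guide.
BASELINE = {
    "Security configuration administrator": {"PLACEHOLDER_ROLE_A", "PLACEHOLDER_ROLE_B"},
    "Device user group administrator": {"PLACEHOLDER_ROLE_C"},
    "Auditor": {"PLACEHOLDER_ROLE_D"},
}

def evaluate(local_users, admins, baseline=BASELINE):
    """Return a list of finding strings; an empty list means no finding.

    local_users: user IDs listed under Security >> Identity Source >> Local Users.
    admins: dicts {"user", "type", "roles"} transcribed from
            Admin >> Admins >> Actions >> Edit Roles (hypothetical layout).
    """
    findings = []
    # Check 1: every local user holds the Server primary administrator role,
    # so one listed local user is enough.
    if not local_users:
        findings.append("No user in the Server primary administrator role")
    # Checks 2-4: at least one user per type, and every such user's roles
    # must match the baseline (assumption: exact set equality).
    for admin_type, required in baseline.items():
        members = [a for a in admins if a["type"] == admin_type]
        if not members:
            findings.append(f"No user assigned the {admin_type} role")
            continue
        for a in members:
            roles = set(a["roles"])
            if roles != required:
                missing = sorted(required - roles)
                extra = sorted(roles - required)
                findings.append(f"{a['user']} ({admin_type}): roles do not match "
                                f"the baseline; missing={missing} extra={extra}")
    return findings

# Constructed sample data: no Device user group administrator exists, and the
# auditor account carries a role outside the auditor baseline.
SAMPLE_LOCAL_USERS = ["primary1", "secadmin1", "auditor1"]
SAMPLE_ADMINS = [
    {"user": "secadmin1", "type": "Security configuration administrator",
     "roles": ["PLACEHOLDER_ROLE_A", "PLACEHOLDER_ROLE_B"]},
    {"user": "auditor1", "type": "Auditor",
     "roles": ["PLACEHOLDER_ROLE_D", "PLACEHOLDER_ROLE_A"]},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOCAL_USERS, SAMPLE_ADMINS):
        print("FINDING:", finding)
```

Reporting extra roles as well as missing ones matters here because the rule's purpose is separation of duties: an auditor account that also holds a configuration role defeats it even though the auditor role is present.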
Fix Text (F-76769r1_fix)
Configure the MobileIron Core Server with the Administrator roles:

1. Follow the instructions in the MobileIron Core and Android Client Mobile Device Management Protection Profile Guide beginning on pg. 13 "Configuring administrators to have roles defined by federal requirements":
1a. Follow the instructions on page 16 "Configuring administrators to be a server primary administrator"
1b. Follow the instructions on page 17 "Configuring administrators to be a security configuration administrator"
1c. Follow the instructions on page 21 "Configuring administrators to be a device user group administrator"
1d. Follow the instructions on page 23 "Configuring administrators to be an auditor"
2. In each case, instructions are provided to create a new user with the identified role.