Only DoD PKI issued or DoD approved server authentication certificates must be installed on DoD mobile operating system devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-43208	AIOS-03-000001	SV-55956r1_rule		Medium

Description
If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing authentication credentials, which could then in turn be used to compromise DoD information and networks. Restricting device authentication certificates to an authorized list mitigates the risk of attaching to rogue devices and networks.

Description

If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing authentication credentials, which could then in turn be used to compromise DoD information and networks. Restricting device authentication certificates to an authorized list mitigates the risk of attaching to rogue devices and networks.

STIG	Date
Apple iOS 7 STIG	2014-08-26

Details

Check Text ( C-49235r1_chk )
This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Certificate Inventory" has only authorized certificates installed. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "USERS & DEVICES". 2. Click or tap on the word "Devices". 3. Click or tap the user. 4. Click or tap the "iOS" disclosure triangle under "Device Details". 5. Click or tap "Certificate Inventory". 6. Verify the certificates listed in the "Certificate Details" window are authorized. On the iOS device: 1. Open Settings app. 2. Tap "General". 3. Tap "Profiles". 4. Review each "CONFIGURATION PROFILES". If only one profile is present on the device, it will appear automatically. 5. Tap "More Details". 6. Verify listed "CERTIFICATES" are authorized. If any non DoD authorized certificates are present in the iOS Over-the-Air management tool or on the iOS device, this is a finding.

Check Text ( C-49235r1_chk )

This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device.
Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS Over-the-Air management tool, verify "Certificate Inventory" has only authorized certificates installed.
For example, in Mobile Iron Admin Portal:
1. Ask the MDM administrator to display the "USERS & DEVICES".
2. Click or tap on the word "Devices".
3. Click or tap the user.
4. Click or tap the "iOS" disclosure triangle under "Device Details".
5. Click or tap "Certificate Inventory".
6. Verify the certificates listed in the "Certificate Details" window are authorized.

On the iOS device:
1. Open Settings app.
2. Tap "General".
3. Tap "Profiles".
4. Review each "CONFIGURATION PROFILES". If only one profile is present on the device, it will appear automatically.
5. Tap "More Details".
6. Verify listed "CERTIFICATES" are authorized.

If any non DoD authorized certificates are present in the iOS Over-the-Air management tool or on the iOS device, this is a finding.

Fix Text (F-48795r1_fix)
Instruct the user of the iOS device to remove the unauthorized certificates.