The MaaS360 MDM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-82167	M360-10-007100	SV-96881r1_rule		Medium

Description
Having several administrative roles for the MaaS360 MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise. - Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS. - Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators. - Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator. - Auditor: Responsible for reviewing and maintaining server and mobile device audit logs. SFR ID: FMT_SMR.1.1(1)

Description

Having several administrative roles for the MaaS360 MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise. - Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS. - Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators. - Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator. - Auditor: Responsible for reviewing and maintaining server and mobile device audit logs. SFR ID: FMT_SMR.1.1(1)

STIG	Date
IBM MaaS360 with Watson v10.x MDM Security Technical Implementation Guide	2019-08-06

Details

Check Text ( C-81967r1_chk )
Review the MaaS360 server console and confirm that different roles (administrator, auditor, user) are created with different levels of privileges, providing separation of duties for different users/groups. On the MaaS360 console, complete the following steps: 1. Go to Setup >> Roles. 2. Verify all required roles are listed. (Note: Role titles may be different than listed in the requirement statement.) 3. Select applicable role and select "edit", and then verify the role has the appropriate rights to access based on vulnerability description of this requirement statement (check). If the MaaS360 server does not have all required roles and the roles do not have appropriate rights, this is a finding.

Check Text ( C-81967r1_chk )

Review the MaaS360 server console and confirm that different roles (administrator, auditor, user) are created with different levels of privileges, providing separation of duties for different users/groups.

On the MaaS360 console, complete the following steps:
1. Go to Setup >> Roles.
2. Verify all required roles are listed. (Note: Role titles may be different than listed in the requirement statement.)
3. Select applicable role and select "edit", and then verify the role has the appropriate rights to access based on vulnerability description of this requirement statement (check).

If the MaaS360 server does not have all required roles and the roles do not have appropriate rights, this is a finding.

Fix Text (F-89023r1_fix)
On the MaaS360 console, complete the following steps for each role: 1. Go to Setup >> Roles. 2. Select the "Add Role" button. 3. Under "Basic Information", input the Role Name and Role Description. 4. Under "Select Mode of Creation", click on the "Create new" bubble and then click "Next". 5. Under "Grant Access Rights", select the appropriate rights for the role and then click "Save".