
Jamf Pro v10.x EMM Security Technical Implementation Guide


Overview

Date          Finding Count (30)
2020-02-04    CAT I (High): 1    CAT II (Med): 28    CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-99597 High Jamf Pro EMM must be maintained at a supported version.
V-99607 Medium The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM.
V-99605 Medium MySQL database backups must be scheduled in Jamf Pro EMM.
V-99603 Medium Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM.
V-99601 Medium A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.
V-99609 Medium The Jamf Pro EMM local accounts password must be configured with length of 15 characters.
V-99585 Medium The Jamf Pro EMM server platform must be protected by a DoD-approved firewall.
V-99587 Medium The firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions.
V-99581 Medium The Jamf Pro EMM server must be configured to leverage the MDM platform user accounts and groups for Jamf Pro EMM server user identification and CAC authentication.
V-99583 Medium Authentication of Jamf Pro EMM server accounts must be implemented either via an Authentication Gateway Service (AGS) that connects to the site DoD Identity and Access Management (IdAM) environment using CAC authentication, or via strong password controls for local administrator accounts.
V-99567 Medium When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
V-99625 Medium The Jamf Pro EMM must automatically disable accounts after a 35 day period of account inactivity (local accounts).
V-99627 Medium The Jamf Pro EMM must enforce the limit of three consecutive invalid logon attempts by a user.
V-99589 Medium The firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
V-99621 Medium The Jamf Pro EMM local accounts must be configured with password maximum lifetime of 3 months.
V-99623 Medium The Jamf Pro EMM local accounts must prohibit password reuse for a minimum of five generations.
V-99599 Medium The default mysql_secure_installation hardening must be applied to the Jamf Pro EMM MySQL instance (the mysql_secure_installation script is run after MySQL is installed; it removes anonymous accounts and the test database and restricts root logins to the local host).
V-99619 Medium The Jamf Pro EMM local accounts must be configured with password minimum lifetime of 24 hours.
V-99593 Medium All Jamf Pro EMM server local accounts created during application installation and configuration must be disabled.
V-99591 Medium The Jamf Pro EMM server must connect to the Authentication Gateway Service (AGS) over an authenticated and encrypted connection to protect the confidentiality and integrity of transmitted information.
V-99611 Medium The Jamf Pro EMM local accounts must be configured with at least one lowercase character.
V-99575 Medium The Jamf Pro EMM server must be configured to transfer Jamf Pro EMM server logs to another server for storage, analysis, and reporting. Note: Jamf Pro EMM server logs include logs of MDM events and logs transferred to the Jamf Pro EMM server by MDM agents of managed devices.
V-99613 Medium The Jamf Pro EMM local accounts must be configured with at least one uppercase character.
V-99615 Medium The Jamf Pro EMM local accounts must be configured with at least one number.
V-99571 Medium The Jamf Pro EMM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.
V-99617 Medium The Jamf Pro EMM local accounts must be configured with at least one special character.
V-99573 Medium The Jamf Pro EMM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Jamf Pro EMM server install).
V-99569 Medium The Jamf Pro EMM server must configure the MDM agent/platform to enforce the DoD-required device enrollment restrictions, limiting enrollment to the approved device models.
V-99579 Medium The Jamf Pro EMM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
V-99577 Low The Jamf Pro EMM server must be configured to display the required DoD warning banner upon administrator logon. Note: This requirement is not applicable if the Target of Evaluation (TOE) platform is selected for FTA_TAB.1.1 in the Security Target (ST).
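The MySQL findings above (V-99601, V-99603 and V-99599, with a backup account for the dump scheduled under V-99605) describe a database configuration rather than a click-path, so the following is an added worked example of what they ask for. It is written for this page and is not taken from the STIG or from Jamf. It assumes MySQL 8.0 syntax, Jamf's default schema name jamfsoftware, the Jamf Pro web application on the same host as MySQL (so every account is bound to localhost), and placeholder passwords that must be replaced with long random secrets. The 90-day lifetime and five-generation history mirror the values the STIG sets for Jamf Pro local accounts (V-99621, V-99623); the STIG itself states no MySQL password-policy values, so treating them as the analog is this example's assumption.

```sql
-- Added example for the Jamf Pro MySQL findings (V-99601, V-99603, V-99599,
-- plus a backup account for V-99605). Not from the STIG or from Jamf.
-- Assumptions: MySQL 8.0 syntax, schema name jamfsoftware (Jamf default),
-- app and MySQL on the same host, placeholder passwords replaced before use.

-- V-99601: a uniquely named database rather than a shared or default schema.
CREATE DATABASE IF NOT EXISTS jamfsoftware;

-- V-99603: separate accounts, each limited to what its role needs.
-- (a) Application account entered in Jamf Pro's database settings. Its
--     privileges are scoped to the jamfsoftware schema, never global (*.*),
--     so GRANT OPTION, SUPER, FILE and PROCESS are absent. Jamf Pro alters
--     its own schema during upgrades, which is why DDL on this one schema
--     is kept. The expiry interval means the credential must be rotated in
--     Jamf Pro's database settings before day 90 or the server stops working.
CREATE USER IF NOT EXISTS 'jamfsoftware'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'REPLACE-WITH-LONG-RANDOM-SECRET-1'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5;
GRANT ALL PRIVILEGES ON jamfsoftware.* TO 'jamfsoftware'@'localhost';

-- (b) Backup account for the scheduled mysqldump (V-99605): read-only plus
--     what a consistent dump needs. mysqldump 8.0.21+ additionally wants
--     PROCESS unless it is run with --no-tablespaces; prefer the flag.
CREATE USER IF NOT EXISTS 'jamf_backup'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'REPLACE-WITH-LONG-RANDOM-SECRET-2'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5;
GRANT SELECT, LOCK TABLES, SHOW VIEW, TRIGGER, EVENT
  ON jamfsoftware.* TO 'jamf_backup'@'localhost';

-- V-99599: the steps mysql_secure_installation performs, written out so the
-- result is auditable: no anonymous accounts, no test schema, root only local.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';  -- leftover test grants
FLUSH PRIVILEGES;

-- Audit queries: each should return zero rows on a compliant server.
SELECT User, Host FROM mysql.user WHERE User = '';             -- anonymous accounts
SELECT User, Host FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');  -- remote root
SELECT SCHEMA_NAME FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = 'test';
-- Any account other than root holding a global privilege (MySQL 8's locked
-- reserved accounts mysql.sys / mysql.session / mysql.infoschema excluded):
SELECT GRANTEE, PRIVILEGE_TYPE FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE NOT LIKE "'root'@%"
   AND GRANTEE NOT LIKE "'mysql.%"
   AND PRIVILEGE_TYPE <> 'USAGE';

-- Confirm the application account is scoped to one schema only.
SHOW GRANTS FOR 'jamfsoftware'@'localhost';
```

Run the statements as the MySQL root account from the database host itself; the audit block at the end is what a reviewer would paste into the console when checking V-99599 and V-99603, and the SHOW GRANTS output should list nothing beyond `USAGE ON *.*` and the grant on `jamfsoftware`.*.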