
Mobile device user accounts must not be assigned to the default security/IT policy.


Overview

Finding ID: V-24978
Version: WIR-WMS-GD-007
Rule ID: SV-30819r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
The mobile device default security/IT policy on the MDM does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.
STIG: Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)
Date: 2012-07-20

Details

Check Text (C-31348r4_chk)
User accounts will only be assigned a STIG-compliant security/IT policy.

Use the following procedure to determine which policy sets on the MDM server user accounts have been assigned to:

-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedure:
--Log into the MDM console.
--View all iOS policies on the server.

-Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted.

Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly.

Verify all users are assigned to a STIG policy set. The exact procedure will depend on the MDM product being reviewed.

Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.
Fix Text (F-27619r2_fix)
User accounts will only be assigned a STIG-compliant security/IT policy.