The over-the-air (OTA) device provisioning password must have expiration set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24998	WIR-GMMS-008	SV-30738r2_rule	ECWN-1	Medium

Description
The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to setup rogue devices on the network. Note Active Directory credentials should not be utilized for the OTA provisioning password.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2012-07-20

Details

Check Text ( C-31148r5_chk )
1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: -Have the SA identify STIG compliant and non compliant policies on the server. --Log into the MDM server console. --Click on the Policies tab. --View all iOS security policies on the server. -Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted. 2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. -Note: If there is a finding, note the name of the non STIG-compliant policy in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the MDM console and click on the Policies tab. -Select an iOS security policy to review. -The exact procedure used to verify the required setting will vary by MDM product. For the Good technology MDM server: -Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less. -Verify “Allow OTA Provisioning PIN reuse” is unchecked. Mark as a finding if the OTA provisioning password is not set.

Check Text ( C-31148r5_chk )

1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure:
-Have the SA identify STIG compliant and non compliant policies on the server.
--Log into the MDM server console.
--Click on the Policies tab.
--View all iOS security policies on the server.
-Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted.

2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy.
-Note: If there is a finding, note the name of the non STIG-compliant policy in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the MDM console and click on the Policies tab.
-Select an iOS security policy to review.
-The exact procedure used to verify the required setting will vary by MDM product.

For the Good technology MDM server:

-Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less.
-Verify “Allow OTA Provisioning PIN reuse” is unchecked.

Mark as a finding if the OTA provisioning password is not set.

Fix Text (F-27641r3_fix)
Set the OTA device provisioning password expiration as required.