The MDM server must enable an MDM security profile on each managed iOS device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25000	WIR-GMMS-011	SV-30740r2_rule	ECWN-1	Medium

Description
Sensitive DoD data could be compromised if a MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS MDM security profile is removed access to the protected Government data inside the security container will not be allowed. The user must be forced to re-install the MDM security profile before gaining access. The mobile device will report the removal and implementation of the MDM security profile to the MDM management server.

Description

Sensitive DoD data could be compromised if a MDM security profile is not installed on DoD iOS devices. Other iOS profiles do not have access to all security APIs on the iOS device. If the iOS MDM security profile is removed access to the protected Government data inside the security container will not be allowed. The user must be forced to re-install the MDM security profile before gaining access. The mobile device will report the removal and implementation of the MDM security profile to the MDM management server.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2012-07-20

Details

Check Text ( C-31150r5_chk )
If the MDM client provides the mobile device security container, use the following procedure for verifying requirement is met: 1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure: -Have the SA identify STIG compliant and non compliant policies on the server. --Log into the MDM server console. --Click on the Policies tab. --View all iOS security policies on the server. -Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted. 2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy. -Note: If there is a finding, note the name of the non STIG-compliant policy in the Findings Details section in VMS/Component Provided Tracking Database. -Launch the MDM console and click on the Policies tab. -Select an iOS security policy to review. -The exact procedure used to verify the required setting will vary by MDM product. For the Good technology MDM server: -Verify “Enable MDM profile” is checked. -Verify all access rights for the MDM profile are enabled. This procedure will vary by MDM product. Here are example of configuration settings that may be available and should be enabled: ---Installation, removal, and inspection of configuration profiles. ---Installation, removal, and inspection of provisioning profiles. ---Inspection of installed applications. ---Query of device information. ---Query of network information. ---Restriction-related queries. ---Security-related queries. Mark as a finding if the MDM profile and required access rights are not set as required.

Check Text ( C-31150r5_chk )

If the MDM client provides the mobile device security container, use the following procedure for verifying requirement is met:
1. Make a list of all iOS security policies listed on the MDM server that have been assigned to iOS devices and review each policy using the following procedure:
-Have the SA identify STIG compliant and non compliant policies on the server.
--Log into the MDM server console.
--Click on the Policies tab.
--View all iOS security policies on the server.
-Note: STIG-compliant policies should be identified as such in the policy title. An example is STIG_iOS_Policy. It is recommended that all non-STIG policies be deleted.

2. Select each security policy iOS devices are assigned to, and in turn, verify the required settings are in the policy.
-Note: If there is a finding, note the name of the non STIG-compliant policy in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the MDM console and click on the Policies tab.
-Select an iOS security policy to review.
-The exact procedure used to verify the required setting will vary by MDM product.

For the Good technology MDM server:

-Verify “Enable MDM profile” is checked.

-Verify all access rights for the MDM profile are enabled. This procedure will vary by MDM product. Here are example of configuration settings that may be available and should be enabled:
---Installation, removal, and inspection of configuration profiles.
---Installation, removal, and inspection of provisioning profiles.
---Inspection of installed applications.
---Query of device information.
---Query of network information.
---Restriction-related queries.
---Security-related queries.

Mark as a finding if the MDM profile and required access rights are not set as required.

Fix Text (F-27643r2_fix)
Configure the MDM server to enable an MDM security profile and access rights of the profile on each managed iOS device.