STIGQter: STIG Summary: MobileIron Core v9.x MDM Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 26 Jul 2019: The MobileIron Core MDM server must be configured to block mobile devices that do not have required OS type and version.

DISA Rule

SV-85145r1_rule

Vulnerability Number

V-70523

Group Title

PP-MDM-991000

Rule Version

MICR-9X-100120

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the MobileIron Core Server to block mobile devices that do not have required OS types and version.

Task 1: Configure Operating Systems allowed to register
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Settings >> Users & Devices >> Registration.
3. Scroll to the Platforms for Registration section.
4. In the Enabled Platforms list, select the platforms that are not approved: Windows, etc.
Note: Shift-click platforms to select more than one.
5. Click the left arrow button to move the selected platforms to the Disabled Platforms list.
6. Click Save.

Task 2: Configure OS version alert
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Logs >> Event Settings.
3. Select Add New >> Policy Violations Event.
4. Enter a name for the event (for example: OS Event).
5. For an Android OS version alert:
a. In the Security Policy Triggers section, look for the Android heading.
b. Confirm that the app control alert "Disallowed Android OS version found" is selected.
6. For an iOS OS version alert:
a. In the Security Policy Triggers section, look for the iOS heading.
b. Confirm that the app control alert "Disallowed iOS version found" is selected.
7. Deselect all the other checkboxes on the screen.
8. In the Apply to Labels section, select the appropriate labels in the Available column, and click the right arrow to move them to the selected column.
9. Click Save.

Task 3: Define a custom compliance action
1. Go to Policies & Configs >> Compliance Actions.
2. Click Add+ to open the Add Compliance Action dialog.
3. Enter a name for the compliance action (for example: OS Compliance Alert).
4. In the Alert section, select Send a compliance notification or alert to the user.
5. In the Block Access section, select Block email access and AppConnect apps.
6. In the Quarantine section, select Quarantine.
7. Select Remove All Configurations.
8. Select Enforce Compliance Actions Locally on Devices.
9. Click Save.

Task 4: Set up the security policy to trigger the compliance action when the violations occur:
1. In Admin Portal, go to Policies & Configs >> Policies.
2. Select the security policy you want to work with.
3. Click Edit.
4. Scroll down to the Access Control section of the Modifying Security Policy dialog.
5. If the security policy is to be applied to Android devices:
a. Under For Android devices, select the checkbox for when Android version is less than.
b. On the same line, in the dropdown list, select the custom compliance action that you just created.
c. On the same line, in the dropdown list for Android OS versions, select the appropriate OS version.
6. If the security policy is to be applied to iOS devices:
a. Under For iOS devices, select the checkbox for when iOS version is less than.
b. On the same line, in the dropdown list, select the custom compliance action that you just created.
c. On the same line, in the dropdown list for iOS versions, select the appropriate OS version.
7. Click Save.
8. Apply the security policy to a label that is also applied to the target devices. Click More Actions >> Apply to Label.
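As an added illustration (not MobileIron code), the Python below evaluates a constructed device inventory export against the policy the four tasks above configure: a platform allowlist for registration (Task 1), a per-platform "version is less than" trigger (Task 4), and the custom compliance action that fires on a violation (Task 3). The platform names, minimum versions and inventory rows are assumptions.

```python
# Added example (not MobileIron code): evaluate a constructed device inventory
# against the OS-type allowlist and minimum-version policy configured above.
# Platform names, minimum versions and inventory rows are assumptions.

ENABLED_PLATFORMS = {"iOS", "Android"}            # Task 1: platforms allowed to register
MINIMUM_OS_VERSION = {"iOS": "12.4", "Android": "9.0"}  # Task 4: "version is less than" triggers
COMPLIANCE_ACTION = (                             # Task 3: custom compliance action
    "send compliance alert to user",
    "block email access and AppConnect apps",
    "quarantine device",
    "remove all configurations",
)

def parse_version(text):
    """Split a dotted version into integers so that 10.1 sorts above 9.12."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_below(actual, minimum):
    """True when actual < minimum; shorter tuples are zero-padded (9 == 9.0)."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) < m + (0,) * (width - len(m))

def evaluate_device(platform, os_version):
    """Return (verdict, actions): blocked at registration, version trigger
    fired (compliance action applies), or compliant."""
    if platform not in ENABLED_PLATFORMS:
        return "registration blocked (platform disabled)", ()
    if version_below(os_version, MINIMUM_OS_VERSION[platform]):
        return f"Disallowed {platform} OS version found", COMPLIANCE_ACTION
    return "compliant", ()

def evaluate_inventory(rows):
    """rows: (device_id, platform, os_version) tuples -> {device_id: result}."""
    return {dev: evaluate_device(plat, ver) for dev, plat, ver in rows}

# Constructed sample inventory export: (device id, platform, OS version).
SAMPLE_INVENTORY = [
    ("dev-001", "iOS", "13.1"),       # compliant
    ("dev-002", "iOS", "12.3.2"),     # below 12.4 -> compliance action
    ("dev-003", "Android", "9"),      # equals 9.0 -> compliant
    ("dev-004", "Android", "8.1.0"),  # below 9.0 -> compliance action
    ("dev-005", "Windows", "10.0"),   # platform disabled -> cannot register
]
```

Running `evaluate_inventory(SAMPLE_INVENTORY)` yields one verdict per device; the version comparison is numeric per dotted component, so "9" equals "9.0" and "10.1" is not below "9.12".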

Check Contents

Review MobileIron Core Server documentation and configuration settings to determine if the server blocks mobile devices that do not have required OS types and version.

Task 1: Verify only allowed Operating Systems can register
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Settings >> Users & Devices >> Registration.
3. Scroll to the Platforms for Registration section.
4. Verify that only approved operating systems appear in the Enabled Platforms list.

Task 2: Verify the configuration of the OS version alert
1. Log in to the MobileIron Core Admin Portal.
2. In the Admin Portal, go to Logs >> Event Settings.
3. Select the Policy Violation Event that has been configured for sending an alert.
4. Click Edit.
5. For an Android OS version alert:
a. In the Security Policy Triggers section, look for the Android heading.
b. Confirm that the app control alert "Disallowed Android OS version found" is selected.
6. For an iOS OS version alert:
a. In the Security Policy Triggers section, look for the iOS heading.
b. Confirm that the app control alert "Disallowed iOS version found" is selected.
7. In the Apply to Labels section, verify that the appropriate labels are in the Selected column.
8. Click Cancel.

Task 3: Verify the custom compliance action
1. Go to Policies & Configs >> Compliance Actions.
2. Select the compliance action that was configured for when a required app is not installed.
3. Click Actions >> Edit.
4. In the Alert section, verify that “Send a compliance notification or alert to the user” is selected.
5. In the Block Access section, verify Block email access and AppConnect apps has been selected.
6. In the Quarantine section, verify the following are selected:
a. Quarantine the device
b. Remove All Configurations
c. Do not remove Wi-Fi settings for all devices (iOS and Android only)
7. Verify “Enforce Compliance Actions Locally on Devices” is selected.
8. Click Cancel.

Task 4: Verify the security policy is set up to trigger the compliance action when violations occur:
1. In Admin Portal, go to Policies & Configs >> Policies.
2. Select the security policy that is to be verified.
3. Click Edit.
4. Scroll down to the Access Control section of the Modifying Security Policy dialog.
5. If the security policy is applied to Android devices:
a. Under For iOS devices, verify the checkbox for when iOS version is less than is selected.
b. On the same line, in the dropdown list, verify the custom compliance action that you just created is selected.
c. On the same line, in the dropdown list for iOS OS versions, verify the appropriate OS version is selected.
6. If the security policy is applied to iOS devices:
a. Under For Android devices, verify the checkbox for when Android version is less than is selected.
b. On the same line, in the dropdown list, verify the custom compliance action that you just created is selected.
c. On the same line, in the dropdown list for Android OS versions, verify the appropriate OS version is selected.
7. Click Cancel.
8. Click More Actions >> Apply to Label.
9. Verify the appropriate labels are selected.
10. Close the Apply to Label dialog.

If the MobileIron Core Admin Portal is not configured so that only approved OS types are listed on the "Enabled Platforms" list, or is not configured to alert when disallowed OS versions are found, or “Enforce Compliance Actions Locally on Devices” is not selected, or a compliance trigger is not enabled, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3081

Comments