STIGQter: STIG Summary: MobileIron Core v9.x MDM Security Technical Implementation Guide
Version: 1 Release: 4 Benchmark Date: 26 Jul 2019

The MobileIron Core MDM server must be configured with the Administrator roles: a. MD user. b. Server primary administrator. c. Security configuration administrator. d. Device user group administrator. e. Auditor.

DISA Rule

SV-85153r1_rule

Vulnerability Number

V-70531

Group Title

PP-MDM-202105

Rule Version

MICR-9X-104110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the MobileIron Core Server with the Administrator roles:

1. Follow the instructions in the MobileIron Core and Android Client Mobile Device Management Protection Profile Guide beginning on pg. 13 "Configuring administrators to have roles defined by federal requirements":
1a. Follow the instructions on page 16 "Configuring administrators to be a server primary administrator"
1b. Follow the instructions on page 17 "Configuring administrators to be a security configuration administrator"
1c. Follow the instructions on page 21 "Configuring administrators to be a device user group administrator"
1d. Follow the instructions on page 23 "Configuring administrators to be an auditor"
2. In each case, instructions are provided to create a new user with the identified role.

Check Contents

Review the MobileIron Core Server configuration settings, and verify the server is configured with the Administrator roles.

Note: Reviewers should reference the following document to see which roles must be assigned to each type of server administrator (these are the DoD required roles for each type of administrator): MobileIron Core and Android Client Mobile Device Management Protection Profile Guide.

Note: Any user of a registered MD is automatically assigned the MD User role (applicable-Inherently Meets).

1. Verify at least one user is in the Server primary administrator role.
1a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
1b. Select Security >> Identity Source >> Local Users.
1c. Verify at least one user is listed under "Local User". All local users are automatically assigned the Server primary administrator role.

If there are no users in the server primary administrator role, this is a finding.

2. Verify at least one user is in the Security configuration administrator role and has been assigned required roles.
2a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
2b. Select Security >> Identity Source >> Local Users.
2c. Verify a User ID of a user expected to be in the security configuration administrator role is listed.
2d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
2e. Select Admin >> Admins.
2f. Find a security configuration administrator user and verify their assigned roles match the DoD definition of security configuration administrator as follows: Select the user and click Actions >> Edit Roles.

If there are no users assigned the security configuration administrator role or the roles assigned to any security configuration administrator user are not correct, this is a finding.

3. Verify a user is in the Device user group administrator role and has been assigned required roles.
3a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
3b. Select Security >> Identity Source >> Local Users.
3c. Verify a User ID of a user expected to be in the Device user group administrator role is listed.
3d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
3e. Select Admin >> Admins.
3f. Find a Device user group administrator user and verify their assigned roles match the DoD definition of Device user group administrator as follows: Select the user and click Actions >> Edit Roles.

If there are no users assigned the Device user group administrator role or the roles assigned to any Device user group administrator user are not correct, this is a finding.

4. Verify a user is in the Auditor role and has been assigned required roles.
4a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
4b. Select Security >> Identity Source >> Local Users.
4c. Verify a User ID of a user expected to be in the Auditor role is listed.
4d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
4e. Select Admin >> Admins.
4f. Find an Auditor user and verify their assigned roles match the DoD definition of Auditor as follows: Select the user and click Actions >> Edit Roles.

If there are no users assigned the Auditor role or the roles assigned to any Auditor user are not correct, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3081

Comments