STIGQter STIGQter: STIG Summary: VMware AirWatch v9.x MDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 19 Sep 2016: The AirWatch MDM Server must leverage the MDM Platform user accounts and groups for AirWatch MDM Server user identification and authentication and the MDM Platform accounts must be implemented via an enterprise directory service.

DISA Rule

SV-86269r1_rule

Vulnerability Number

V-71645

Group Title

PP-MDM-204101 PP-MDM-204102

Rule Version

VMAW-09-000550

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the AirWatch MDM Server to leverage an enterprise authentication mechanism.

On the AirWatch console complete the following procedure to leverage an enterprise authentication mechanism, and configure users to leverage directory service accounts for enrollment:

1. Follow steps on pages 9-18 of "VMware AirWatch Directory Services" guide artifact to connect AirWatch MDM Server application to enterprise authentication mechanism.
2. Log into the AirWatch MDM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under "Devices and Users" heading, choose "General".
6. Choose "Enrollment".
7. On "Authentication Modes" setting, check the box labeled "Directory" and uncheck all other options.
8. Choose "Save".

Check Contents

On the AirWatch console complete the following procedure to ensure that the AirWatch MDM Server is configured to leverage an enterprise authentication mechanism, and that AirWatch users can only use directory accounts to enroll into the AirWatch MDM Server:

1. For MDM Server Platform configuration, refer to "VMware AirWatch Directory Services Integration" guide artifact, pages 9-18.
2. Log into the AirWatch MDM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under "Server" tab, verify directory service connection information.
8. Under "User" tab, verify User Group connection information.
9. Under "Group" tab, verify Group connection information.
10. Choose "X" to close screen.
11. Choose "Groups and Settings".
12. Choose "All Settings".
13. Under "Devices and Users" heading choose "General".
14. Choose "Enrollment".
15. On "Authentication Modes" setting, verify only the box titled "Directory" is selected.

If on the AirWatch MDM server console "Directory" is not selected as the authentication mode, this is a finding.

Vulnerability Number

V-71645

Documentable

False

Rule Version

VMAW-09-000550

Severity Override Guidance

On the AirWatch console complete the following procedure to ensure that the AirWatch MDM Server is configured to leverage an enterprise authentication mechanism, and that AirWatch users can only use directory accounts to enroll into the AirWatch MDM Server:

1. For MDM Server Platform configuration, refer to "VMware AirWatch Directory Services Integration" guide artifact, pages 9-18.
2. Log into the AirWatch MDM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under "Server" tab, verify directory service connection information.
8. Under "User" tab, verify User Group connection information.
9. Under "Group" tab, verify Group connection information.
10. Choose "X" to close screen.
11. Choose "Groups and Settings".
12. Choose "All Settings".
13. Under "Devices and Users" heading choose "General".
14. Choose "Enrollment".
15. On "Authentication Modes" setting, verify only the box titled "Directory" is selected.

If on the AirWatch MDM server console "Directory" is not selected as the authentication mode, this is a finding.

Check Content Reference

M

Target Key

3103

Comments