STIGQter: STIG Summary: IBM MaaS360 with Watson v10.x MDM Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 26 Apr 2019:

The MaaS360 MDM Agent must provide an alert via the trusted channel to the MDM server for the following event: change in enrollment state.

DISA Rule

SV-96909r1_rule

Vulnerability Number

V-82195

Group Title

PP-MDM-302001

Rule Version

M360-10-300100

Severity

CAT II

CCI(s)

• CCI-002699 - The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.

Weight

10

Fix Recommendation

Configure the MaaS360 Agent to alert via the trusted channel to the MaaS360 server for the following event: change in enrollment status

On the MaaS360 Console, complete the following steps:
1. Navigate to Security >> Compliance Rules >> Add Rule Set and Create a rule.
2. Under Basic Settings >> Select Applicable Platforms, select the MOS, and under "Event Notification Recipients", input the email for the system administrator who will get the notification.
3. Under “Enforcement Rules”, select Enforcement Rules and ensure the "Enrollment" box is checked and that all boxes for "Trigger Action on Managed Status" are checked.
4. Ensure "Enforcement Action" is set to "alert".

Check Contents

Review the MaaS360 server configuration to verify the MaaS360 Agent alerts the MDM via the trusted channel to the MaaS360 server for the following event: change in enrollment status.

On the MaaS360 Console, complete the following steps:
1. Navigate to Security >> Compliance Rules.
2. Have the system administrator identify the applicable "Change in enrollment status" rule set name.
3. Select rule set name in list.
4. Under “Enforcement Rules”, verify the "Enrollment" box is checked, all boxes are checked for "Trigger Action on Managed Status", and "Enforcement Action" is set to "alert".

If there are no "Change in enrollment status" rule set names set up or rules that have been set up are not configured correctly, this is a finding.

Vulnerability Number

V-82195

Documentable

False

Rule Version

M360-10-300100

Severity Override Guidance

Review the MaaS360 server configuration to verify the MaaS360 Agent alerts the MDM via the trusted channel to the MaaS360 server for the following event: change in enrollment status.

On the MaaS360 Console, complete the following steps:
1. Navigate to Security >> Compliance Rules.
2. Have the system administrator identify the applicable "Change in enrollment status" rule set name.
3. Select rule set name in list.
4. Under “Enforcement Rules”, verify the "Enrollment" box is checked, all boxes are checked for "Trigger Action on Managed Status", and "Enforcement Action" is set to "alert".

If there are no "Change in enrollment status" rule set names set up or rules that have been set up are not configured correctly, this is a finding.

Check Content Reference

M

Target Key

3403

Comments