| Checked | Name | Title |
|---|
| ☐ | SV-108671r1_rule | When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate. |
| ☐ | SV-108673r1_rule | The Jamf Pro EMM server must configure the MDM Agent/platform to enable the DoD required device enrollment restrictions allowed for enrollment [specific device model]. |
| ☐ | SV-108675r1_rule | The Jamf Pro EMM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity. |
| ☐ | SV-108677r1_rule | The Jamf Pro EMM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Jamf Pro EMM server install). |
| ☐ | SV-108679r1_rule | The Jamf Pro EMM server must be configured to transfer Jamf Pro EMM server logs to another server for storage, analysis, and reporting.
Note: Jamf Pro EMM server logs include logs of MDM events and logs transferred to the Jamf Pro EMM server by MDM agents of managed devices. |
| ☐ | SV-108681r1_rule | The Jamf Pro EMM server must be configured to display the required DoD warning banner upon administrator logon.
Note: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST). |
| ☐ | SV-108683r1_rule | The Jamf Pro EMM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor. |
| ☐ | SV-108685r1_rule | The Jamf Pro EMM server must be configured to leverage the MDM platform user accounts and groups for Jamf Pro EMM server user identification and CAC authentication. |
| ☐ | SV-108687r1_rule | Authentication of Jamf Pro EMM server accounts must be configured so they are implemented either via an Authentication Gateway Service (AGS) which connects to the site DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or via strong password controls for the administrator local accounts. |
| ☐ | SV-108689r1_rule | The Jamf Pro EMM server platform must be protected by a DoD-approved firewall. |
| ☐ | SV-108691r1_rule | The firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions. |
| ☐ | SV-108693r1_rule | The firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services). |
| ☐ | SV-108695r1_rule | The Jamf Pro EMM server must connect to [Authentication Gateway Service (AGS)] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. |
| ☐ | SV-108697r1_rule | All Jamf Pro EMM server local accounts created during application installation and configuration must be disabled. |
| ☐ | SV-108701r1_rule | Jamf Pro EMM must be maintained at a supported version. |
| ☐ | SV-108703r1_rule | The default mysql_secure_installation must be installed. |
| ☐ | SV-108705r1_rule | A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM. |
| ☐ | SV-108707r1_rule | Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM. |
| ☐ | SV-108709r1_rule | MySQL database backups must be scheduled in Jamf Pro EMM. |
| ☐ | SV-108711r1_rule | The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM. |
| ☐ | SV-108713r1_rule | The Jamf Pro EMM local accounts password must be configured with length of 15 characters. |
| ☐ | SV-108715r1_rule | The Jamf Pro EMM local accounts must be configured with at least one lowercase character. |
| ☐ | SV-108717r1_rule | The Jamf Pro EMM local accounts must be configured with at least one uppercase character. |
| ☐ | SV-108719r1_rule | The Jamf Pro EMM local accounts must be configured with at least one number. |
| ☐ | SV-108721r1_rule | The Jamf Pro EMM local accounts must be configured with at least one special character. |
| ☐ | SV-108723r1_rule | The Jamf Pro EMM local accounts must be configured with password minimum lifetime of 24 hours. |
| ☐ | SV-108725r1_rule | The Jamf Pro EMM local accounts must be configured with password maximum lifetime of 3 months. |
| ☐ | SV-108727r1_rule | The Jamf Pro EMM local accounts must prohibit password reuse for a minimum of five generations. |
| ☐ | SV-108729r1_rule | The Jamf Pro EMM must automatically disable accounts after a 35 day period of account inactivity (local accounts). |
| ☐ | SV-108731r1_rule | The Jamf Pro EMM must enforce the limit of three consecutive invalid logon attempts by a user. |
STIGQter: STIG Summary: