Ivanti MobileIron Core MDM Server STIG
Ivanti MobileIron Core MDM Server Security Technical Implementation Guide. Version v1 r1, released Nov. 14, 2021.
IMIC-11-008600: The Ivanti MobileIron Core server must be configured to transfer Ivanti MobileIron Core server logs to another server for storage, analysis, and reporting. Note: Ivanti MobileIron Core server logs include logs of UEM events and logs transferred to the Ivanti MobileIron Core server by UEM agents of managed devices.
Verify that Splunk is configured for automated log export.

Step 1: Verify that the Splunk Forwarder is enabled.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Verify that the "Enable" toggle is ON and "Running" is displayed.
If "Enable" toggle is not ON or "Running" is not displayed, this is a finding.

Step 2: Verify that Splunk Indexer is configured.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Verify that there is an entry and the Status is "Connected".
If there is no entry for Splunk Indexer or the Status is "Not Connected", this is a finding.

Step 3: Verify "Audit Log" is enabled in the Splunk "data to index".
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Verify "Audit Log" is included in the "Data To Index".
If "Audit Log" is not included in the "Data To Index", this is a finding.

Note: Syslog can be used instead of Splunk.
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. Satisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference: PP-MDM-411054
Fix
Complete the following activities to configure the transfer of MobileIron Core 10 server logs. Configure Splunk for automated log export:

Step 1: Enable Core to turn on the Splunk Forwarder so it can push data to the Splunk Indexer. To enable the Splunk Forwarder:
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to Splunk Forwarder.
4. Click Apply >> OK to save the changes.

Step 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder. To add a Splunk Indexer:
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the Add Splunk Indexer window.
4. Modify the fields, as necessary, in the "Add Splunk Indexer" window. The following fields and descriptions are in the Add Splunk Indexer window:
   - Splunk Indexer - Add the IP address of your Splunk Enterprise Server.
   - Port - Add port of your Splunk Enterprise Server.
   - Enable SSL - Click this check box to enable SSL.
5. Click Apply >> OK to save the changes.

Step 3: Configure Splunk Data to configure which data Splunk Forwarder sends to the Splunk Indexer. To configure Splunk Data:
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields, as necessary.
   - Click Show/Hide Advanced Options to further customize which data to send to Splunk.
   - Check "Audit Log" at a minimum.
4. Click Apply >> OK.
5. Restart the Splunk Forwarder by disabling it, then enabling it again.
   a. Go to Settings >> Services.
   b. Select Disable next to Splunk Forwarder.
   c. Click Apply >> OK.
   d. Select Enable next to Splunk Forwarder.
6. Click Apply >> OK to save the changes.

Note: Syslog can be used instead of Splunk.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-005000: The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one uppercase character be used.
Verify the local user account uses at least one uppercase character:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Verify "Upper Case" is checked.
If "Upper Case" is not checked, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431020
Fix
Configure a password with at least one uppercase character:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Check "Upper Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-007900: The Ivanti MobileIron Core server must automatically terminate a user session after an organization-defined period of user inactivity.
Review the MDM server or platform configuration and verify the server is configured to lock after 15 minutes of inactivity. If, in the Admin Portal, Settings >> General >> Timeout is not set to 15 minutes or less, this is a finding. The current value for the session timeout will be displayed in minutes.
Discussion
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages. Satisfies: FMT_SMF.1.1(2) b Reference: PP-MDM-431014
Fix
Configure the MDM server or platform to lock the server after 15 minutes of inactivity. In the Admin Portal, go to Settings >> General >> Timeout. From the dropdown menu, choose a timeout value of 5, 10, or 15 minutes.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-010000: The Ivanti MobileIron Core server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
Verify MobileIron Core is in FIPS mode:
1. SSH to the command line console of the Core.
2. Enable >> show fips.
3. Verify FIPS mode is configured.
If FIPS mode is not configured, this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.
Fix
Configure Core to be in FIPS mode:
1. SSH to the command line console of the Core.
2. Enable >> show fips.
3. Configure fips >> reload.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
IMIC-11-008520: The Ivanti MobileIron Core server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.
Verify the Ivanti MobileIron Core server has been configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.
1. Log in to the Core Admin Console >> Settings >> Security >> Password Policy.
2. Verify "Auto-Lock Time" is set to 15 minutes (900 seconds).
If the Ivanti MobileIron Core server does not lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded, this is a finding.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431030
Fix
Configure the Ivanti MobileIron Core server to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.
1. Log in to the Core Admin Console >> Settings >> Security >> Password Policy.
2. Set "Auto-Lock Time" to 15 minutes (900 seconds).
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-010200: The Ivanti MobileIron Core server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
Verify the MDM server is configured with a TLS server certificate chain to a DoD Certificate Authority.
1. Go into the Certificate Manager >> System Manager >> Security >> Certificate Management >> Portal HTTPS.
2. Verify DoD certificates are installed.
If DoD digital certificates are not installed on Core, this is a finding.
Discussion
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). Satisfies: FIA_X509_EXT.1.1(1)
Fix
Install DoD digital certificates and configure the MDM server:
1. Go to System Manager >> Security >> Certificate Management >> Portal HTTPS.
2. Install the DoD certificate chain.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-004950: The Ivanti MobileIron Core server must prohibit password reuse for a minimum of four generations.
Verify Core is configured to enforce password history reuse of four last passwords:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Verify "Enforce Password History (Last 4 passwords)" is enabled.
If "Enforce Password History (Last 4 passwords)" is not enabled, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431025
Fix
Configure Core to enforce password history reuse of four last passwords:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Check "Enable" for "Enforce Password History (Last 4 passwords)".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-008510: The Ivanti MobileIron Core server must be configured to lock administrator accounts after three unsuccessful login attempts.
Verify the Ivanti MobileIron Core server has been configured to lock administrator accounts after three unsuccessful login attempts.
1. Log in to the Core Admin Console >> Settings >> Security >> Password Policy.
2. Verify "Number of Failed attempts" is set to "3".
If the Ivanti MobileIron Core server does not lock administrator accounts after three unsuccessful login attempts, this is a finding.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431030
Fix
Configure the Ivanti MobileIron Core server to lock administrator accounts after three unsuccessful login attempts.
1. Log in to the Core Admin Console >> Settings >> Security >> Password Policy.
2. Set "Number of Failed attempts" to "3".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-004800: The Ivanti MobileIron Core server must enforce a minimum 15-character password length.
Verify a 15-character length for local user accounts has been configured:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Verify the Min Password Length is set to 15.
If the Min Password Length is not set to 15, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431018
Fix
Configure a 15-character length for local user accounts:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Set Min Password Length to 15.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-010800: The Ivanti MobileIron Core server must be maintained at a supported version.
Verify the Core server version is a supported version. This requirement is Not Applicable for the cloud version of Core.

Find the list of currently supported on-prem versions of Core server here: https://help.ivanti.com/mi/help/en_us/EML/3.16.1/rni/Content/EmailPlusiOSReleaseNotes/Support_and_compatibilit.htm

Log onto the Core console and determine the installed version of Core:
1. Click on the round person icon in the top right corner of the Core console.
2. In the drop-down menu, select "About".
3. View the version of Core that is installed.
4. Verify the version is a supported version.
If the installed version of the Core server is not a supported version, this is a finding.
Discussion
The UEM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. Satisfies: FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2 Reference: PP-MDM-414005
Fix
Update Core to the most current version. If using the cloud version of Core, this requirement is automatically met.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
IMIC-11-005100: The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one lowercase character be used.
Verify the local user account uses at least one lowercase character:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Verify "Lower Case" is checked.
If "Lower Case" is not checked, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431019
Fix
Configure a password with at least one lowercase character:
1. Log in to the Core console.
2. Security >> Password Policy.
3. Check "Lower Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-004200: The Ivanti MobileIron Core server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
On the MDM console, do the following:
1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.
2. Select "Services" on the web page.
3. Select "LDAP" on the web page.
4. Click the edit icon on an existing LDAP configuration to be tested.
5. Select "Test" on the LDAP server configuration dialog.
6. Enter a valid LDAP user ID and select "Submit".
7. Verify the LDAP query is successful and shows user attributes in a dialog box.

Note: All administrator accounts must be configured for LDAP authentication unless a select number of local accounts have been approved by the AO. Verify AO approval if local accounts (not using LDAP authentication) are configured on the Core server.

If the MDM server does not leverage the MDM platform user accounts and groups for MDM server user identification and authentication, this is a finding.
Discussion
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). Satisfies: FIA Reference: PP-MDM-414003
Fix
Configure the MDM server to leverage the MDM platform user accounts and groups for MDM server user identification and authentication. On the MDM console, do the following:
1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.
2. Select "Services" on the web page.
3. Select "LDAP" on the web page.
4. Select "Add New" (or click the edit icon on an existing LDAP configuration).
5. Complete the LDAP configuration dialog providing the URL for the LDAP server, alternate URL if there is a backup LDAP server, user ID and password for the LDAP server, and for additional settings see "Configuring LDAP Servers" section in the On-Premise Installation Guide.
6. Select "Save" to save the LDAP configuration.

Note: All administrator accounts will be configured to use LDAP-based authentication, unless there is an operational need for a select number of local accounts, with the approval of the AO.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-003000: The Ivanti MobileIron Core server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
Verify Core is configured to alert the ISSO and SA in the event of an audit processing failure:
1. In the Core console, go to Logs >> Event Settings >> Add New System Event.
2. Verify "System Storage Threshold has been reached" is checked.
If "System Storage Threshold has been reached" is not checked, this is a finding.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Satisfies: FAU_ALT_EXT.1.1 Reference: PP-MDM-412059
Fix
Configure Core to alert the ISSO and SA in the event of an audit processing failure:
1. Go to Logs >> Event Settings >> Add New System Event.
2. Ensure "System Storage Threshold has been reached" is checked.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-001500: The Ivanti MobileIron Core server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
Review MDM server documentation and configuration settings to determine if the MDM server is using the warning banner and the wording of the banner is the required text. On the MDM console, do the following:

1. Connect to the MobileIron Core Server using SSH.
2. Type in a user name and press enter.
3. Verify the required banner is displayed before the password prompt. The required text is found in the Vulnerability Discussion.
If the required banner is not presented, this is a finding.

1. Connect to the MobileIron Core Server system manager portal using a web browser.
2. Verify the required banner is displayed on the web page. The required text is found in the Vulnerability Discussion.
If the required banner is not presented, this is a finding.

1. Connect to the MobileIron Core Server administrator portal using a web browser.
2. Verify the required banner is displayed on the web page.
If the required banner is not presented, this is a finding.
Discussion
Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies: FTA_TAB.1.1, FMT_SMF.1.1(2) c.2 Reference: PP-MDM-411056
Fix
Configure the MDM server to display the appropriate warning banner text. On the MDM console, do the following:
1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.
2. Select Settings on the web page.
3. Select General on the web page.
4. Select Login on the web page.
5. Check the "Enable Login Text Box" on the web page.
6. Type the required banner text in the "Text to Display" dialog on the web page.
7. Select "Save" on the web page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-006400: The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
Verify MobileIron Core is in FIPS mode:
1. SSH to the command line console of the Core.
2. Enable >> show fips.
3. Verify FIPS mode is configured.
If FIPS mode is not configured, this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. Applications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and use for compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD. Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement. Satisfies: FCS_COP.1.1(2)
Fix
Configure Core to be in FIPS mode:
1. SSH to the command line console of the Core.
2. Enable >> show fips.
3. Configure fips >> reload.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
IMIC-11-000100: The Ivanti MobileIron Core server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
Perform the following procedure to verify concurrent sessions are limited for privileged users: On the Admin page, for each privileged user, select Actions >> Edit Role and verify "Enforce single session (all spaces)" is selected. If "Enforce single session (all spaces)" is not selected for each user, this is a finding.
Discussion
Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. Satisfies: FMT_SMF.1.1(2) b Reference: PP-MDM-431010
Fix
Use the following procedure to limit the number of concurrent sessions: In the Admin Portal, go to "Admin", select the privileged user, select Actions >> Edit Roles, and check "Enforce single session (all spaces)".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-012600: The Ivanti MobileIron Core server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
Review the MDM server documentation, Mobile Device Management Protection Profile Guide. If Core is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.
Discussion
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Fix
Configure the MDM Server per the Mobile Device Management Protection Profile and this document.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-003500: The Ivanti MobileIron Core server must back up audit records at least every seven days onto a log management server.
Verify that Splunk is configured for automated log export.

Step 1: Verify the Splunk Forwarder is enabled.
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Verify that the "Enable" toggle is ON and "Running" is displayed.
If "Enable" toggle is not ON or "Running" is not displayed, this is a finding.

Step 2: Verify that Splunk Indexer is configured.
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Verify that there is an entry and the Status is "Connected".
If there is no entry for Splunk Indexer or the Status is "Not Connected", this is a finding.

Step 3: Verify "Audit Log" is enabled in the Splunk "data to index".
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Verify "Audit Log" is included in the "Data To Index".
If "Audit Log" is not included in the "Data To Index", this is a finding.

Note: Syslog can be used instead of Splunk.
Discussion
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media from the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. Satisfies: FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b
Fix
Complete the following activities to configure the transfer of MobileIron Core 10 server logs: Configure Splunk for automated log export: Step 1: Enable the Splunk Forwarder on Core so it can push data to the Splunk Indexer. To enable the Splunk Forwarder: 1. Log in to System Manager. 2. Go to Settings >> Services. 3. Select "Enable" next to Splunk Forwarder. 4. Click Apply >> OK to save the changes. Step 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and process the data from the Splunk Forwarder. To add a Splunk Indexer: 1. Log in to System Manager. 2. Go to Settings >> Data Export >> Splunk Indexer. 3. Click "Add" to open the Add Splunk Indexer window. 4. Modify the fields as necessary in the "Add Splunk Indexer" window. The following are the fields and descriptions in the Add Splunk Indexer window: - Splunk Indexer - Add the IP address of your Splunk Enterprise Server. - Port - Add the port of your Splunk Enterprise Server. - Enable SSL - Click this check box to enable SSL, so that the audit data is encrypted in transit between the forwarder and the indexer. 5. Click Apply >> OK to save the changes. Step 3: Configure Splunk Data to select which data the Splunk Forwarder sends to the Splunk Indexer. To configure Splunk Data: 1. Log in to System Manager. 2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window. 3. Modify the fields as necessary. - Click "Show/Hide Advanced Options" to further customize which data to send to Splunk. - Check "Audit Log" at a minimum. 4. Click Apply >> OK. 5. Restart the Splunk Forwarder by disabling it and then enabling it again. a. Go to Settings >> Services. b. Select "Disable" next to Splunk Forwarder. c. Click Apply >> OK. d. Select "Enable" next to Splunk Forwarder. 6. Click Apply >> OK to save the changes. Note: Syslog can be used instead of Splunk.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-012500: The Ivanti MobileIron Core server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
Verify that Splunk is configured for automated log export. Step 1: Verify that the Splunk Forwarder is enabled. 1. Log in to System Manager. 2. Go to Settings >> Services. 3. Verify that the "Enable" toggle is ON and "Running" is displayed. If the "Enable" toggle is not ON or "Running" is not displayed, this is a finding. Step 2: Verify that a Splunk Indexer is configured. 1. Log in to System Manager. 2. Go to Settings >> Data Export >> Splunk Indexer. 3. Verify that there is an entry and the Status is "Connected". If there is no entry for Splunk Indexer or the Status is "Not Connected", this is a finding. Step 3: Verify "Audit Log" is enabled in the Splunk "Data to Index". 1. Log in to System Manager. 2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window. 3. Verify "Audit Log" is included in the "Data To Index". If "Audit Log" is not included in the "Data To Index", this is a finding.
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference: PP-MDM-411054
Fix
Complete the following activities to configure the transfer of MobileIron Core 11 server logs: Configure Splunk for automated log export: Step 1: Enable the Splunk Forwarder on Core so it can push data to the Splunk Indexer. To enable the Splunk Forwarder: 1. Log in to System Manager. 2. Go to Settings >> Services. 3. Select "Enable" next to Splunk Forwarder. 4. Click Apply >> OK to save the changes. Step 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and process the data from the Splunk Forwarder. To add a Splunk Indexer: 1. Log in to System Manager. 2. Go to Settings >> Data Export >> Splunk Indexer. 3. Click "Add" to open the Add Splunk Indexer window. 4. Modify the fields as necessary in the "Add Splunk Indexer" window. The following are the fields and descriptions in the Add Splunk Indexer window: - Splunk Indexer - Add the IP address of your Splunk Enterprise Server. - Port - Add the port of your Splunk Enterprise Server. - Enable SSL - Click this check box to enable SSL. 5. Click Apply >> OK to save the changes. Step 3: Configure Splunk Data to select which data the Splunk Forwarder sends to the Splunk Indexer. To configure Splunk Data: 1. Log in to System Manager. 2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window. 3. Modify the fields as necessary. - Click "Show/Hide Advanced Options" to further customize which data to send to Splunk. - Check "Audit Log" at a minimum. 4. Click Apply >> OK. 5. Restart the Splunk Forwarder by disabling it and then enabling it again. a. Go to Settings >> Services. b. Select "Disable" next to Splunk Forwarder. c. Click Apply >> OK. d. Select "Enable" next to Splunk Forwarder. 6. Click Apply >> OK to save the changes.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-000300: The Ivanti MobileIron Core server must initiate a session lock after a 15-minute period of inactivity.
Verify the session timeout is set to 15 minutes or less. In the Admin Portal, go to Settings >> General >> Timeout. Verify the session timeout is set to 5, 10, or 15. If the session timeout is not set to 5, 10, or 15, this is a finding.
Discussion
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead. Satisfies: FMT_SMF.1.1(2) c.8 Reference: PP-MDM-411047
Fix
Configure the session timeout with this procedure: In the Admin Portal, go to Settings >> General >> Timeout. From the dropdown menu, choose a timeout value of 5, 10, or 15 minutes.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-005200: The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one numeric character be used.
Verify the password policy requires at least one numeric character: 1. Log in to the Core console. 2. Go to Security >> Password Policy. 3. Verify "Numeric" is checked. If "Numeric" is not checked, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431021
Fix
Configure the password policy to require at least one numeric character: 1. Log in to the Core console. 2. Go to Security >> Password Policy. 3. Check "Numeric".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-005300: The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one special character be used.
Verify the password policy requires at least one special character: 1. Log in to the Core console. 2. Go to Security >> Password Policy. 3. Verify "Special" is checked. If "Special" is not checked, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Satisfies: FMT_SMF.1(2)b Reference: PP-MDM-431022
Fix
Configure the password policy to require at least one special character: 1. Log in to the Core console. 2. Go to Security >> Password Policy. 3. Check "Special".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-012400: The Ivanti MobileIron Core server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
On the MDM console, do the following: 1. SSH to the MobileIron Core server from any SSH client. 2. Enter the administrator credentials you set when you installed MobileIron Core. 3. Enter "show fips". 4. Verify "FIPS 140 mode is enabled" is displayed. If the MobileIron Core server does not report that FIPS mode is enabled, this is a finding.
Discussion
FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security functions within the product being evaluated. Satisfies: FCS_COP.1.1(2)
Fix
Configure the MDM server to use a FIPS 140-2 validated cryptographic module. On the MDM console, do the following: 1. SSH to the MobileIron Core server from any SSH client. 2. Enter the administrator credentials you set when you installed MobileIron Core. 3. Enter "enable". 4. When prompted, enter the enable secret you set when you installed MobileIron Core. 5. Enter "configure terminal". 6. Enter the following command to enable FIPS: fips 7. Enter the following command to proceed with the necessary reload: do reload Note: the reload restarts the Core server, so schedule this change for a maintenance window and confirm with "show fips" after the server comes back up.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
IMIC-11-012800: The Ivanti MobileIron Core server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
On the MDM console, do the following: 1. SSH to the MobileIron Core server from any SSH client. 2. Enter the administrator credentials you set when you installed MobileIron Core. 3. Enter "show fips". 4. Verify "FIPS 140 mode is enabled" is displayed. 5. If the MobileIron Core server does not report that FIPS mode is enabled, this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. A block cipher mode is an algorithm that uses a symmetric-key block cipher to provide an information service, such as confidentiality or authentication. AES is the FIPS-validated block cipher algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. Satisfies: FCS_COP.1.1(1), FTP_TRP.1.1(1) Reference: PP-MDM-414001
Fix
Configure the MDM server to use a FIPS 140-2 validated cryptographic module. On the MDM console, do the following: 1. SSH to the MobileIron Core server from any SSH client. 2. Enter the administrator credentials you set when you installed MobileIron Core. 3. Enter "enable". 4. When prompted, enter the enable secret you set when you installed MobileIron Core. 5. Enter "configure terminal". 6. Enter the following command to enable FIPS: fips 7. Enter the following command to proceed with the necessary reload: do reload
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
IMIC-11-010900: The Ivanti MobileIron Core server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.
Review the MDM server configuration settings and verify the server is configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of the hardware model of the device; - query the current version of installed mobile applications; - read audit logs kept by the MD. Verify the sync interval for a device: 1. In the Admin Portal, go to Policies & Config >> Policies. 2. Select the default sync policy. 3. Verify that the Sync Interval is set to 360 minutes or less. If the Sync interval is not set to 360 minutes or less, this is a finding.
Discussion
Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to applications performing security functions and the applications performing security function verification/testing. Satisfies: FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3 Reference: PP-MDM-411057
Fix
Configure the MDM server with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of the hardware model of the device; - query the current version of installed mobile applications; - read audit logs kept by the MD. Configure the sync interval for a device: To configure the frequency for starting the synchronization process between a device and MobileIron Core: 1. In the Admin Portal, go to Policies & Config >> Policies. 2. Select the default sync policy. 3. Set Sync Interval, the number of minutes between synchronizations, to 360 minutes or less. 4. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
IMIC-11-001400: The Ivanti MobileIron Core server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
Verify the Ivanti MobileIron Core server is configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. In the Core server, navigate to the following: Settings >> Security >> Password Policy. Verify the number of failed attempts is set to 3 and Auto-Lock Time is set to 900 seconds. If the number of failed attempts is not set to 3 or Auto-Lock Time is not set to 900 seconds, this is a finding.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies: FMT_SMF.1(2)b. Reference: PP-MDM-431028
Fix
Configure the Ivanti MobileIron Core server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. Go to Settings >> Security >> Password Policy. Set Number of Failed attempts to 3 and set Auto-Lock Time to 900 seconds.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
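Every check on this page reduces to a pass/fail condition on a small set of server settings: the Splunk Forwarder state, the indexer status, the "Data To Index" selection, the session timeout, the password policy boxes, the "show fips" output, the sync interval, and the lockout counters. The Python module below is an added example, not DISA's or Ivanti's code, that encodes those conditions as an automated evaluator keyed by the STIG IDs on this page (IMIC-11-003500 and IMIC-11-012500 for log export, IMIC-11-000300, -005200, -005300, -012400, -012800, -010900 and -001400). The CoreSnapshot field names are assumptions: this example does not query Core, so an operator is assumed to have recorded the values from System Manager, the Admin Portal and the SSH "show fips" output. The two sample snapshots at the bottom are constructed, not captured from a real server.

```python
"""Evaluate Ivanti MobileIron Core STIG checks against a recorded settings snapshot.

Added example. The CoreSnapshot field names are assumptions; the values are
what an operator reads from System Manager, the Admin Portal and "show fips".
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class CoreSnapshot:
    # System Manager >> Settings >> Services and >> Data Export (assumed field names)
    splunk_forwarder_enabled: bool
    splunk_forwarder_running: bool
    splunk_indexer_status: Optional[str]   # "Connected", "Not Connected", or None when no entry
    splunk_data_to_index: list[str]
    # Admin Portal >> Settings >> General >> Timeout
    session_timeout_minutes: int
    # Core console >> Security >> Password Policy
    password_numeric: bool
    password_special: bool
    failed_attempts: int
    auto_lock_seconds: int
    # Raw text returned by "show fips" over SSH
    show_fips_output: str
    # Admin Portal >> Policies & Config >> Policies >> default sync policy
    sync_interval_minutes: int


LOG_EXPORT_RULES = ("IMIC-11-003500", "IMIC-11-012500")
FIPS_RULES = ("IMIC-11-012400", "IMIC-11-012800")
ALLOWED_TIMEOUTS = (5, 10, 15)


def fips_mode_enabled(show_fips_output: str) -> bool:
    """True when the CLI output contains the phrase the STIG check looks for.

    Whitespace is normalised so wrapped or padded terminal output still matches.
    """
    text = " ".join(show_fips_output.split()).lower()
    return "fips 140 mode is enabled" in text


def log_export_findings(s: CoreSnapshot) -> list[str]:
    """The three log-export conditions; any one failing is a finding."""
    out: list[str] = []
    if not (s.splunk_forwarder_enabled and s.splunk_forwarder_running):
        out.append("Splunk Forwarder is not enabled and running")
    if s.splunk_indexer_status is None:
        out.append("no Splunk Indexer entry")
    elif s.splunk_indexer_status != "Connected":
        out.append(f"Splunk Indexer status is {s.splunk_indexer_status!r}, not 'Connected'")
    if "Audit Log" not in s.splunk_data_to_index:
        out.append("'Audit Log' is not included in Data To Index")
    return out


def evaluate(s: CoreSnapshot) -> dict[str, list[str]]:
    """Map each STIG ID to its findings; an empty list means the check passed."""
    findings: dict[str, list[str]] = {}

    log_export = log_export_findings(s)
    for rule in LOG_EXPORT_RULES:          # same settings satisfy both requirements
        findings[rule] = list(log_export)

    findings["IMIC-11-000300"] = (
        [] if s.session_timeout_minutes in ALLOWED_TIMEOUTS
        else [f"session timeout is {s.session_timeout_minutes}, not 5, 10 or 15 minutes"]
    )
    findings["IMIC-11-005200"] = [] if s.password_numeric else ["'Numeric' is not checked"]
    findings["IMIC-11-005300"] = [] if s.password_special else ["'Special' is not checked"]

    fips = [] if fips_mode_enabled(s.show_fips_output) else ["'show fips' does not report FIPS 140 mode enabled"]
    for rule in FIPS_RULES:                # both FIPS requirements use the same check
        findings[rule] = list(fips)

    findings["IMIC-11-010900"] = (
        [] if s.sync_interval_minutes <= 360
        else [f"sync interval is {s.sync_interval_minutes} minutes, more than 360"]
    )

    # Both values must be right: a wrong count OR a wrong lock time is a finding.
    lockout: list[str] = []
    if s.failed_attempts != 3:
        lockout.append(f"number of failed attempts is {s.failed_attempts}, not 3")
    if s.auto_lock_seconds != 900:
        lockout.append(f"Auto-Lock Time is {s.auto_lock_seconds} seconds, not 900")
    findings["IMIC-11-001400"] = lockout
    return findings


def open_findings(s: CoreSnapshot) -> list[str]:
    """Sorted STIG IDs that are findings, for a quick pass/fail summary."""
    return sorted(rule for rule, msgs in evaluate(s).items() if msgs)


# Constructed snapshots for illustration; not captured from a real Core server.
COMPLIANT = CoreSnapshot(
    splunk_forwarder_enabled=True, splunk_forwarder_running=True,
    splunk_indexer_status="Connected", splunk_data_to_index=["Audit Log"],
    session_timeout_minutes=15,
    password_numeric=True, password_special=True, failed_attempts=3, auto_lock_seconds=900,
    show_fips_output="FIPS 140 mode is enabled\n",
    sync_interval_minutes=240,
)

NONCOMPLIANT = CoreSnapshot(
    splunk_forwarder_enabled=True, splunk_forwarder_running=False,
    splunk_indexer_status="Not Connected", splunk_data_to_index=[],
    session_timeout_minutes=30,
    password_numeric=True, password_special=False, failed_attempts=5, auto_lock_seconds=900,
    show_fips_output="FIPS 140 mode is disabled\n",
    sync_interval_minutes=1440,
)

if __name__ == "__main__":
    for rule, msgs in evaluate(NONCOMPLIANT).items():
        print(rule, "FINDING" if msgs else "pass", "; ".join(msgs))
```

The lockout rule is written so that either value being wrong produces a finding, which is the intended reading of IMIC-11-001400 (both 3 attempts and a 900-second lock are required). Running the module prints one line per STIG ID for the non-compliant snapshot; swapping in a snapshot filled from a real server gives a repeatable pre-audit pass over the same checks an assessor performs by hand.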