Ivanti MobileIron Sentry 9.x ALG STIG Version Comparison

There are 1 differences between versions v1 r1 (Sept. 14, 2021) (the "left" version) and v2 r1 (July 24, 2024) (the "right" version).

Check MOIS-AL-000900 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Sentry providing mobile device authentication intermediary services must implement multifactor authentication for remote access to non-privileged nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Check Content

If the Sentry does not provide user authentication intermediary services, this is not applicable. Verify the Sentry implements multifactor authentication for remote access to non-privileged nonprivileged accounts. Verify the MobileIron Core has a device-level password policy enforcing password or biometric and is applied to managed devices. This should be done by default. Verify the Sentry is configured for certificate-based authentication. If the Sentry is set up as an intermediary service for backend resources: 1. In the MobileIron Core Portal, select Services >> Sentry. 2. Click the "Edit" icon for the Standalone Sentry entry. 3. In the "Device Authentication Configuration" section, select an option appropriate for this implementation. 4. Depending on the option selected, follow the instructions in one of the following sections to verify the configuration is correct: - Group Certificate - Identity Certificate - Identity Certificate with Kerberos constrained delegation If the "Device Authentication Configuration" is not set up correctly, this is a finding.

Discussion

For remote access to non-privileged nonprivileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD DOD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD DoD-nonpublic nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.

Fix

If user authentication intermediary services are provided, configure the Sentry to implement multifactor authentication for remote access to non-privileged nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. 1. In the MobileIron Core Portal, select Services >> Sentry. 2. Click the "Edit" icon for the Standalone Sentry entry. 3. In the "Device Authentication Configuration" section, select an option appropriate for this implementation. 4. Depending on the option selected, follow the instructions in one of the following section to complete the configuration: - Group Certificate Refer to "Configuring authentication using a group certificate" for next steps. - Identity Certificate Refer to "Configuring authentication using an identity certificate and Pass Through" for next steps. OR Refer to "Configuring authentication using an identity certificate and Kerberos constrained delegation" for next steps. For more information, in the "MobileIron Sentry 9.8.0 Guide for Core", refer to the main section "Device and Server Authentication", which contains the subsection "Configuring device and server authentication".