{"stig":{"title":"Ivanti MobileIron Core MDM Server Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-251400","ruleId":"SV-251400r806332_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.","description":"Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. \n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. 
\n\nSatisfies: FMT_SMF.1.1(2) b \nReference: PP-MDM-431010","checkContent":"Perform the following procedure to limit concurrent sessions per privileged users:\n\nOn the Admin page for each privileged user, verify Actions Edit Role select \"Enforce single session (all spaces)\" is selected.\n\nIf \"Enforce single session (all spaces)\" is not selected for each user, this is a finding.","fixText":"Use the following procedure to limit the number of concurrent sessions:\n\nIn the Admin Portal, go to \"Admin\" Actions edit Roles \"Enforce single session (all spaces)\".","ccis":["CCI-000054"]},{"vulnId":"V-251401","ruleId":"SV-251401r806335_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must initiate a session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead.\n\nSatisfies: FMT_SMF.1.1(2) c.8 \nReference: PP-MDM-411047","checkContent":"Verify the session timeout is set to 15 minutes or less.\n\nIn the Admin Portal, go to Settings >> General >> Timeout. 
Verify the session timeout is set to 5, 10, or 15.\n\nIf the session timeout is not set to 5, 10, or 15, this is a finding.","fixText":"Configure the session timeout with this procedure:\n\nIn the Admin Portal, go to Settings >> General >> Timeout.\n\nFrom the dropdown menu, choose a timeout value of 5, 10, or 15 minutes.","ccis":["CCI-000057"]},{"vulnId":"V-251402","ruleId":"SV-251402r806338_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.\n\nSatisfies: FMT_SMF.1(2)b.\nReference: PP-MDM-431028","checkContent":"Verify the Ivanti MobileIron Core server is configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.\n\nIn the Core server, navigate to the following: Settings >> Security >> Password Policy.\n\nVerify the number of failed attempts is set to 3 and Auto-Lock Time is set to 900 seconds.\n\nIf the number of failed attempts is not set to 3 and Auto-Lock Time is not set to 900 seconds, this is a finding.","fixText":"Configure the Ivanti MobileIron Core server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.\n\nGo to Settings >> Security >> Password Policy. 
Set Number of Failed attempts to 3 and set Auto-Lock Time to 900 seconds.","ccis":["CCI-000044"]},{"vulnId":"V-251403","ruleId":"SV-251403r806341_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.","description":"Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged 
communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: FTA_TAB.1.1, FMT_SMF.1.1(2) c.2 \nReference: PP-MDM-411056","checkContent":"Review MDM server documentation and configuration settings to determine if the MDM server is using the warning banner and the wording of the banner is the required text.\n\nOn the MDM console, do the following:\n1. Connect to the MobileIron Core Server using SSH.\n2. Type in a user name and press enter.\n3. Verify the required banner is displayed before the password prompt. The required text is found in the Vulnerability Discussion.\nIf the required banner is not presented, this is a finding.\n\n1. Connect to the MobileIron Core Server system manager portal using a web browser.\n2. Verify the required banner is displayed on the web page. The required text is found in the Vulnerability Discussion.\nIf the required banner is not presented, this is a finding.\n\n1. Connect to the MobileIron Core Server administrator portal using a web browser.\n2. Verify the required banner is displayed on the web page.\nIf the required banner is not presented, this is a finding.","fixText":"Configure the MDM server to display the appropriate warning banner text.\n\nOn the MDM console, do the following:\n1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.\n2. Select Settings on the web page.\n3. Select General on the web page.\n4. Select Login on the web page.\n5. Check the \"Enable Login Text Box\" on the web page.\n6. 
Type the required banner text in the \"Text to Display\" dialog on the web page.\n7. Select \"Save\" on the web page.","ccis":["CCI-000048"]},{"vulnId":"V-251404","ruleId":"SV-251404r806344_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. 
\n\nSatisfies: FAU_ALT_EXT.1.1 \nReference: PP-MDM-412059","checkContent":"Verify Core is configured to alert the ISSO and SA in the event of an audit processing failure:\n\nIn the Core console, go to Logs >> Event Settings >> Add New System Event.\n\nVerify System Storage Threshold has been reached is checked.\n\nIf System Storage Threshold has been reached is not checked, this is a finding.","fixText":"Configure Core to alert the ISSO and SA in the event of an audit processing failure:\n\nLogs >> Event Settings >> Add New System Event >> ensure System Storage Threshold has been reached is checked.","ccis":["CCI-000139"]},{"vulnId":"V-251405","ruleId":"SV-251405r806347_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must back up audit records at least every seven days onto a log management server.","description":"Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media from the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained.\n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.\n\nSatisfies: FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b","checkContent":"Verify that Splunk is configured for automated log export.\n\nStep 1: Verify the Splunk Forwarder is enabled.\n1. Log in to System Manager.\n2. Go to Settings >> Services.\n3. Verify that the \"Enable\" toggle is ON and \"Running\" is displayed.\nIf \"Enable\" toggle is not ON or \"Running\" is not displayed, this is a finding.\n\nStep 2: Verify that Splunk Indexer is configured.\n1. 
Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Indexer.\n3. Verify that there is an entry and the Status is \"Connected\".\nIf there is no entry for Splunk Indexer or the Status is \"Not Connected\", this is a finding.\n\nStep 3: Verify \"Audit Log\" is enabled in the Splunk \"data to index\".\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Data to open the \"Data to Index\" window.\n3. Verify \"Audit Log\" is included in the \"Data To Index\".\nIf \"Audit Log\" is not included in the \"Data To Index\", this is a finding.\n\nNote: Syslog can be used instead of Splunk.","fixText":"Complete the following activities to configure the transfer of MobileIron Core 10 server logs:\n\nConfigure Splunk for automated log export:\n\nStep 1: Enable Core to turn on the Splunk Forwarder so it can push data to the Splunk Indexer.\n\nTo enable the Splunk Forwarder:\n1. Log in to System Manager.\n2. Go to Settings >> Services.\n3. Select \"Enable\" next to Splunk Forwarder.\n4. Click Apply >> OK to save the changes.\n\nStep 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder.\n\nTo add a Splunk Indexer:\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Indexer.\n3. Click \"Add\" to open the Add Splunk Indexer window.\n4. Modify the fields as necessary in the \"Add Splunk Indexer\" window. The following are fields and descriptions in the Add Splunk Indexer window:\n- Splunk Indexer - Add the IP address of your Splunk Enterprise Server.\n- Port - Add the port of your Splunk Enterprise Server.\n- Enable SSL - Click this check box to enable SSL.\n5. Click Apply >> OK to save the changes.\n\nStep 3: Configure Splunk Data to configure which data Splunk Forwarder sends to the Splunk Indexer.\n\nTo configure Splunk Data:\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Data to open the \"Data to Index\" window.\n3. 
Modify the fields as necessary.\n- Click \"Show/Hide Advanced Options\" to further customize which data to send to Splunk.\n- Check \"Audit Log\" at a minimum.\n4. Click Apply >> OK.\n5. Restart the Splunk Forwarder by disabling it and then enabling it again.\n  a. Go to Settings >> Services.\n  b. Select \"Disable\" next to Splunk Forwarder.\n  c. Click Apply >> OK.\n  d. Select \"Enable\" next to Splunk Forwarder.\n6. Click Apply >> OK to save the changes.\n\nNote: Syslog can be used instead of Splunk.","ccis":["CCI-001348"]},{"vulnId":"V-251406","ruleId":"SV-251406r806350_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). \n\nSatisfies: FIA \nReference: PP-MDM-414003","checkContent":"On the MDM console, do the following:\n1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.\n2. Select \"Services\" on the web page.\n3. Select \"LDAP\" on the web page.\n4. Click the edit icon on an existing LDAP configuration to be tested.\n5. Select \"Test\" on the LDAP server configuration dialog.\n6. Enter a valid LDAP user ID and select \"Submit\".\n7. 
Verify the LDAP query is successful and shows user attributes in a dialog box.\n\nNote: All administrator accounts must be configured for LDAP authentication unless a select number of local accounts have been approved by the AO. Verify AO approval if local accounts (not using LDAP authentication) are configured on the Core server.\n\nIf the MDM server does not leverage the MDM platform user accounts and groups for MDM server user identification and authentication, this is a finding.","fixText":"Configure the MDM server to leverage the MDM platform user accounts and groups for MDM server user identification and authentication.\n\nOn the MDM console, do the following:\n1. Log in to the MobileIron Core Server administrator portal as a user with the security configuration administrator role using a web browser.\n2. Select \"Services\" on the web page.\n3. Select \"LDAP\" on the web page.\n4. Select \"Add New\" (or click the edit icon on an existing LDAP configuration).\n5. Complete the LDAP configuration dialog providing the URL for the LDAP server, alternate URL if there is a backup LDAP server, user ID and password for the LDAP server, and for additional settings see \"Configuring LDAP Servers\" section in the On-Premise Installation Guide.\n6. Select \"Save\" to save the LDAP configuration.\n\nNote: All administrator accounts will be configured to use LDAP-based authentication, unless there is an operational need for a select number of local accounts, with the approval of the AO.","ccis":["CCI-000765"]},{"vulnId":"V-251407","ruleId":"SV-251407r806353_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nSatisfies: FMT_SMF.1(2)b \nReference: PP-MDM-431018","checkContent":"Verify a 15-character length for local user accounts has been configured:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Verify the Min Password Length is set to 15.\n\n If the Min Password Length is not set to 15, this is a finding.","fixText":"Configure a 15-character length for local user accounts:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Set Min Password Length to 15.","ccis":["CCI-000205"]},{"vulnId":"V-251408","ruleId":"SV-251408r806356_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must prohibit password reuse for a minimum of four generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals.\n\nIf the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.\n\nSatisfies: FMT_SMF.1(2)b \nReference: PP-MDM-431025","checkContent":"Verify Core is configured to enforce password history reuse of four last passwords:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. 
Verify \"Enforce Password History (Last 4 passwords)\" is enabled.\n\n If \"Enforce Password History (Last 4 passwords)\" is not enabled, this is a finding.","fixText":"Configure Core to enforce password history reuse of four last passwords:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Check \"Enable\" for \"Enforce Password History (Last 4 passwords)\".","ccis":["CCI-000200"]},{"vulnId":"V-251409","ruleId":"SV-251409r806359_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSatisfies: FMT_SMF.1(2)b \nReference: PP-MDM-431020","checkContent":"Verify the local user account uses at least one uppercase character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Verify \"Upper Case\" is checked.\n\n If \"Upper Case\" is not checked, this is a finding.","fixText":"Configure a password with at least one uppercase character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Check \"Upper Case\".","ccis":["CCI-000192"]},{"vulnId":"V-251410","ruleId":"SV-251410r806362_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSatisfies: FMT_SMF.1(2)b \nReference: PP-MDM-431019","checkContent":"Verify the local user account uses at least one lowercase character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Verify \"Lower Case\" is checked.\n\n If \"Lower Case\" is not checked, this is a finding.","fixText":"Configure a password with at least one lowercase character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Check \"Lower Case\".","ccis":["CCI-000193"]},{"vulnId":"V-251411","ruleId":"SV-251411r806365_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSatisfies: FMT_SMF.1(2)b \nReference: PP-MDM-431021","checkContent":"Verify the local user account uses at least one numeric character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Verify \"Numeric\" is checked.\n\n If \"Numeric\" is not checked, this is a finding.","fixText":"Configure a password with at least one numeric character:\n\n1. Log in to the Core console.\n2. 
Security >> Password Policy.\n3. Check \"Numeric\".","ccis":["CCI-000194"]},{"vulnId":"V-251412","ruleId":"SV-251412r806368_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.\n\nSatisfies: FMT_SMF.1(2)b \nReference: PP-MDM-431022","checkContent":"Verify the local user account uses at least one special character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. Verify \"Special\" is checked.\n\n If \"Special\" is not checked, this is a finding.","fixText":"Configure a password with at least one special character:\n\n1. Log in to the Core console.\n2. Security >> Password Policy.\n3. 
Check \"Special\".","ccis":["CCI-001619"]},{"vulnId":"V-251413","ruleId":"SV-251413r806371_rule","severity":"high","ruleTitle":"The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.\n\nNote: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions.\n\nTo protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.\n\nApplications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and computing a checksum). 
For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD.\n\nSeparate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement.\n\nSatisfies: FCS_COP.1.1(2)","checkContent":"Verify MobileIron Core is in FIPS mode. \n\nssh to command line console of the Core. Enable >> show fips. Verify FIPS mode is configured. \n\nIf FIPS mode is not configured, this is a finding.","fixText":"Configure Core to be in FIPS mode.\n\nssh to command line console of the Core. Enable >> show fips. Configure fips >> reload.","ccis":["CCI-000803"]},{"vulnId":"V-251414","ruleId":"SV-251414r806374_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must automatically terminate a user session after an organization-defined period of user inactivity.","description":"Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. 
Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages.\n\nSatisfies: FMT_SMF.1.1(2) b \nReference: PP-MDM-431014","checkContent":"Review the MDM server or platform configuration and verify the server is configured to lock after 15 minutes of inactivity.\n\nIf, in the Admin Portal, Settings >> General >> Timeout is not set to 15 minutes or less, this is a finding.\n\nThe current value for the session timeout will be displayed in minutes.","fixText":"Configure the MDM server or platform to lock the server after 15 minutes of inactivity.\n\nIn the Admin Portal, go to Settings >> General >> Timeout.\n\nFrom the dropdown menu, choose a timeout value of 5, 10, or 15 minutes.","ccis":["CCI-002361"]},{"vulnId":"V-251415","ruleId":"SV-251415r810417_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must be configured to transfer Ivanti MobileIron Core server logs to another 
server for storage, analysis, and reporting. Note: Ivanti MobileIron Core server logs include logs of UEM events and logs transferred to the Ivanti MobileIron Core server by UEM agents of managed devices. ","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nNote: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.\n\nSatisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) \nReference: PP-MDM-411054","checkContent":"Verify that Splunk is configured for automated log export.\n\nStep 1: Verify that the Splunk Forwarder is enabled.\n1. Log in to System Manager.\n2. Go to Settings >> Services.\n3. Verify that the \"Enable\" toggle is ON and \"Running\" is displayed.\nIf \"Enable\" toggle is not ON or \"Running\" is not displayed, this is a finding.\n\nStep 2: Verify that Splunk Indexer is configured.\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Indexer.\n3. Verify that there is an entry and the Status is \"Connected\".\nIf there is no entry for Splunk Indexer or the Status is \"Not Connected\", this is a finding.\n\nStep 3: Verify \"Audit Log\" is enabled in the Splunk \"data to index\".\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Data to open the \"Data to Index\" window.\n3. 
Verify \"Audit Log\" is included in the \"Data To Index\".\nIf \"Audit Log\" is not included in the \"Data To Index\", this is a finding.\n\nNote: Syslog can be used instead of Splunk.","fixText":"Complete the following activities to configure the transfer of MobileIron Core 10 server logs:\n\nConfigure Splunk for automated log export:\n\nStep 1: Enable Core to turn on the Splunk Forwarder so it can push data to the Splunk Indexer.\n\nTo enable the Splunk Forwarder:\n1. Log in to System Manager.\n2. Go to Settings >> Services.\n3. Select \"Enable\" next to Splunk Forwarder.\n4. Click Apply >> OK to save the changes.\n\nStep 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder.\n\nTo add a Splunk Indexer:\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Indexer.\n3. Click \"Add\" to open the Add Splunk Indexer window.\n4. Modify the fields, as necessary, in the \"Add Splunk Indexer\" window. The following fields and descriptions are in the Add Splunk Indexer window:\n- Splunk Indexer - Add the IP address of your Splunk Enterprise Server.\n- Port - Add port of your Splunk Enterprise Server.\n- Enable SSL - Click this check box to enable SSL.\n5. Click Apply >> OK to save the changes.\n\nStep 3: Configure Splunk Data to configure which data Splunk Forwarder sends to the Splunk Indexer.\n\nTo configure Splunk Data:\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Data to open the \"Data to Index\" window.\n3. Modify the fields, as necessary.\n- Click Show/Hide Advanced Options to further customize which data to send to Splunk.\n- Check \"Audit Log\" at a minimum.\n4. Click Apply >> OK.\n5. Restart the Splunk Forwarder by disabling it, then enabling it again.\n  a. Go to Settings >> Services.\n  b. 
Select Disable next to Splunk Forwarder.\n  c. Click Apply >> OK.\n  d. Select Enable next to Splunk Forwarder.\n6. Click Apply >> OK to save the changes.\n\nNote: Syslog can be used instead of Splunk.","ccis":["CCI-001851"]},{"vulnId":"V-251416","ruleId":"SV-251416r806403_rule","severity":"high","ruleTitle":"The Ivanti MobileIron Core server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.","checkContent":"Verify MobileIron Core is in FIPS mode. \n\nssh to command line console of the Core. Enable >> show fips. Verify FIPS mode is configured.\n\nIf FIPS mode is not configured, this is a finding.","fixText":"Configure Core to be in FIPS mode.\n\nssh to command line console of the Core. Enable >> show fips. Configure fips >> reload.","ccis":["CCI-003123"]},{"vulnId":"V-251417","ruleId":"SV-251417r806383_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. 
If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet.\n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).\n\nSatisfies: FIA_X509_EXT.1.1(1)","checkContent":"Verify the MDM server is configured with a TLS server certificate chain to a DoD Certificate Authority.\n\nGo into the Certificate Manager >> System Manager >> Security >> Certificate Management >> Portal HTTPS. Verify DoD certificates are installed.\n\nIf DoD digital certificates are not installed on Core, this is a finding.","fixText":"Install DoD digital certificates.\n\nConfigure the MDM server. System Manager >> Security >> Certificate Management >> Portal HTTPS. Install the DoD certificate chain.","ccis":["CCI-002470"]},{"vulnId":"V-251418","ruleId":"SV-251418r806386_rule","severity":"high","ruleTitle":"The Ivanti MobileIron Core server must be maintained at a supported version.","description":"The UEM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nSatisfies: FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2 \nReference: PP-MDM-414005","checkContent":"Verify the Core server version is a supported version. 
This requirement is Not Applicable for the cloud version of Core.\n\nFind the list of currently supported on-prem versions of Core server here: https://help.ivanti.com/mi/help/en_us/EML/3.16.1/rni/Content/EmailPlusiOSReleaseNotes/Support_and_compatibilit.htm\n\nLog onto the Core console and determine the installed version of Core:\n1. Click on the round person icon in the top right corner of the Core console.\n2. In the drop-down menu, select \"About\".\n3. View the version of Core that is installed.\n4. Verify the version is a supported version.\n\nIf the installed version of the Core server is not a supported version, this is a finding.","fixText":"Update Core to the most current version. If using the cloud version of Core, this requirement is automatically met.","ccis":["CCI-002605"]},{"vulnId":"V-251419","ruleId":"SV-251419r806404_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device. ","description":"Without verification, security functions may not operate correctly and this failure may go unnoticed.<br /><br />Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.<br /><br />This requirement applies to applications performing security functions and the applications performing security function verification/testing.<br /><br />Satisfies: FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3 <br />Reference: PP-MDM-411057","checkContent":"Review the MDM server configuration settings and verify the server is configured with a periodicity for reachable events of six hours or less for the following commands to the agent: \n- query connectivity status;\n- query the current version of the MD firmware/software;\n- query the current version of the hardware model of the device;\n- query the current version of installed mobile applications;\n- read audit logs kept by the MD.\n\nVerify the sync interval for a device:\n1. In the Admin Portal, go to Policies & Config >> Policies.\n2. Select the default sync policy.\n3. Verify that the Sync Interval is set to 360 minutes or less.\n\nIf the Sync Interval is not set to 360 minutes or less, this is a finding.","fixText":"Configure the MDM server with a periodicity for reachable events of six hours or less for the following commands to the agent: \n- query connectivity status;\n- query the current version of the MD firmware/software;\n- query the current version of the hardware model of the device;\n- query the current version of installed mobile applications;\n- read audit logs kept by the MD.\n\nConfigure the sync interval for a device:\nTo configure the frequency for starting the synchronization process between a device and MobileIron Core:\n1. In the Admin Portal, go to Policies & Config >> Policies.\n2. Select the default sync policy.\n3. Set Sync Interval to the number of minutes between synchronizations to be 360 minutes or less.\n4. 
Click \"Save\".","ccis":["CCI-002696"]},{"vulnId":"V-251420","ruleId":"SV-251420r806392_rule","severity":"high","ruleTitle":"The Ivanti MobileIron Core server must use a FIPS-validated cryptographic module to generate cryptographic hashes.","description":"FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard.\n\nThe cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security functions within the product being evaluated.\n\nSatisfies: FCS_COP.1.1(2)","checkContent":"On the MDM console, do the following:\n1. SSH to MobileIron Core Server from any SSH client.\n2. Enter the administrator credentials you set when you installed MobileIron Core.\n3. Enter show fips.\n4. Verify \"FIPS 140 mode is enabled\" is displayed.\n\nIf the MobileIron Core Server does not report that FIPS mode is enabled, this is a finding.","fixText":"Configure the MDM server to use a FIPS 140-2 validated cryptographic module.\n\nOn the MDM console, do the following:\n1. SSH to MobileIron Core Server from any SSH client.\n2. Enter the administrator credentials you set when you installed MobileIron Core.\n3. Enter enable.\n4. When prompted, enter the enable secret you set when you installed MobileIron Core.\n5. Enter configure terminal.\n6. Enter the following command to enable FIPS: fips\n7. 
Enter the following command to proceed with the necessary reload: do reload","ccis":["CCI-002450"]},{"vulnId":"V-251421","ruleId":"SV-251421r806395_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nSatisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) \nReference: PP-MDM-411054","checkContent":"Verify that Splunk is configured for automated log export.\n\nStep 1: Verify that the Splunk Forwarder is enabled.\n1. Log in to System Manager.\n2. Go to Settings >> Services.\n3. Verify that the \"Enable\" toggle is ON and \"Running\" is displayed.\nIf \"Enable\" toggle is not ON or \"Running\" is not displayed, this is a finding.\n\nStep 2: Verify that Splunk Indexer is configured.\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Indexer.\n3. Verify that there is an entry and the Status is \"Connected\".\nIf there is no entry for Splunk Indexer or the Status is \"Not Connected\", this is a finding.\n\nStep 3: Verify \"Audit Log\" is enabled in the Splunk \"data to index\".\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Data to open the \"Data to Index\" window.\n3. Verify \"Audit Log\" is included in the \"Data To Index\".\nIf \"Audit Log\" is not included in the \"Data To Index\", this is a finding.","fixText":"Complete the following activities to configure the transfer of MobileIron Core 11 server logs:\n\nConfigure Splunk for automated log export:\n\nStep 1: Enable Core to turn on the Splunk Forwarder so it can push data to the Splunk Indexer.\n\nTo enable the Splunk Forwarder:\n1. Log in to System Manager.\n2. Go to Settings >> Services.\n3. 
Select \"Enable\" next to Splunk Forwarder.\n4. Click Apply >> OK to save the changes.\n\nStep 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder.\n\nTo add a Splunk Indexer:\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Indexer.\n3. Click \"Add\" to open the Add Splunk Indexer window.\n4. Modify the fields, as necessary, in the \"Add Splunk Indexer\" window. The following fields and descriptions are in the Add Splunk Indexer window:\n- Splunk Indexer - Add the IP address of your Splunk Enterprise Server.\n- Port - Add port of your Splunk Enterprise Server.\n- Enable SSL - Click this check box to enable SSL.\n5. Click Apply >> OK to save the changes.\n\nStep 3: Configure Splunk Data to configure which data Splunk Forwarder sends to the Splunk Indexer.\n\nTo configure Splunk Data:\n1. Log in to System Manager.\n2. Go to Settings >> Data Export >> Splunk Data to open the \"Data to Index\" window.\n3. Modify the fields, as necessary.\n- Click Show/Hide Advanced Options to further customize which data to send to Splunk.\n- Check \"Audit Log\" at a minimum.\n4. Click Apply >> OK.\n5. Restart the Splunk Forwarder by disabling it, then enabling it again.\n  a. Go to Settings >> Services.\n  b. Select Disable next to Splunk Forwarder.\n  c. Click Apply >> OK.\n  d. Select Enable next to Splunk Forwarder.\n6. 
Click Apply >> OK to save the changes.","ccis":["CCI-001851"]},{"vulnId":"V-251422","ruleId":"SV-251422r806398_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.","description":"Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.","checkContent":"Review the MDM server documentation, Mobile Device Management Protection Profile Guide.\n\nIf Core is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.","fixText":"Configure the MDM Server per the Mobile Device Management Protection Profile and this document.","ccis":["CCI-000366"]},{"vulnId":"V-251423","ruleId":"SV-251423r806401_rule","severity":"high","ruleTitle":"The Ivanti MobileIron Core server must be configured to implement FIPS 140-2 mode for all server and agent encryption.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, 
non-organization-controlled network.\n\nA block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication.\n\nAES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.\n\nSatisfies: FCS_COP.1.1(1), FTP_TRP.1.1(1) \nReference: PP-MDM-414001","checkContent":"On the MDM console, do the following:\n1. SSH to MobileIron Core Server from any SSH client.\n2. Enter the administrator credentials you set when you installed MobileIron Core.\n3. Enter show fips.\n4. Verify \"FIPS 140 mode is enabled\" is displayed.\n\nIf the MobileIron Core Server does not report that FIPS mode is enabled, this is a finding.","fixText":"Configure the MDM server to use a FIPS 140-2 validated cryptographic module.\n\nOn the MDM console, do the following:\n1. SSH to MobileIron Core Server from any SSH client.\n2. Enter the administrator credentials you set when you installed MobileIron Core.\n3. Enter enable.\n4. When prompted, enter the enable secret you set when you installed MobileIron Core.\n5. Enter configure terminal.\n6. Enter the following command to enable FIPS: fips\n7. 
Enter the following command to proceed with the necessary reload: do reload","ccis":["CCI-002450"]},{"vulnId":"V-251774","ruleId":"SV-251774r810435_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must be configured to lock administrator accounts after three unsuccessful login attempts.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. <br /><br />Satisfies: FMT_SMF.1(2)b <br />Reference: PP-MDM-431030","checkContent":"Verify the Ivanti MobileIron Core server has been configured to lock administrator accounts after three unsuccessful login attempts.<br /><br />Log in to the Core Admin Console >> Settings >> Security >> Password Policy.<br />Verify \"Number of Failed attempts\" is set to \"3\".<br /><br />If the Ivanti MobileIron Core server does not lock administrator accounts after three unsuccessful login attempts, this is a finding.","fixText":"Configure the Ivanti MobileIron Core server to lock administrator accounts after three unsuccessful login attempts.<br /><br />Log in to the Core Admin Console >> Settings >> Security >> Password Policy.<br />Set \"Number of Failed attempts\" to \"3\".","ccis":["CCI-002238"]},{"vulnId":"V-251777","ruleId":"SV-251777r810439_rule","severity":"medium","ruleTitle":"The Ivanti MobileIron Core server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. 
<br /><br />Satisfies: FMT_SMF.1(2)b <br />Reference: PP-MDM-431030","checkContent":"Verify the Ivanti MobileIron Core server has been configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.<br /><br />Log in to the Core Admin Console >> Settings >> Security >> Password Policy.<br />Verify \"Auto-Lock Time\" is set to 15 minutes (900 seconds).<br /><br />If the Ivanti MobileIron Core server does not lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded, this is a finding.","fixText":"Configure the Ivanti MobileIron Core server to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.<br /><br />Log in to the Core Admin Console >> Settings >> Security >> Password Policy.<br />Set \"Auto-Lock Time\" to 15 minutes (900 seconds).","ccis":["CCI-002238"]}]}