
STIGhub


Ivanti EPMM Server Security Technical Implementation Guide

Version: V3R1
Release Date: Jul 30, 2024
SCAP Benchmark ID: Ivanti_MI_Core_MDM_Server_STIG
Total Checks: 26
Tags: other
CAT I: 5, CAT II: 21, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (26)

  • V-251400 (MEDIUM): The Ivanti EPMM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
  • V-251401 (MEDIUM): The Ivanti EPMM server must initiate a session lock after a 15-minute period of inactivity.
  • V-251402 (MEDIUM): The Ivanti EPMM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-251403 (MEDIUM): The Ivanti EPMM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
  • V-251404 (MEDIUM): The Ivanti EPMM server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-251405 (MEDIUM): The Ivanti EPMM server must back up audit records at least every seven days onto a log management server.
  • V-251406 (MEDIUM): The Ivanti EPMM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
  • V-251407 (MEDIUM): The Ivanti EPMM server must enforce a minimum 15-character password length.
  • V-251408 (MEDIUM): The Ivanti EPMM server must prohibit password reuse for a minimum of four generations.
  • V-251409 (MEDIUM): The Ivanti EPMM server must enforce password complexity by requiring that at least one uppercase character be used.
  • V-251410 (MEDIUM): The Ivanti EPMM server must enforce password complexity by requiring that at least one lowercase character be used.
  • V-251411 (MEDIUM): The Ivanti EPMM server must enforce password complexity by requiring that at least one numeric character be used.
  • V-251412 (MEDIUM): The Ivanti EPMM server must enforce password complexity by requiring that at least one special character be used.
  • V-251413 (HIGH): The Ivanti EPMM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
  • V-251414 (MEDIUM): The Ivanti EPMM server must automatically terminate a user session after an organization-defined period of user inactivity.
  • V-251415 (MEDIUM): The Ivanti EPMM server must be configured to transfer Ivanti EPMM server logs to another server for storage, analysis, and reporting. Note: Ivanti EPMM server logs include logs of UEM events and logs transferred to the Ivanti EPMM server by UEM agents of managed devices.
  • V-251416 (HIGH): The Ivanti EPMM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
  • V-251417 (MEDIUM): The Ivanti EPMM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
  • V-251418 (HIGH): The Ivanti EPMM server must be maintained at a supported version.
  • V-251419 (MEDIUM): The Ivanti EPMM server must be configured with the periodicity of the following commands to the agent of six hours or less:
      - query connectivity status
      - query the current version of the managed device firmware/software
      - query the current version of installed mobile applications
      - read audit logs kept by the managed device.
  • V-251420 (HIGH): The Ivanti EPMM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
  • V-251421 (MEDIUM): The Ivanti EPMM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
  • V-251422 (MEDIUM): The Ivanti EPMM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-251423 (HIGH): The Ivanti EPMM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
  • V-251774 (MEDIUM): The Ivanti EPMM server must be configured to lock administrator accounts after three unsuccessful login attempts.
  • V-251777 (MEDIUM): The Ivanti EPMM server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.