Free DISA STIG and SRG Library | Vaulted

Good for Enterprise 8.x Security Technical Implementation Guide

Version 1 Release 2
2017-10-27
U_Good_for_Enterprise_8-x_STIG_V1R2_Manual-xccdf.xml
Developed by Good Technology in coordination with DISA for the DoD.

Vulnerabilities (66)

The Good Mobility Suite must implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.

Finding ID
GOOD-00-000010
Rule ID
SV-67235r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000062-MDM-000003-SRV
CCI
CCI-000037
Target Key
(None)
Documentable
No
Discussion

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and a non-privileged account. It is recommended that the following or similar roles be supported:
1) Good Mobility Suite administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
2) Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and for setting up and maintaining mobile device security policies.
3) Device management administrator (technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
4) Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Fix Text

Configure the Good Mobility Suite to implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.
- Launch the Good Mobile Control Web console and select the Roles tab.
- Validate that administrative users are assigned to different roles based upon job function as defined by local policy:
  Service Administrator - service account super-user
  Administrator - server administrator
  Helpdesk - add/remove users
  Self-service - users take action on their own devices - DO NOT USE

Check Content

Review the Good Mobility Suite configuration to determine if separation of administrator duties has been implemented by assigning a specific role to each administrator account. Otherwise, this is a finding.

The Good Mobility Suite server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.

Finding ID
GOOD-00-000650
Rule ID
SV-67243r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000237-MDM-000176-MDIS
CCI
CCI-001274
Target Key
(None)
Documentable
No
Discussion

Successful incident response and auditing rely on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Alerting the Good Mobility Suite mitigates the potential for attacks that trigger integrity failures to have further consequences for the enterprise.

Fix Text

Configure the Good Mobility Suite server to accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.
- Good logs are saved in standard .log format. The default location for these logs is the Log directory under the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows the data to be consumed by any third-party syslog tool.
- Refer to the third-party tool's documentation to configure the required alerts/notifications.
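The fix text leaves the "consume the .log files with a syslog tool" step to the reader. The following is an added example of that step, not Good Technology code and not the product's own log format: it parses log lines, keeps only those that look like a device integrity-check failure, and renders them as RFC 5424 syslog messages with the severity raised to ALERT so a collector can page on them. The line layout matched by LINE_RE, the failure wording matched by INTEGRITY_RE, the hostname, the structured-data ID and the backslash form of the Log directory path are assumptions; the sample log excerpt is constructed, not captured from a server.

```python
"""Forward Good Mobile Control log lines that indicate a mobile OS integrity-check
failure to a syslog collector as RFC 5424 messages.

Added example, not Good Technology code. The line layout matched by LINE_RE, the
integrity-failure wording matched by INTEGRITY_RE, the hostname and the
structured-data ID are assumptions; confirm them against the real files in the
Log directory before relying on the filter.
"""
import re
import socket
from datetime import datetime, timezone

# Default log location named in the STIG fix text (assumed unchanged on install).
DEFAULT_LOG_DIR = r"C:\Program Files (x86)\Good Technology\Good Mobile Control\Log"

# Assumed line layout: "<date> <time> <LEVEL> [<component>] <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<component>[^\]]+)\]\s+(?P<msg>.*)$"
)
# Assumed wording of an integrity-check failure reported by the device agent.
INTEGRITY_RE = re.compile(r"integrity check fail|jailbr|root(ed|ing)? detect", re.IGNORECASE)

FACILITY_LOCAL0 = 16
SEV_ALERT, SEV_CRIT, SEV_ERR, SEV_WARNING, SEV_NOTICE, SEV_INFO = 1, 2, 3, 4, 5, 6
LEVEL_TO_SEVERITY = {"FATAL": SEV_CRIT, "ERROR": SEV_ERR, "WARN": SEV_WARNING, "INFO": SEV_INFO}
SD_ID = "good@32473"  # 32473 is the RFC 5424 example enterprise number, not Good's


def parse_line(line):
    """Return the event fields for a log line, or None for continuation/garbage lines."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def is_integrity_alert(event):
    return INTEGRITY_RE.search(event["msg"]) is not None


def escape_sd_value(value):
    """RFC 5424 section 6.3.3: escape backslash, double quote and ']' in SD-PARAM values."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_syslog_message(event, hostname="gmc01", app_name="GoodMobileControl",
                         facility=FACILITY_LOCAL0):
    """Render one parsed event as an RFC 5424 syslog message.

    Integrity failures are raised to severity ALERT so the collector can route
    them to on-call notification regardless of the level Good wrote.
    PRI is facility * 8 + severity.
    """
    severity = SEV_ALERT if is_integrity_alert(event) else \
        LEVEL_TO_SEVERITY.get(event["level"], SEV_NOTICE)
    pri = facility * 8 + severity
    # The assumed layout has no zone designator; treated as UTC here.
    ts = datetime.strptime(event["ts"].replace("T", " "), "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
    sd = '[{} component="{}" level="{}"]'.format(
        SD_ID, escape_sd_value(event["component"]), escape_sd_value(event["level"]))
    return "<{}>1 {} {} {} - - {} {}".format(pri, ts, hostname, app_name, sd, event["msg"])


def forward(lines, send, only_integrity=True):
    """Parse, filter and send log lines; returns the messages that were sent."""
    sent = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # stack-trace continuation or unrecognised line
        if only_integrity and not is_integrity_alert(event):
            continue
        message = build_syslog_message(event)
        send(message)
        sent.append(message)
    return sent


def udp_sender(host, port=514):
    """Return a send() callable that emits each message as one UDP datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda message: sock.sendto(message.encode("utf-8"), (host, port))


# Constructed sample log excerpt (not captured from a real server).
SAMPLE_LOG = [
    "2017-10-27 13:05:02 INFO [Sync] Device 7F3A completed mailbox sync",
    "2017-10-27 13:05:09 ERROR [Compliance] Device 7F3A reported OS integrity check failure: jailbreak detected",
    "2017-10-27 13:05:09 WARN [Compliance] Device 7F3A failure action lock applied",
    "    at GMC.Compliance.Evaluate()",
    "2017-10-27 13:07:12 ERROR [Compliance] Device 9B21 reported OS integrity check failure: root detected",
]

if __name__ == "__main__":
    # Dry run: print instead of sending. For a collector use forward(lines, udp_sender("10.0.0.5")).
    forward(SAMPLE_LOG, print)
```

Once the real line layout is known, only LINE_RE and INTEGRITY_RE need to change; the PRI calculation and structured-data escaping are what collectors actually depend on, and sending everything with only_integrity=False keeps the non-alert lines at their native severity.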

Check Content

Review the Good Mobility Suite configuration to determine if alerts are accepted from the mobile operating system when the mobile OS has detected integrity check failures. Otherwise, this is a finding.

The Good Mobility Suite server must perform required actions when a security-related alert is received.

Finding ID
GOOD-00-000640
Rule ID
SV-67245r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000286-MDM-000164-MDM
CCI
CCI-001265
Target Key
(None)
Documentable
No
Discussion

Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. Types of actions the Good Mobility Suite must be able to perform after a security alert include: log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the Good Mobility Suite, disable the security container, wipe the security container, and delete an unapproved application. Security alerts include any alert from the MDIS or MAM component of the Good Mobility Suite.

Fix Text

Use a Good Mobility Suite that can perform required actions after receiving security-related alerts.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select a policy set to review and click on the policy.
- On the left tab, select Compliance Manager under Mobile Device Management and click Add Rule.
- Select the Compliance Rule.
- Under Failure Action, select the appropriate action.

Check Content

Review the Good Mobility Suite configuration to determine if it has the capability to perform required actions after receiving a security-related alert. Otherwise, this is a finding.

The Good Mobility Suite server must detect and report the version of the operating system, device drivers, and application software for managed mobile devices.

Finding ID
GOOD-00-000630
Rule ID
SV-67247r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000270-MDM-000162-MDM
CCI
CCI-001233
Target Key
(None)
Documentable
No
Discussion

Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This mechanism also ensures the network configuration is known for risk mitigation when known issues are found with certain versions of the operating system or applications.

Fix Text

Configure the Good Mobility Suite server to detect and report the version of the operating system, device drivers, and application software for managed mobile devices.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on iOS Configuration.
- Verify all checkboxes are checked on the General tab.

Check Content

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite detects and reports the version of the operating system, device drivers, and application software for managed mobile devices. Otherwise, this is a finding.

The Good Mobility Suite email client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.

Finding ID
GOOD-00-000620
Rule ID
SV-67249r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000196-MDM-000215-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must support retrieving certificates not stored in the local trust anchor store.

Fix Text

Configure the Good Mobility Suite server to retrieve encryption certificates not stored in the local trust anchor store for S/MIME purposes.
- Launch the Good Mobile Control Web console and click on the Settings tab.
- On the left side, select Secure Messaging (S/MIME).
- Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly.
- Click on Save.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Otherwise, this is a finding.

The Good Mobility Suite email client must provide a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP.

Finding ID
GOOD-00-000610
Rule ID
SV-67251r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000196-MDM-000213-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must validate certificates through a trusted OCSP, CRL, or SCVP.

Fix Text

Configure the Good Mobility Suite server to provide a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP.
- Launch the Good Mobile Control Web console and click on the Settings tab.
- On the left side, select Secure Messaging (S/MIME).
- Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly.
- Click on Save and proceed to the Policies tab.
- Select the policy set for the smart phone and select Good For Enterprise Authentication.
- Verify Enable S/MIME is checked.
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client provides a mechanism to provide certificate validation through a trusted OCSP, CRL, or SCVP. Otherwise, this is a finding.

The Good Mobility Suite email client must provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.

Finding ID
GOOD-00-000600
Rule ID
SV-67253r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000196-MDM-000212-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must be able to decrypt incoming email messages.

Fix Text

Configure the Good Mobility Suite server to provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select Good For Enterprise Authentication.
- Verify Enable S/MIME is checked.
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.

The Good Mobility Suite email client must provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.

Finding ID
GOOD-00-000590
Rule ID
SV-67255r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000196-MDM-000211-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must be able to sign and/or encrypt outgoing messages.

Fix Text

Configure the Good Mobility Suite to provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select Good For Enterprise Authentication.
- Verify Enable S/MIME is checked.
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.

The Good Mobility Suite email client must set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.

Finding ID
GOOD-00-000580
Rule ID
SV-67257r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000196-MDM-000210-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that Smart Card/Certificate Store password caching must time out.

Fix Text

Configure the Good Mobility Suite to set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select Good For Enterprise Authentication.
- Verify Re-challenge for password every is checked and set to 120 minutes.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client sets the Smart Card or Certificate Store Password caching timeout period to 120 minutes. Otherwise, this is a finding.

The Good Mobility Suite email client S/MIME must be fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported.

Finding ID
GOOD-00-000570
Rule ID
SV-67259r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000196-MDM-000204-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the CAC is the required mechanism for that protection.

Fix Text

Configure the Good Mobility Suite email client to utilize DoD PKI and CAC/PIV.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select Good For Enterprise Authentication.
- Verify Enable S/MIME is checked.
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client S/MIME feature is fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. Otherwise, this is a finding.

The Good Mobility Suite email client must be capable of providing S/MIME v3 (or later version) encryption of email.

Finding ID
GOOD-00-000560
Rule ID
SV-67261r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000196-MDM-000203-MEM
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, S/MIME is the required mechanism for encryption of email.

Fix Text

Configure the Good Mobility Suite server to provide S/MIME v3 (or later version) encryption of email.
- Launch the Good Mobile Control Web console and click on the Settings tab.
- On the left side, select Secure Messaging (S/MIME).
- Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly.
- Click on Save and proceed to the Policies tab.
- Select the policy set for the smart phone and select Good For Enterprise Authentication.
- Verify Enable S/MIME is checked.
Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.

Check Content

Review the Good Mobility Suite server configuration to verify the mobile email client provides S/MIME v3 (or later version) encryption of email. Otherwise, this is a finding.

The Good Mobility Suite email client must restrict contact list data elements transferred to the phone application.

Finding ID
GOOD-00-000550
Rule ID
SV-67263r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000243-MDM-000230-MEM
CCI
CCI-001090
Target Key
(None)
Documentable
No
Discussion

The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed.

Fix Text

Configure the Good Mobility Suite to restrict contact list data elements transferred to the phone application.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select the Messaging tab.
- Verify Enable access to Good Contacts is checked.
- Click on Choose Fields and select only the fields to sync: Name and Phone Number.

Check Content

Review the Good Mobility Suite server configuration to determine whether the email client restricts contact list data elements transferred to the phone application. Otherwise, this is a finding.

The Good Mobility Suite server must disable copying data from inside a security container to a non-secure data area on a mobile device via centrally managed policy.

Finding ID
GOOD-00-000540
Rule ID
SV-67265r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000151-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable the copying of data stored inside the security container to an unsecured area outside the container.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select the Messaging tab.
- Verify Do not allow data to be copied from the Good application is checked.
- Select the File Handling tab and make sure Enable importing to Good only is selected.
- Verify Exceptions to importing/exporting between Good and 3rd party is checked and Trust only these external applications is selected.

Check Content

Review the Good Mobility Suite server configuration to determine whether copying of data stored inside the security container to an unsecured area outside the container has been disabled. Otherwise, this is a finding.

The Good Mobility Suite server must specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

Finding ID
GOOD-00-000530
Rule ID
SV-67267r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000150-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the Good Mobility Suite. In these cases, the ability to prevent users from removing the application is needed to ensure proper secure operation of the device.

Fix Text

Configure the Good Mobility Suite to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select the Application Management tab.
- Verify required applications have been assigned under Enterprise Applications and are marked as Managed under the Type field.
- Click Save.

Check Content

Review the Good Mobility Suite server configuration to determine whether there is a list of approved applications that must be installed on the mobile device and cannot be removed by the user. Otherwise, this is a finding.

The Good Mobility Suite server must configure the mobile device agent to prohibit the download of software from a non-DoD approved source.

Finding ID
GOOD-00-000520
Rule ID
SV-67269r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000149-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores.

Fix Text

Configure the Good Mobility Suite mobile device agent to prohibit the download of software from a non-DoD-approved source.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify Allow installing apps is unchecked.

Check Content

Review the Good Mobility Suite server configuration to determine if the mobile device agent prohibits the download of software from a non-DoD-approved source. Otherwise, this is a finding.

The Good Mobility Suite server must prohibit the mobile device user from installing unapproved applications on the mobile device.

Finding ID
GOOD-00-000510
Rule ID
SV-67271r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000148-MAM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier-installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Fix Text

Configure the Good Mobility Suite to prohibit the mobile device user from installing unapproved applications on the mobile device.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify Allow installing apps is unchecked.

Check Content

Review the Good Mobility Suite server configuration to determine if the mobile device user is prohibited from installing unapproved applications on the mobile device. Otherwise, this is a finding.

The Good Mobility Suite server application white list for managed mobile devices must be set to Deny All by default when no applications are listed.

Finding ID
GOOD-00-000500
Rule ID
SV-67273r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000135-MDM-000147-MAM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.

Fix Text

Configure the Good Mobility Suite application white list for managed mobile devices to "Deny All" by default when no applications are listed.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select the Compliance Manager tab.
- Verify an iOS rule exists with the Application Exceptions rule type and is set to enabled.
- Select Edit for the iOS rule.
- Verify Trust only these applications is selected.
- Verify only allowed applications are added to the Apps Selected list.
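Two rules above describe the same mechanism from different sides: GOOD-00-000640 says a Compliance Manager rule pairs a check with a Failure Action (log, email, lock the account, disable or wipe the container, wipe the device), and GOOD-00-000500 says the Application Exceptions rule must deny everything when its "Apps Selected" list is empty. The following is an added example that models both, not Good Technology code and not the product's API: a small rule engine that evaluates a device report, returns the failure action for each failed rule, and shows the trust-only check beside the fail-open version (empty list read as "no restriction") that the "Deny All" check is meant to catch. The rule names, the DeviceReport fields, the bundle identifiers, the device reports and which action is paired with which rule are assumptions chosen for illustration.

```python
"""Evaluate Compliance Manager style rules against a device report and decide
the failure action, including an 'Application Exceptions' rule that denies
everything when its trusted list is empty.

Added example, not Good Technology code and not the product's API. The rule
names, the DeviceReport fields, the bundle identifiers and the mapping of rules
to failure actions are assumptions chosen for illustration; the set of failure
actions is the one named in the STIG discussion for GOOD-00-000640.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple

# Ordered from least to most severe so the strongest action can be chosen.
ACTIONS = ("log", "email_admin", "lock_account", "disable_container",
           "wipe_container", "wipe_device")


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    os_version: str                 # e.g. "11.0.3"
    integrity_failed: bool          # mobile OS reported an integrity-check failure
    installed_apps: FrozenSet[str]  # bundle identifiers reported by the agent


@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[DeviceReport], bool]  # True when the device is compliant
    failure_action: str
    enabled: bool = True


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def application_exceptions(trusted: Iterable[str], trust_only: bool = True):
    """Check for an Application Exceptions rule.

    trust_only=True is 'Trust only these applications': any installed app that
    is not listed is a violation, so an empty list means every installed app
    fails the check. That is the deny-all default GOOD-00-000500 requires.
    trust_only=False is the block-list reading: only listed apps fail.
    """
    trusted_set = frozenset(trusted)

    def check(report: DeviceReport) -> bool:
        if trust_only:
            return report.installed_apps <= trusted_set
        return not (report.installed_apps & trusted_set)
    return check


def application_exceptions_fail_open(trusted: Iterable[str]):
    """The bug the STIG check guards against: an empty list read as 'no
    restriction', which silently allows every application."""
    trusted_set = frozenset(trusted)

    def check(report: DeviceReport) -> bool:
        if not trusted_set:  # empty list -> compliant regardless of inventory
            return True
        return report.installed_apps <= trusted_set
    return check


def evaluate(rules: Iterable[Rule], report: DeviceReport) -> List[Tuple[str, str]]:
    """Return (rule name, failure action) for every enabled rule the device fails."""
    failures = []
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.failure_action not in ACTIONS:
            raise ValueError(f"unknown failure action: {rule.failure_action}")
        if not rule.check(report):
            failures.append((rule.name, rule.failure_action))
    return failures


def most_severe(failures: List[Tuple[str, str]]) -> Optional[str]:
    """Strongest action among the failures, or None when the device is compliant."""
    if not failures:
        return None
    return max((action for _, action in failures), key=ACTIONS.index)


# Hypothetical policy set; bundle identifiers are made up.
TRUSTED_APPS = {"com.good.gfe", "com.example.securemail"}
POLICY = [
    Rule("OS integrity check", lambda r: not r.integrity_failed, "wipe_container"),
    Rule("Minimum OS version 11.0", lambda r: version_tuple(r.os_version) >= (11, 0), "lock_account"),
    Rule("Application Exceptions (trust only listed)", application_exceptions(TRUSTED_APPS), "disable_container"),
]

if __name__ == "__main__":
    # Constructed device reports, not data from a real deployment.
    clean = DeviceReport("7F3A", "11.0.3", False, frozenset({"com.good.gfe"}))
    rooted = DeviceReport("9B21", "11.0.3", True, frozenset({"com.good.gfe", "com.example.game"}))
    for device in (clean, rooted):
        failures = evaluate(POLICY, device)
        print(device.device_id, failures, "->", most_severe(failures))
```

The check worth running against any real allowlist implementation is the last one in the test below: a device carrying one app that is not on an empty trust-only list must fail the rule. If it passes, the list is fail-open and an administrator who has not yet populated "Apps Selected" has no restriction at all.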

Check Content

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite application white list for managed mobile devices is set to "Deny All" by default when no applications are listed. Otherwise, this is a finding.

The Good Mobility Suite server must configure the Good Mobility Suite agent to prohibit the download of applications on mobile operating system devices without system administrator control.

Finding ID
GOOD-00-000490
Rule ID
SV-67275r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000146-MAM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.

Fix Text

Configure the Good Mobility Suite so the Good Mobility Suite agent is configured to prohibit the download of applications on mobile operating system devices without system administrator control.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and select the iOS Management tab.
- Verify Enable iOS Configuration is checked.
- Select Restrictions under the iOS Management tab.
- Verify Allow use of iTunes Music Store is unchecked.

Check Content

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite agent prohibits the download of applications on mobile operating system devices without administrator control. If this function is not present, this is a finding.

The Good Mobility Suite server must enable iOS Force encrypted backups via centrally managed policy.

Finding ID
GOOD-00-000480
Rule ID
SV-67277r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to enable iOS Force encrypted backups.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Require iTunes backups to be encrypted is checked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Force encrypted backups has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Allow diagnostic data to be sent to Apple via centrally managed policy.

Finding ID
GOOD-00-000470
Rule ID
SV-67279r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow diagnostic data to be sent to Apple.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow diagnostic data to be sent to Apple is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow diagnostic data to be sent to Apple has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Auto-fill via centrally managed policy.

Finding ID
GOOD-00-000460
Rule ID
SV-67281r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Auto-fill.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow Auto-fill is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Auto-fill has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Allow documents from unmanaged apps in managed apps via centrally managed policy.

Finding ID
GOOD-00-000450
Rule ID
SV-67283r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from unmanaged apps in managed apps.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow "Open In" from unmanaged to managed is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from unmanaged apps in managed apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Allow documents from managed apps in unmanaged apps via centrally managed policy.

Finding ID
GOOD-00-000440
Rule ID
SV-67285r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from managed apps in unmanaged apps.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow "Open In" from managed to unmanaged is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from managed apps in unmanaged apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Touch ID to unlock device via centrally managed policy.

Finding ID
GOOD-00-000430
Rule ID
SV-67287r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Touch ID to unlock device.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow fingerprint unlock is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Touch ID to unlock device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable the iOS Today View in lock screen via centrally managed policy.

Finding ID
GOOD-00-000420
Rule ID
SV-67289r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS Today View in lock screen.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow lock screen Today View is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the iOS Today View in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Airdrop via centrally managed policy.

Finding ID
GOOD-00-000410
Rule ID
SV-67291r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Airdrop. This setting can only be enforced by User-Based Enforcement.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS Airdrop has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable the iOS notification center in lock screen via centrally managed policy.

Finding ID
GOOD-00-000400
Rule ID
SV-67293r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS notification center in lock screen.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow lock screen notifications view is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the iOS notification center in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS voice dialing via centrally managed policy.

Finding ID
GOOD-00-000390
Rule ID
SV-67295r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS voice dialing.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow voice dialing is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS voice dialing has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS Siri while the device is locked via centrally managed policy.

Finding ID
GOOD-00-000380
Rule ID
SV-67297r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Siri while the device is locked.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow Siri while device is locked is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS Siri while the device is locked has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must enable iOS force limited ad tracking via centrally managed policy.

Finding ID
GOOD-00-000370
Rule ID
SV-67299r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to enable iOS force limited ad tracking.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Force limit ad tracking is checked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether iOS force limited ad tracking has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS iCloud documents and data via centrally managed policy.

Finding ID
GOOD-00-000360
Rule ID
SV-67301r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud documents and data.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow document syncing is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud documents and data has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS iCloud backup via centrally managed policy.

Finding ID
GOOD-00-000350
Rule ID
SV-67303r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud backup.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow iCloud backup is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud backup has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS iCloud keychain sync via centrally managed policy.

Finding ID
GOOD-00-000340
Rule ID
SV-67305r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud keychain sync.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow iCloud keychain sync is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud keychain sync has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS photo streams via centrally managed policy.

Finding ID
GOOD-00-000330
Rule ID
SV-67307r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS photo streams.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow Photo Stream is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS shared photo streams via centrally managed policy.

Finding ID
GOOD-00-000320
Rule ID
SV-67309r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS shared photo streams.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow Shared Photo Stream is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS shared photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable iOS screenshots via centrally managed policy.

Finding ID
GOOD-00-000310
Rule ID
SV-67311r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS screenshots.
- Launch the Good Mobile Control Web console and click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- On the left tab, select iOS Configuration and select the Restrictions tab.
- Verify the Enable Restrictions checkbox is checked.
- Verify Allow screen capture is unchecked.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the ability to take iOS screenshots has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite email client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.

Finding ID
GOOD-00-000020
Rule ID
SV-67313r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000196-MDM-000217-MEM
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

HTML code embedded in emails can contain links to malicious sites. Requiring that all emails are viewed in plain text helps remediate phishing attempts.

Fix Text

Configure the Good Mobility Suite to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Verify that the following registry entry exists on servers running the Good GMM/Good Link Service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\sync]
"HtmlEmail"=0

Check Content

Review the Good Mobility Suite configuration to determine if the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Otherwise, this is a finding.

The Good Mobility Suite must transfer audit logs from managed mobile devices to the Good Mobility Suite.

Finding ID
GOOD-00-000030
Rule ID
SV-67315r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000102-MDM-000248-MDM
CCI
CCI-000136
Target Key
(None)
Documentable
No
Discussion

Good Mobility Suite auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents.

Fix Text

Configure the Good Mobility Suite to transfer audit logs from managed mobile devices to the Good Mobility Suite.
- Good logs are saved in standard .log format. The default location for these logs is the Log directory under the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows the data to be consumed by any third-party syslog tool. Refer to the third-party documentation to configure the required alerts/notifications.
- To enable Good Mobile Messaging Server diagnostic logging, the following 3 registry entries must be configured as String Values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics:
  "cachesize" = 0
  "encrypt" = 0
  "expand" = 1

Check Content

Review the Good Mobility Suite mobile device account configuration to verify the audit logs can be transferred from managed mobile devices to the Good Mobility Suite. Have the system administrator show the logs of managed mobile devices on the Good Mobility Suite and whether audit logs are being transferred on request or on a periodic schedule. Otherwise, this is a finding.
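The two rules above (GOOD-00-000020 and GOOD-00-000030) are the only ones on this page whose check is a registry value rather than a console setting, so they can be audited by script. The following PowerShell is an added example, not part of the STIG or Good Technology's documentation; it assumes it runs on the server hosting the Good Link Service with read access to HKLM, and it takes the key paths, value names and expected values from the two Fix Texts.

```powershell
# Added example (not from the STIG or Good Technology): audit the registry-based
# rules GOOD-00-000020 (HtmlEmail) and GOOD-00-000030 (diagnostic logging).
# Assumption: run on the Good Mobile Messaging / Good Link Service host with
# read access to HKLM. Key paths and expected values are taken from the page.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters'

# One entry per value the STIG expects: finding ID, key, value name, required value.
$expectations = @(
    @{ Finding = 'GOOD-00-000020'; Key = "$base\sync";        Name = 'HtmlEmail'; Expected = '0' },
    @{ Finding = 'GOOD-00-000030'; Key = "$base\diagnostics"; Name = 'cachesize'; Expected = '0' },
    @{ Finding = 'GOOD-00-000030'; Key = "$base\diagnostics"; Name = 'encrypt';   Expected = '0' },
    @{ Finding = 'GOOD-00-000030'; Key = "$base\diagnostics"; Name = 'expand';    Expected = '1' }
)

function Test-GoodRegistryValue {
    param([hashtable]$Check)

    $result = [ordered]@{
        Finding  = $Check.Finding
        Key      = $Check.Key
        Name     = $Check.Name
        Expected = $Check.Expected
        Actual   = $null
        Status   = 'Open'   # STIG language: a missing or wrong value is a finding
    }

    # A missing key means the setting was never configured, which is a finding.
    if (-not (Test-Path -Path $Check.Key)) {
        $result.Actual = '<key missing>'
        return [pscustomobject]$result
    }

    # A missing value under an existing key is also a finding.
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Actual = '<value missing>'
        return [pscustomobject]$result
    }

    # The STIG specifies the diagnostics entries as String Values; comparing the
    # string form also tolerates a DWORD 0/1 if an installer created one instead.
    $actual = [string]$item.($Check.Name)
    $result.Actual = $actual
    if ($actual.Trim() -eq $Check.Expected) { $result.Status = 'NotAFinding' }
    return [pscustomobject]$result
}

$report = $expectations | ForEach-Object { Test-GoodRegistryValue -Check $_ }
$report | Format-Table Finding, Name, Expected, Actual, Status -AutoSize

# Exit non-zero when any rule is open so the script can feed a compliance
# pipeline or scheduled check rather than only a manual review.
if ($report | Where-Object Status -eq 'Open') { exit 1 } else { exit 0 }
```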

The Good Mobility Suite email client must notify the user if it cannot verify the revocation status of the certificate.

Finding ID
GOOD-00-000040
Rule ID
SV-67317r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000175-MDM-000187-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can use revoked certificates without detection.

Fix Text

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section.
- Verify Enable Secure Messaging (S/MIME) is checked.
- In addition, click on the Policies tab.
- Select the policy set for the smart phone and click on Good For Enterprise Authentication.
- Verify Enable S/MIME is checked.

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client notifies the user if it cannot verify the revocation status of the certificate. Otherwise, this is a finding.

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.

Finding ID
GOOD-00-000050
Rule ID
SV-67319r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000175-MDM-000188-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the credentials of an unauthorized system. Allowing the operating system or user to deny certificates with unverified revocation status mitigates the risk associated with the acceptance of such certificates.

Fix Text

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. Otherwise, this is a finding.

The Good Mobility Suite email client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.

Finding ID
GOOD-00-000060
Rule ID
SV-67321r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000189-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Fix Text

Configure the Good Mobility Suite to alert the user if it receives a public-key certificate issued from an untrusted certificate authority. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate issued from an untrusted certificate authority. Otherwise, this is a finding.

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.

Finding ID
GOOD-00-000070
Rule ID
SV-67323r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000190-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of a certificate if it was issued by an untrusted certificate authority.

Fix Text

Configure the Good Mobility Suite to provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the email client provides users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. Otherwise, this is a finding.

The Good Mobility Suite email client must alert the user if it receives an invalid public-key certificate.

Finding ID
GOOD-00-000080
Rule ID
SV-67325r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000191-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Fix Text

Configure the Good Mobility Suite to alert the user if it receives an invalid public-key certificate. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an invalid public-key certificate. Otherwise, this is a finding.

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.

Finding ID
GOOD-00-000090
Rule ID
SV-67327r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000192-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.

Fix Text

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. Otherwise, this is a finding.

The Good Mobility Suite email client must not accept certificate revocation information without verifying its authenticity.

Finding ID
GOOD-00-000100
Rule ID
SV-67329r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000175-MDM-000193-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the operating system does not verify the authenticity of revocation information, there is the potential that an unauthorized system is providing false information. Acceptance of the false information could result in the installation of unauthorized software or connection to rogue networks, depending on the use for which the certificate is intended. Verifying the authenticity of revocation information mitigates this risk.

Fix Text

Configure the Good Mobility Suite to not accept certificate revocation information without verifying its authenticity. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client does not accept certificate revocation information without verifying its authenticity. Otherwise, this is a finding.

The Good Mobility Suite email client must verify all digital certificates in the certificate chain when performing PKI transactions.

Finding ID
GOOD-00-000110
Rule ID
SV-67331r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000175-MDM-000194-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mobile user with such false assurance, the adversary may be able to obtain DoD information, capture authentication credentials, and perform other unauthorized functions. Verifying all digital certificates in the chain mitigates this risk.

Fix Text

Configure the Good Mobility Suite to verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client verifies all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. Otherwise, this is a finding.

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.

Finding ID
GOOD-00-000120
Rule ID
SV-67333r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000195-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.

Fix Text

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. Otherwise, this is a finding.

The Good Mobility Suite email client must alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.

Finding ID
GOOD-00-000130
Rule ID
SV-67341r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000196-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Fix Text

Configure the Good Mobility Suite to alert the user if it receives a public-key certificate with a non-FIPS approved algorithm. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate with a non-FIPS approved algorithm. Otherwise, this is a finding.

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.

Finding ID
GOOD-00-000140
Rule ID
SV-67343r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000197-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.

Fix Text

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. Otherwise, this is a finding.

The Good Mobility Suite email client must alert the user if it receives an unverified public-key certificate.

Finding ID
GOOD-00-000170
Rule ID
SV-67345r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000200-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Fix Text

Configure the Good Mobility Suite to alert the user if it receives an unverified public-key certificate. -Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section -Verify Enable Secure Messaging (S/MIME) is checked -In addition, click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an unverified public-key certificate. Otherwise, this is a finding.
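The S/MIME rules above (GOOD-00-000040 through GOOD-00-000170) state what the email client must do with a peer certificate but not how a verifier arrives at those decisions. The program below is an added example written for this page; it is not code from Good Technology, DISA or the Good for Enterprise product. Using only the Go standard library it shows the decision logic behind most of those rules: chain building to a configured root (untrusted CA, 000060/070; invalid certificate, 000080/090; every certificate in the chain, 000110) and CRL-based revocation in which a CRL is believed only after its signature is checked against the issuer that should have produced it (000100), so a missing, stale or forged CRL yields "revocation unknown" rather than "not revoked" (000040/050). The algorithm-strength rules (000130/140) are not covered. The PKI (Example Root CA, Example Issuing CA, Rogue CA and the user certificates alice, bob, carol and mallory), the `Outcome` type and the scenario names are all constructed for this example and exist nowhere in the STIG; setup errors in that throwaway PKI simply panic because they are not the point.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcome holds the conditions the S/MIME rules above require the client to surface;
// any true field means "alert the user and offer to deny the certificate".
type Outcome struct {
	UntrustedCA       bool // chain does not end at a configured root (GOOD-00-000060/070)
	Invalid           bool // expired, bad signature or wrong usage (GOOD-00-000080/090)
	RevocationUnknown bool // no authentic, current CRL covers a chain cert (GOOD-00-000040/050)
	Revoked           bool // an authenticated CRL lists a chain cert
}

func (o Outcome) MustPrompt() bool { return o.UntrustedCA || o.Invalid || o.RevocationUnknown || o.Revoked }

// revocationStatus implements GOOD-00-000100: a CRL counts only once its signature verifies
// against the issuer that should have produced it and its validity window is current.
func revocationStatus(c, issuer *x509.Certificate, crlDER []byte, now time.Time) (revoked, unknown bool) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, true // missing, forged or stale revocation data is not evidence either way
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return true, false
		}
	}
	return false, false
}

// Classify validates leaf against the configured roots, the attached intermediates and the CRLs
// supplied per issuer subject, checking every certificate in the chain (GOOD-00-000110).
func Classify(leaf *x509.Certificate, roots, inters *x509.CertPool, crls map[string][]byte, now time.Time) Outcome {
	var out Outcome
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		out.UntrustedCA = errors.As(err, &unknownCA)
		out.Invalid, out.RevocationUnknown = !out.UntrustedCA, true // no trusted issuer, so no CRL can be authenticated
		return out
	}
	chain := chains[0] // leaf, intermediates..., anchor; the anchor is trusted by configuration, not by a CRL
	for i := 0; i+1 < len(chain); i++ {
		issuer := chain[i+1]
		revoked, unknown := revocationStatus(chain[i], issuer, crls[issuer.Subject.String()], now)
		out.Revoked, out.RevocationUnknown = out.Revoked || revoked, out.RevocationUnknown || unknown
	}
	return out
}

// issue mints a certificate for the constructed test PKI; a nil parent means self-signed.
func issue(cn string, key crypto.Signer, parent *x509.Certificate, parentKey crypto.Signer, ca bool, notAfter time.Time) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if ca {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err) // setup failure in the test PKI, not part of the check being shown
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// crl signs a CRL listing the given serials with the issuer's key.
func crl(issuer *x509.Certificate, key crypto.Signer, now time.Time, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Scenarios builds the throwaway PKI and runs Classify over the cases the rules above enumerate.
func Scenarios() map[string]Outcome {
	now, later := time.Now(), time.Now().Add(24*time.Hour)
	key := func() crypto.Signer { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, interKey, rogueKey := key(), key(), key()
	root := issue("Example Root CA", rootKey, nil, nil, true, later)
	inter := issue("Example Issuing CA", interKey, root, rootKey, true, later)
	rogue := issue("Rogue CA", rogueKey, nil, nil, true, later) // attacker-controlled, never configured as a root
	alice := issue("alice", key(), inter, interKey, false, later)
	bob := issue("bob", key(), inter, interKey, false, now.Add(-time.Minute)) // already expired
	carol := issue("carol", key(), inter, interKey, false, later)
	mallory := issue("mallory", key(), rogue, rogueKey, false, later)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	inters.AddCert(rogue) // a sender can attach any chain; only the roots pool confers trust
	good := map[string][]byte{root.Subject.String(): crl(root, rootKey, now), inter.Subject.String(): crl(inter, interKey, now, carol.SerialNumber)}
	forged := map[string][]byte{root.Subject.String(): good[root.Subject.String()], inter.Subject.String(): crl(rogue, rogueKey, now)}
	return map[string]Outcome{
		"trusted":      Classify(alice, roots, inters, good, now),
		"expired":      Classify(bob, roots, inters, good, now),
		"revoked":      Classify(carol, roots, inters, good, now),
		"untrusted-ca": Classify(mallory, roots, inters, good, now),
		"no-crl":       Classify(alice, roots, inters, nil, now),
		"forged-crl":   Classify(alice, roots, inters, forged, now), // right issuer name, wrong signer
	}
}

func main() {
	for name, o := range Scenarios() {
		fmt.Printf("%-13s prompt=%-5v %+v\n", name, o.MustPrompt(), o)
	}
}
```

Two design points carry over to any real client. First, the "forged-crl" case is why GOOD-00-000100 exists: a CRL that names the right issuer but was not signed by it must be treated as absent, which then trips the "cannot verify revocation status" rules rather than quietly reporting "not revoked". Second, the walk over `chain` checks the intermediate against the root's CRL as well as the user certificate against the issuing CA's CRL; a client that only looks at the leaf does not satisfy GOOD-00-000110. The same authenticity requirement applies to OCSP responses, which are signed and must be verified before being believed.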

The Good Mobility Suite must be configured to provide the administrative functionality to transmit a remote Data Wipe command, including removable media cards, to a managed mobile device.

Finding ID
GOOD-00-000180
Rule ID
SV-67349r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000086-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device.

Fix Text

Configure the Good Mobility Suite so it has the administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. Enable the iOS MDM profile: 1. Select each security policy iOS devices are assigned to and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule. -Verify "Enable MDM profile" is checked. -Verify "Enable remote full device wipe" is checked.

Check Content

Review the Good Mobility Suite configuration to determine whether there is administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. Otherwise, this is a finding.

The Good Mobility Suite must enforce the minimum password length for the device unlock password via centrally managed policy.

Finding ID
GOOD-00-000190
Rule ID
SV-67351r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000093-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to enable a device unlock password with a minimum length of 4 characters. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify require passcode is checked and minimum length is set to 4

Check Content

Review the Good Mobility Suite server policy configuration to determine if the minimum password length for the device unlock password is at least 4 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must set the device inactivity timeout to 15 minutes via centrally managed policy.

Finding ID
GOOD-00-000200
Rule ID
SV-67353r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000095-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout to 15 minutes. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Auto-lock is checked and set to 15 minutes

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must set the device inactivity timeout grace period to be immediate via centrally managed policy.

Finding ID
GOOD-00-000210
Rule ID
SV-67359r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000095-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout grace period to be immediate. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Grace Period checkbox is checked and its dropdown menu set to Immediate

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout grace period is set to be immediate. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable the mobile device user's access to an application store or repository via centrally managed policy.

Finding ID
GOOD-00-000220
Rule ID
SV-67361r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000115-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to disable the mobile device user's access to an application store or repository. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Restrictions Tab -Verify Allow installing apps is unchecked

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the mobile device user's access to an application store or repository has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must block access to specific web sites via centrally managed policy.

Finding ID
GOOD-00-000230
Rule ID
SV-67365r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000116-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to block access to specific web sites. -Launch the Good Mobile Control Web console and click on the Settings tab -On the left tab, select Good Mobile Access (Secure Browser) -Populate the Approved DoD Proxy settings applicable to your Network -Click on Policies Tab -Select the policy set for the smart phone and click on Good Mobile Access (Secure Browser) -Check Enable access to the Intranet, click on Edit and add routeall.gmm.good, click ok and click Save. At this point the Secure Browser will utilize your DoD proxy settings.

Check Content

Review the Good Mobility Suite server policy configuration to determine whether access to specific web sites has been blocked. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must force the display of a warning banner on the mobile device via centrally managed policy.

Finding ID
GOOD-00-000240
Rule ID
SV-67369r2_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000123-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. The warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: "I've read & consent to terms in IS user agreem't." (Wording must be exactly as specified.)

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to force the display of a warning banner on the mobile device. -Create a Notepad text file, enter the following, and save it as disclaimer.xml (DO NOT DEVIATE FROM BELOW CONTENT): <disclaimer> <dtext value="I've read & consent to terms in IS user agreem't."/> </disclaimer> -Launch the Good Mobile Control Web console and click on the Policies tab -Select a policy set to review and click on the policy -On the left tab, select Compliance Manager and click Add Rule -Select iOS as the Rule Platform -Under Check to run, select Custom -Enter a Name and Description for your rule -Under Perform Checks, select Rule file and upload your disclaimer.xml -Click OK to save the rule to Compliance Manager -Select the newly created rule and click Enable -Click Save to save the policy

Check Content

Review the Good Mobility Suite server policy configuration to determine the display of a warning banner on the mobile device is being forced. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.

Finding ID
GOOD-00-000250
Rule ID
SV-67371r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000131-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -On the left tab, select iOS Configuration and select the Passcode Tab -Verify Maximum Failed Attempts checkbox is checked and its dropdown menu set to a value of 10 or less

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must enable a Good Mobility Suite agent password via centrally managed policy.

Finding ID
GOOD-00-000260
Rule ID
SV-67373r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000135-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to enable a Good Mobility Suite Agent password. -Launch the Good Mobile Control Web console and click on the Policies tab -Select the policy set for the smart phone and click on Good For Enterprise Authentication -Verify Password-protected (with or without soft token and S/MIME) is selected

Check Content

Review the Good Mobility Suite server policy configuration to determine whether a Good Mobility Suite Agent password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must enable the Good Mobility Suite agent password length to be six or more characters.

Finding ID
GOOD-00-000270
Rule ID
SV-67377r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000142-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to set the minimum Good Mobility Suite agent password length of six or more characters.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Require minimum length is checked and is set to 6 characters

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent password is at least 6 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite must set the Good Mobility Suite agent inactivity timeout to 15 minutes via centrally managed policy.

Finding ID
GOOD-00-000280
Rule ID
SV-67379r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000144-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to set the Good Mobility Suite agent inactivity timeout to 15 minutes.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Require password when idle for is checked and is set to 15 minutes

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable the automatic removal of the iOS configuration profile via centrally managed policy.

Finding ID
GOOD-00-000290
Rule ID
SV-67381r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable the automatic removal of the iOS configuration profile.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the General Tab
- Verify Automatically Remove Profile is set to Never

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the automatic removal of the iOS configuration profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite server must disable the use of simple values within the iOS Good Mobility Server agent password via centrally managed policy.

Finding ID
GOOD-00-000300
Rule ID
SV-67383r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000135-MDM-000087-MDM
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Fix Text

Configure the centrally managed Good Mobility Suite security policy rule to disable the use of simple values within the iOS Good Mobility Server agent password.
- Launch the Good Mobile Control Web console and click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- On the left tab, select iOS Configuration and select the Passcode Tab
- Verify Allow Simple Value is unchecked

Check Content

Review the Good Mobility Suite server policy configuration to determine whether the use of simple values within the iOS Good Mobility Server agent password has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

The Good Mobility Suite email client must alert the user if the certificate uses an unverified CRL.

Finding ID
GOOD-00-000150
Rule ID
SV-67467r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000198-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Fix Text

Configure the Good Mobility Suite to alert the user if the certificate uses an unverified CRL.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if the certificate uses an unverified CRL. Otherwise, this is a finding.

The Good Mobility Suite email client must give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.

Finding ID
GOOD-00-000160
Rule ID
SV-67469r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175-MDM-000199-MEM
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Fix Text

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.
- Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
- Verify Enable Secure Messaging (S/MIME) is checked
- In addition, click on the Policies tab
- Select the policy set for the smart phone and click on Good For Enterprise Authentication
- Verify Enable S/MIME is checked

Check Content

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. Otherwise, this is a finding.

Only supported versions of Good for Enterprise must be used.

Finding ID
GOOD-00-000700
Rule ID
SV-91373r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000135-MDM-000123-MDM
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If an unsupported version of Good for Enterprise is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose sensitive DoD data to unauthorized people. Good for Enterprise supports old and obsolete technologies and is no longer supported by BlackBerry.

Fix Text

Remove all versions of Good for Enterprise server installed at the site.

Check Content

Determine if any version of Good for Enterprise server is installed at the site. BlackBerry stopped supporting all versions of this server on 30 September 2017. If any version of Good for Enterprise server is installed at the site, this is a finding.