Checklist Details for AirWatch MDM Software 6.5 STIG Version 1, Release 2

(Archived Revisions)

Checklist Highlights

Checklist Name:
AirWatch MDM Software 6.5 STIG
Version:
Version 1, Release 2
Tier:
II*
Review Status:
Under Review
Authority:
Governmental Authority: Defense Information Systems Agency
Target Product:
Target Product CPE Name Product Category
AirWatch Mobile Device Management (MDM) Software 6.5 cpe:/a:air-watch:air-watch_mobile_device_management_software:6.5 (View CVEs)
  • Mobile Solution
Checklist Summary:
The AirWatch Mobile Device Management (MDM) Software 6.5 Security Technical Implementation Guide (STIG) provides security policy and configuration requirements for the use of the AirWatch MDM Software suite to provide administrative management of Samsung Knox and iOS 7.X MOS in the Department of Defense (DoD). Guidance in these documents applies only to AirWatch MDM Software and related components and applications mentioned herein, and excludes any other components relying on the AirWatch MDM Software suite. The AirWatch MDM Software is installed entirely on DoD host network servers or virtual machines running Windows Server 2008 R2 or 2012 operating systems, and works in conjunction with several services on these servers in order to manage a mobile device fleet. In addition to the software the mobile devices to be managed have their specific MOSs, services, and in some cases wireless network systems. Due to this structure, the application of the AirWatch MDM Software requires the review and application of several STIGs to ensure a maximum security posture, and the STIGs listed below should be referenced and applied in addition to the AirWatch MDM Software STIG. The AirWatch MDM system architecture is installed entirely on the host DoD network, and exists between the host system DMZ and internal network. The below Figure 3-1 shows the architecture of the AirWatch system that is approved for DoD networks and described within this STIG. When deployed within an organization's network infrastructure, AirWatch can adhere to DISA security policies by storing all data onsite. In addition, AirWatch has been designed to run in virtual environments, which allows for seamless deployments on a number of different configurations. When determining the hardware requirements needed to build out an AirWatch environment, it is important to consider the number of managed devices, the device transaction frequency, the device check-in interval, and also the number of administrative users that AirWatch will be managing. It may also be beneficial to consider the growth potential of the organization’s device fleet as well. Below are the listed minimum hardware requirements for installation of the AirWatch MDM Software. Note that some AirWatch components can be installed on the same internal or external server as the AirWatch Administration Console or Device Services components. In these cases, hardware requirements should be added to provide proper support. For AirWatch hardware components and minimum requirements, please reference AirWatch installation and architecture guides provided with the AirWatch MDM Software.
Checklist Role:
  • Mobile Solution
Known Issues:
Not Provided
Target Audience:
Not Provided
Target Operational Environment:
  • Managed
  • Specialized Security-Limited Functionality (SSLF)
Testing Information:
This section covers the required software setup for each listed server before the installation can occur. AirWatch MDM Software runs on a Windows Server 2008 R2 or Windows Server 2012 operating system with specific services installed and running. All services and the operating system should be properly hardened in accordance with their specific STIG. For AirWatch Software requirements, which are matched specifically to the size and anticipated data traffic of the environment, reference the AirWatch installation and architecture guides provided with the AirWatch MDM Software. The AirWatch MDM Software requires bidirectional communication between the mobile devices under management and the AirWatch Device Services and SEG servers. This traffic occurs via port 443 on both servers and requires the usage of an organization-procured, publicly trusted SSL Certificate. This SSL Certificate should meet the requirements of this STIG and be bound to port 443 via IIS on the applicable servers, and matched to the externally accessible DNS names assigned to those servers. This enables mobile devices to reach the services via the Internet and to be managed by the AirWatch MDM Software components. AirWatch MDM Software is installed on host network servers running Windows Server 2008 R2 or 2012 operating systems. As a result, all server-related requirements for Access Control, including Administrator Account creation (but not specific role management), and operating system updates and maintenance are managed by the host operating system. The integrity of remote sessions between the AirWatch MDM Server is accomplished via SSL (SSL Certificate obtained by the organization as outlined in this document), and connections to the host AirWatch Administration Server, set to use an internal URL, occur over organization-approved methods such as VPN, which are separate from the AirWatch MDM Software system.
Regulatory Compliance:
DoD Instruction (DoDI) 8500.01
Comments/Warnings/Miscellaneous:
Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Disclaimer:
Not Provided
Product Support:
Not Provided
Point of Contact:
Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Sponsor:
Not Provided
Licensing:
Not Provided
Change History:
Version 1 - April 16, 2014
Version 1, Release 2 - 30 October 2014
NIST checklist record last modified on 11/02/2014

* This checklist is still undergoing review for inclusion into the NCP at this tier ranking.