The AirWatch Mobile Device Management (MDM) Software 6.5 Security Technical Implementation Guide (STIG) provides security policy and configuration requirements for the use of the AirWatch MDM Software suite to provide administrative management of Samsung Knox and iOS 7.X MOS in the Department of Defense (DoD). Guidance in these documents applies only to AirWatch MDM Software and related components and applications mentioned herein, and excludes any other components relying on the AirWatch MDM Software suite.
The AirWatch MDM Software is installed entirely on DoD host network servers or virtual machines running Windows Server 2008 R2 or 2012 operating systems, and works in conjunction with several services on these servers in order to manage a mobile device fleet. The managed mobile devices in turn bring their own MOSs, services, and, in some cases, wireless network systems. Because of this structure, deploying the AirWatch MDM Software requires the review and application of several STIGs to achieve the strongest security posture; the STIGs listed below should be referenced and applied in addition to the AirWatch MDM Software STIG.
The AirWatch MDM system architecture is installed entirely on the host DoD network, and exists between the host system DMZ and internal network. The below Figure 3-1 shows the architecture of the AirWatch system that is approved for DoD networks and described within this STIG.
When deployed within an organization's network infrastructure, AirWatch can adhere to DISA security policies by storing all data onsite. In addition, AirWatch has been designed to run in virtual environments, which allows for seamless deployments on a number of different configurations. When determining the hardware requirements needed to build out an AirWatch environment, it is important to consider the number of managed devices, the device transaction frequency, the device check-in interval, and the number of administrative users that AirWatch will be managing. It may also be beneficial to consider the growth potential of the organization's device fleet. Below are the listed minimum hardware requirements for installation of the AirWatch MDM Software. Note that some AirWatch components can be installed on the same internal or external server as the AirWatch Administration Console or Device Services components. In these cases, the hardware requirements of the co-located components should be added together so that the shared server is properly sized. For AirWatch hardware components and minimum requirements, reference the AirWatch installation and architecture guides provided with the AirWatch MDM Software.
- Specialized Security-Limited Functionality (SSLF)
This section covers the required software setup for each listed server before the installation can occur. AirWatch MDM Software runs on a Windows Server 2008 R2 or Windows Server 2012 operating system with specific services installed and running. All services and the operating system should be properly hardened in accordance with their specific STIG. For AirWatch Software requirements, which are matched specifically to the size and anticipated data traffic of the environment, reference the AirWatch installation and architecture guides provided with the AirWatch MDM Software.
The AirWatch MDM Software requires bidirectional communication between the mobile devices under management and the AirWatch Device Services and SEG servers. This traffic occurs over port 443 (HTTPS) on both servers and requires an organization-procured, publicly trusted SSL Certificate, so that the managed devices can validate the servers without any additional trust anchors being provisioned. This SSL Certificate should meet the requirements of this STIG, be bound to port 443 via IIS on the applicable servers, and have a subject or subject alternative name that matches the externally accessible DNS name assigned to each server. This enables mobile devices to reach the services via the Internet and to be managed by the AirWatch MDM Software components.
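The following PowerShell check is an added example for this document; it is not part of the STIG or of the AirWatch software. It assumes the IIS WebAdministration module is available on the Device Services or SEG server (IIS 7.5 on Windows Server 2008 R2, or IIS 8 on 2012), and the hostname mdm-ds.example.mil is a placeholder for the real externally resolvable DNS name. For each HTTPS binding on port 443 it locates the bound certificate in the machine store, confirms the expected FQDN appears in the subject CN or SAN, verifies the chain against the machine's trusted roots, and confirms the certificate is within its validity period.

```powershell
# Added example (not from the STIG or AirWatch): verify that every HTTPS binding on
# port 443 carries a certificate whose name matches the server's external DNS name,
# that chains to a trusted root, and that is currently valid.
# Assumptions: WebAdministration module present (IIS 7.5+); $ExpectedFqdn is a
# placeholder to be replaced with the real external name of this server.
Import-Module WebAdministration

$ExpectedFqdn = 'mdm-ds.example.mil'   # assumed placeholder, replace with the real name

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject common name
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17): one "DNS Name=..." per line
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    return $names | Select-Object -Unique
}

$bindings = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -match ':443:' }
if (-not $bindings) {
    Write-Warning 'FAIL: no HTTPS binding on port 443 found in IIS'
    return
}

foreach ($b in $bindings) {
    $hash  = $b.certificateHash
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        Write-Warning "FAIL: binding $($b.bindingInformation) references certificate $hash, not found in LocalMachine\$store"
        continue
    }

    $dnsNames = Get-CertDnsNames -Cert $cert
    $nameOk   = $dnsNames -contains $ExpectedFqdn
    # Verify() builds the chain against this machine's trust store, so a self-signed
    # or internally issued certificate fails unless its root is trusted here.
    $chainOk  = $cert.Verify()
    $now      = Get-Date
    $inDates  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Binding    = $b.bindingInformation
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        DnsNames   = ($dnsNames -join ', ')
        NameMatch  = $nameOk
        ChainValid = $chainOk
        InValidity = $inDates
        Result     = if ($nameOk -and $chainOk -and $inDates) { 'PASS' } else { 'FAIL' }
    }
}
```

Run the script in an elevated PowerShell session on each Device Services and SEG server. A PASS on the local machine is necessary but not sufficient: the chain is checked against the server's own root store, so the issuing CA must also be one the managed Samsung Knox and iOS devices trust, which is why the STIG calls for a publicly trusted certificate rather than one issued by an internal CA.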
AirWatch MDM Software is installed on host network servers running Windows Server 2008 R2 or 2012 operating systems. As a result, all server-related requirements for Access Control, including Administrator Account creation (but not specific role management), and operating system updates and maintenance are managed by the host operating system.
The integrity of remote sessions to the AirWatch MDM Server is protected via SSL (using the SSL Certificate obtained by the organization as outlined in this document), and connections to the host AirWatch Administration Server, which is set to use an internal URL, occur over organization-approved methods such as VPN, which are separate from the AirWatch MDM Software system.
DoD Instruction (DoDI) 8500.01
Comments or proposed revisions to this document should be sent via email to the following address: email@example.com. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Version 1 - April 16, 2014
Version 1, Release 2 - 30 October 2014
Updated status to "Final" - 07 January 2015
Updated URL to reflect change to the DISA website - http --> https
Updated URLs - 6/24/19
Updated URLs - 9/11/19
NIST checklist record last modified on 09/11/2019