AirWatch MDM Software 6.5 STIG Version 1, Release 3 Checklist Details
NOTE: This is not the current revision of this Checklist.
Supporting Resources:
- Download Standalone XCCDF 1.1.4 - AirWatch MDM Software 6.5 STIG Version 1
  - Defense Information Systems Agency
Target:
Target | CPE Name |
---|---|
AirWatch Mobile Device Management (MDM) Software 6.5 | cpe:/a:air-watch:air-watch_mobile_device_management_software:6.5 |
Checklist Highlights
- Checklist Name: AirWatch MDM Software 6.5 STIG
- Checklist ID: 484
- Version: Version 1, Release 3
- Type: Compliance
- Review Status: Final
- Authority: Governmental Authority: Defense Information Systems Agency
- Original Publication Date: 04/16/2014
Checklist Summary:
The AirWatch Mobile Device Management (MDM) Software 6.5 Security Technical Implementation Guide (STIG) provides security policy and configuration requirements for the use of the AirWatch MDM Software suite to provide administrative management of Samsung Knox and iOS 7.X MOS in the Department of Defense (DoD). Guidance in these documents applies only to AirWatch MDM Software and related components and applications mentioned herein, and excludes any other components relying on the AirWatch MDM Software suite. The AirWatch MDM Software is installed entirely on DoD host network servers or virtual machines running Windows Server 2008 R2 or 2012 operating systems, and works in conjunction with several services on these servers in order to manage a mobile device fleet. In addition to the software, the mobile devices to be managed have their specific MOSs, services, and in some cases wireless network systems. Due to this structure, the application of the AirWatch MDM Software requires the review and application of several STIGs to ensure a maximum security posture, and the STIGs listed below should be referenced and applied in addition to the AirWatch MDM Software STIG. The AirWatch MDM system architecture is installed entirely on the host DoD network, and exists between the host system DMZ and internal network. Figure 3-1 below shows the architecture of the AirWatch system that is approved for DoD networks and described within this STIG. When deployed within an organization's network infrastructure, AirWatch can adhere to DISA security policies by storing all data onsite. In addition, AirWatch has been designed to run in virtual environments, which allows for seamless deployments on a number of different configurations.
When determining the hardware requirements needed to build out an AirWatch environment, it is important to consider the number of managed devices, the device transaction frequency, the device check-in interval, and also the number of administrative users that AirWatch will be managing. It may also be beneficial to consider the growth potential of the organization’s device fleet as well. Below are the listed minimum hardware requirements for installation of the AirWatch MDM Software. Note that some AirWatch components can be installed on the same internal or external server as the AirWatch Administration Console or Device Services components. In these cases, hardware requirements should be added to provide proper support. For AirWatch hardware components and minimum requirements, please reference AirWatch installation and architecture guides provided with the AirWatch MDM Software.
Checklist Role:
- Desktop or Mobile Client
Known Issues:
Not Provided
Target Audience:
Not Provided
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
This section covers the required software setup for each listed server before the installation can occur. AirWatch MDM Software runs on a Windows Server 2008 R2 or Windows Server 2012 operating system with specific services installed and running. All services and the operating system should be properly hardened in accordance with their specific STIG. For AirWatch Software requirements, which are matched specifically to the size and anticipated data traffic of the environment, reference the AirWatch installation and architecture guides provided with the AirWatch MDM Software. The AirWatch MDM Software requires bidirectional communication between the mobile devices under management and the AirWatch Device Services and SEG servers. This traffic occurs via port 443 on both servers and requires the usage of an organization-procured, publicly trusted SSL Certificate. This SSL Certificate should meet the requirements of this STIG and be bound to port 443 via IIS on the applicable servers, and matched to the externally accessible DNS names assigned to those servers. This enables mobile devices to reach the services via the Internet and to be managed by the AirWatch MDM Software components. AirWatch MDM Software is installed on host network servers running Windows Server 2008 R2 or 2012 operating systems. As a result, all server-related requirements for Access Control, including Administrator Account creation (but not specific role management), and operating system updates and maintenance are managed by the host operating system. The integrity of remote sessions between the AirWatch MDM Server is accomplished via SSL (SSL Certificate obtained by the organization as outlined in this document), and connections to the host AirWatch Administration Server, set to use an internal URL, occur over organization-approved methods such as VPN, which are separate from the AirWatch MDM Software system.
Regulatory Compliance:
DoD Instruction (DoDI) 8500.01
Comments/Warnings/Miscellaneous:
Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Disclaimer:
Not Provided
Product Support:
Not Provided
Point of Contact:
Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Sponsor:
Not Provided
Licensing:
Not Provided
Change History:
Version 1 - April 16, 2014
Dependency/Requirements:
URL | Description |
---|---|
http://iase.disa.mil/stigs/Documents/u_AirWatch_mdm_v1_release_memo.pdf | AirWatch MDM Software 6.5 STIG Release Memo |
References:
Reference URL | Description |
---|---|
http://iase.disa.mil/stigs/Documents/u_Apple_iOS_7_v1r1_stig.zip | Apple iOS 7 STIG |
http://iase.disa.mil/stigs/Documents/u_cmd_management_server_policy_v2r2_manual_stig.zip | CMD Management Server Policy Version 2 Release 2 Manual STIG |
http://iase.disa.mil/stigs/Documents/u_mobile_policy_v1r2_srg.zip | Mobile Policy SRG, Version 1, Release 2 |
http://iase.disa.mil/stigs/Documents/u_samsung_knox_android_1.0_v1r1_stig.zip | Samsung Knox Android 1.0 STIG Version 1 |
http://iase.disa.mil/stigs/Documents/u_sql2012db_v1r2_stig.zip | SQL Server 2012 STIG - Version 1, Release 2 |
http://iase.disa.mil/stigs/Documents/u_windows_2008_r2_dc_v1r12_stig_benchmark.zip | Windows 2008 R2 DC STIG Benchmark Version 1, Release 12 |
http://iase.disa.mil/stigs/Documents/u_windows_2008_r2_ms_v1r12_stig_benchmark.zip | Windows 2008 R2 MS STIG Benchmark Version 1, Release 12 |
http://iase.disa.mil/stigs/Documents/u_windows_2008_r2_v1r10_stig.zip | Windows 2008 R2 STIG - Version 1, Release 10 |