From MobileIron Core v9.x MDM Security Technical Implementation Guide
Part of PP-MDM-202105
Associated with: CCI-000366
Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.
Review the MobileIron Core Server configuration settings, and verify the server is configured with the Administrator roles.

Note: Reviewers should reference the following document to see which roles must be assigned to each type of server administrator (these are the DoD required roles for each type of administrator): MobileIron Core and Android Client Mobile Device Management Protection Profile Guide.

Note: Any user of a registered MD is automatically assigned the MD User role (applicable-Inherently Meets).

1. Verify at least one user is in the Server primary administrator role.
1a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
1b. Select Security >> Identity Source >> Local Users.
1c. Verify at least one user is listed under "Local User". All local users are automatically assigned the Server primary administrator role.
If there are no users in the server primary administrator role, this is a finding.

2. Verify at least one user is in the Security configuration administrator role and has been assigned required roles.
2a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
2b. Select Security >> Identity Source >> Local Users.
2c. Verify a User ID of a user expected to be in the server configuration administrator role is listed.
2d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
2e. Select Admin >> Admins.
2f. Find a server configuration administrator user and verify their assigned roles match the DoD definition of server configuration administrator as follows: Select the user and click Actions >> Edit Roles.
If there are no users assigned the server configuration administrator role or the roles assigned to any server configuration administrator user are not correct, this is a finding.

3. Verify a user is in the Device user group administrator role and has been assigned required roles.
3a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
3b. Select Security >> Identity Source >> Local Users.
3c. Verify a User ID of a user expected to be in the Device user group administrator role is listed.
3d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
3e. Select Admin >> Admins.
3f. Find a Device user group administrator user and verify their assigned roles match the DoD definition of Device user group administrator as follows: Select the user and click Actions >> Edit Roles.
If there are no users assigned the Device user group administrator role or the roles assigned to any Device user group administrator user are not correct, this is a finding.

4. Verify a user is in the Auditor role and has been assigned required roles.
4a. Log in to the MobileIron Core Server's system manager portal as a user with the server primary administrator role using a web browser.
4b. Select Security >> Identity Source >> Local Users.
4c. Verify a User ID of a user expected to be in the Auditor role is listed.
4d. Log in to the MobileIron Core Server's administrator portal as a user with the server primary administrator role using a web browser.
4e. Select Admin >> Admins.
4f. Find an Auditor user and verify their assigned roles match the DoD definition of Device user group administrator as follows: Select the user and click Actions >> Edit Roles.
If there are no users assigned the Auditor role or the roles assigned to any Auditor user are not correct, this is a finding.
Configure the MobileIron Core Server with the Administrator roles:

1. Follow the instructions in the MobileIron Core and Android Client Mobile Device Management Protection Profile Guide beginning on pg. 13 "Configuring administrators to have roles defined by federal requirements":
1a. Follow the instructions on page 16 "Configuring administrators to be a server primary administrator".
1b. Follow the instructions on page 17 "Configuring administrators to be a security configuration administrator".
1c. Follow the instructions on page 21 "Configuring administrators to be a device user group administrator".
1d. Follow the instructions on page 23 "Configuring administrators to be an auditor".
2. In each case instructions are provided to create a new user with the identified role.