Windows 10 Mobile must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.

From Microsoft Windows 10 Mobile Security Technical Implementation Guide

Part of PP-MDF-201021

Associated with: CCI-000381

SV-84743r1_rule Windows 10 Mobile must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.

Vulnerability discussion

Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.SFR ID: FMT_SMF_EXT.1.1#45

Check content

Review Windows 10 Mobile configuration settings to determine if the device automatically sends diagnostic data to an external server other than an MDM service with which the device has enrolled. This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device. It assumes there is an existing device timeout policy in place that will lock the device after a certain period. On the MDM administration console: 1. Ask the MDM administrator to verify the phone compliance policy. 2. Find the setting for "Allow diagnostic and usage data to be sent". 3. Verify that setting restriction is turned off/disallowed. On the Windows 10 Mobile device: 1. Launch "Settings". 2. Select "Privacy". 3. Select "Feedback & diagnostics". 4. Verify that the drop-down list item under Diagnostics and usage data titled "Send your device data to Microsoft" is set to "Basic" and is disabled/read-only. If the MDM console does not have the "Allow diagnostic and usage data to be sent" policy disabled or on the phone the "Send your device data to Microsoft" is not disabled/read-only and set to "Basic" in the specified location on the "Feedback & diagnostics" screen of the Settings app, this is a finding.

Fix text

Configure the MDM system to require the "Allow diagnostic and usage data to be sent" policy to be disabled for Windows 10 Mobile devices. Deploy the MDM policy to managed devices.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer