SS-25-003

Effective Date: 1/15/2025

PURPOSE

The purpose of this Mobile Device Management (MDM) standard is to establish the minimum security requirements for managing and securing agency-owned mobile devices that access the State's enterprise networks and information systems. As mobile technologies enable greater flexibility, remote access, and productivity for employees, they also introduce increased risks and vulnerabilities. This standard applies exclusively to agency-owned devices, not personal devices, and ensures that any mobile device connecting to state resources is properly managed, monitored, and secured to protect the confidentiality, integrity, and availability of state information assets.

SCOPE AND AUTHORITY

O.C.G.A. 50-25-4(a)(8) – State Government, Georgia Technology, General Powers

O.C.G.A. 50-25-4(a)(20) – State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Policy

TERMS AND DEFINITIONS

Remote Access - access to an organization’s information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).

Telework/Telecommute/Work From Home (WFH) - ability of an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities.

Mobile Device - portable computing device (e.g., smartphones and tablets) that has a compact form that allows it to easily be carried by a single individual, is designed to operate without a physical connection (e.g., wirelessly transmit or receive information), possesses local, non-removable data storage, and is powered on for extended periods of time with a self-contained power source.

STANDARD

Prior to deploying agency-owned mobile devices and related technologies, agencies shall fully assess the technical, operational, and security implications associated with their use.

To reduce the security risks associated with mobile computing, agencies shall implement robust Mobile Device Management (MDM) solutions that enforce strong security controls including, but not limited to, device encryption, user authentication, remote wipe capabilities, and endpoint protection. Agencies shall ensure that access to state resources via mobile devices is restricted, monitored, and aligned with established security standards.

Agencies shall develop and implement a mobile device baseline that defines the required configuration, management, and security settings for all agency-owned mobile devices. This baseline must reflect the agency’s current security and operational requirements and must be enforced through a Mobile Device Management (MDM) solution. The baseline must include, at a minimum, the following configuration requirements:

  1. All mobile and endpoint devices accessing state systems and resources must be enrolled in MDM.
    • Unmanaged or unsecured agency devices are prohibited from accessing state resources
  2. Only devices meeting approved configurations (e.g., supported OS, approved models, not jailbroken or in developer mode) shall access state resources.
    • Deauthorize devices after 90 days of inactivity
  3. Enforce strong authentication (password, PIN, biometric) and auto-lock after 2 minutes of inactivity.
    • Multifactor Authentication (MFA) is required for access to state systems
  4. Continuously monitor devices for unauthorized changes to security settings, configurations, or policies.
    • At a minimum, agencies shall review agency-owned mobile devices on an annual basis for security and compliance
  5. Automatically wipe mobile devices after 10 failed unlock attempts or 90 days without an MDM check-in (the device fails to contact the Mobile Device Management system).
  6. Allow MDM administrators to remotely track and lock lost or stolen devices.
  7. Encrypt all data at rest and in transit using FIPS 140-2 or higher.
  8. The Microsoft Outlook application shall be the exclusive application used to access state email on mobile devices; third-party or native mail applications are not allowed.
  9. Terminate connections automatically if SSL/TLS certificates are invalid or untrusted.
  10. Limit clipboard/data sharing between managed and unmanaged apps to 50 characters.
  11. Control app installations through allowlisting or blocklisting.
    • Maintain an approved app inventory
    • Block installation of unapproved apps
    • Only allow app distribution via the official app store
  12. Disable native cloud storage, password managers, backups, and document synchronization features on mobile devices.
  13. Factory reset devices before reissuance or retirement.
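As an added illustration, not part of this standard or of any MDM product, the following Python script evaluates MDM inventory records against the measurable items of the baseline above (items 1, 2, 3, 5, 7, 8, 10 and 12) and reports which items each device violates. The record field names, the Outlook bundle identifier, the audit date and the two sample devices are assumptions constructed for this example; an agency would populate the records from its own MDM export.

```python
"""Baseline compliance check for MDM inventory records.

Added example: not part of SS-25-003 or any MDM vendor's code. Field names,
the Outlook bundle identifier, and the sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in the STANDARD section of SS-25-003
MAX_INACTIVE_DAYS = 90              # item 2: deauthorize after 90 days inactive
MAX_AUTOLOCK_SECONDS = 120          # item 3: auto-lock after 2 minutes
MAX_FAILED_UNLOCKS = 10             # item 5: wipe after 10 failed attempts
MAX_CHECKIN_DAYS_BEFORE_WIPE = 90   # item 5: wipe after 90 days without check-in
MAX_CLIPBOARD_CHARS = 50            # item 10: clipboard sharing limit
# Assumption: the MDM reports installed mail apps by bundle identifier.
APPROVED_MAIL_APPS = frozenset({"com.microsoft.office.outlook"})


@dataclass(frozen=True)
class DeviceRecord:
    """Hypothetical shape of one MDM inventory record (field names assumed)."""
    device_id: str
    enrolled: bool
    os_supported: bool
    jailbroken: bool
    developer_mode: bool
    last_checkin: date
    mfa_enforced: bool
    autolock_seconds: int
    wipe_after_failed_unlocks: int   # 0 = wipe disabled (assumed convention)
    wipe_after_checkin_days: int     # 0 = wipe disabled (assumed convention)
    fips_encryption: bool
    mail_apps: tuple
    clipboard_limit_chars: int
    native_cloud_disabled: bool


def evaluate(rec: DeviceRecord, as_of: date) -> list:
    """Return the baseline items the record violates (empty list = compliant)."""
    findings = []
    if not rec.enrolled:
        findings.append("1: not enrolled in MDM")
    if not rec.os_supported or rec.jailbroken or rec.developer_mode:
        findings.append("2: unsupported OS, jailbroken, or developer mode")
    if (as_of - rec.last_checkin).days > MAX_INACTIVE_DAYS:
        findings.append("2: inactive more than 90 days, deauthorize")
    if rec.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("3: auto-lock exceeds 2 minutes")
    if not rec.mfa_enforced:
        findings.append("3: MFA not enforced")
    if rec.wipe_after_failed_unlocks == 0 or rec.wipe_after_failed_unlocks > MAX_FAILED_UNLOCKS:
        findings.append("5: failed-unlock wipe missing or threshold above 10")
    if rec.wipe_after_checkin_days == 0 or rec.wipe_after_checkin_days > MAX_CHECKIN_DAYS_BEFORE_WIPE:
        findings.append("5: no-check-in wipe missing or threshold above 90 days")
    if not rec.fips_encryption:
        findings.append("7: data not encrypted with a FIPS 140-2 validated module")
    if set(rec.mail_apps) - APPROVED_MAIL_APPS:
        findings.append("8: mail application other than Outlook present")
    if rec.clipboard_limit_chars > MAX_CLIPBOARD_CHARS:
        findings.append("10: clipboard sharing limit above 50 characters")
    if not rec.native_cloud_disabled:
        findings.append("12: native cloud storage, backup, or sync not disabled")
    return findings


def access_allowed(rec: DeviceRecord, as_of: date) -> bool:
    """Item 1 bullet: an unmanaged or unsecured device gets no access to state resources."""
    return not evaluate(rec, as_of)


def audit(records, as_of: date) -> dict:
    """Map each device id to its list of findings."""
    return {r.device_id: evaluate(r, as_of) for r in records}


AS_OF = date(2025, 1, 15)  # constructed audit date

# Constructed sample inventory: one compliant device, one with several gaps.
SAMPLE = (
    DeviceRecord("tablet-001", True, True, False, False, date(2025, 1, 14), True,
                 120, 10, 90, True, ("com.microsoft.office.outlook",), 50, True),
    DeviceRecord("phone-002", True, True, True, False, date(2024, 9, 1), False,
                 300, 15, 180, True,
                 ("com.apple.mobilemail", "com.microsoft.office.outlook"), 500, False),
)

if __name__ == "__main__":
    for device, findings in audit(SAMPLE, AS_OF).items():
        print(device, "COMPLIANT" if not findings else "; ".join(findings))
```

The check is deliberately one-directional: a device is compliant only when every measurable item passes, matching the standard's rule that unmanaged or unsecured devices are denied access rather than flagged and allowed. Items such as remote track-and-lock (6), certificate-failure handling (9) and factory reset before reissue (13) are process controls that an inventory record cannot prove, so they are left to the annual review in item 4.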

RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES

Appropriate Use of Information Technology Resources (PS-08-003)

Change Management (PS-08-015)

Remote Access (PS-08-023)

Use of Cryptography (PS-08-024)

Media Controls (PS-08-026)

Authorization and Access Management (SS-08-010)

Operational Change Control (SS-08-026)

Malicious Code Incident Prevention (SS-08-033)

Secure Remote Access (SS-08-038)

Cryptographic Controls (SS-08-040)

Mobile Device Management Guidelines (GM-15-004)

REFERENCES

NIST SP 800-124 Rev. 2