Controls/EDCA-IAC-022.json
{
"id": "EDCA-IAC-022", "title": "Mobile device mailbox policy requires device encryption", "description": "The RequireDeviceEncryption property on the default mobile device mailbox policy MUST be True. Requiring device-level encryption ensures that data stored on the device is protected if the device is lost or stolen. The CIS benchmark requires device encryption to be enforced.", "verify": true, "subject": "Organization", "category": "Identity and Access Control", "severity": "High", "severityWeight": 8, "frameworks": [ "Best Practice", "CIS" ], "references": [ { "name": "CIS 3.9 (L1): Ensure Require encryption on device is set to True", "url": "https://www.cisecurity.org/benchmark/microsoft_exchange_server" }, { "name": "Mobile device mailbox policies in Exchange Server", "url": "https://learn.microsoft.com/exchange/clients/exchange-activesync/mobile-device-mailbox-policies" } ], "remediation": { "automatable": true, "description": "Require device encryption in the default mobile device mailbox policy.", "scriptTemplate": "# Require device encryption in the default mobile device mailbox policy.\nSet-MobileDeviceMailboxPolicy -Identity Default -RequireDeviceEncryption $true" }, "considerations": "Older devices that do not support device encryption will be blocked when this setting is enabled and AllowNonProvisionableDevices is set to $false. Review the device inventory before enforcing this setting.", "roles": [ "Mailbox" ] }