ISO Procedure PCI Mobile Device Management Configuration and Deployment

This procedure defines the process for joining Apple mobile devices to the MDM solution when used as a Point of Sale device in conjunction with payment cards.

Procedure for Configuration, Management, and Deployment of Apple Mobile Devices for use in PCI

Procedure Description:  This procedure is a step-by-step process designed to provide support staff guidelines and practices to initiate and complete the configuration of mobile device management for PCI services through the JAMF manager on IOS devices.  The procedure is maintained for standardization and repetition of the process.

The Information Security Office o Procedure aligns with and extends the Rice University and Information Security Policies. In order to minimize risks associated with incidental or malicious acts that cause the unintended exposure of confidential and sensitive information associated with Rice University, this document defines a process for managing Rice mobile Point of Sale PCI devices.  The processes and procedures defined here are meant to be part of an overall measure of due care and diligence for managing Rice data.  These processes should be periodically reviewed and as required repeated over time to ensure that changes to the service and function do not modify the risk profile in such a manner as to inappropriately place Rice's confidential and sensitive information at undue risk.

ISO Table
 Date  Modification Type  Modified by  Approver
 3/6/2019  Created  bribbeck  


Scope: This procedure applies to any system or service storing, displaying for general access as a server, or transiting Rice University confidential or sensitive data defined in Rice Policy 808 or 832 and in alignment with Rice Policy 841.

  • This process covers all iOS devices used for Point Of Sale (POS) with payment cards (PCI)
  • The iOS devices used for POS are single-use and not designed or configured for use beyond POS as per PCI DSS rules
Operating Standards:
  • The operation of the devices is beyond the scope of this document.  Devices for use that are within scope should be presented to OIT for configuration and deployment.  Mobile Device Management (MDM) of POS devices that incorporate payment card transactions is a compliance requirement.
Communications and documentation:
  • This document is for use by Campus Services and Information Security as a technical guide for the configuration of PCI iOS devices prior to deployment.  There are multiple use case deployments for which separate configuration profiles have been developed, however, all profiles are consistent with the requirements under PCI DSS.
 
Step by Step Process to complete deployment of an IOS device for PCI use with a Rice Entity.

REQUIREMENTS: 
  1. Access to Apple School Manager Program https://school.apple.com with minimum Site Administrator Privileges. This is the Device Enrollment Program (DEP)
  2. Access to Jamfcloud service https://rice.jamfcloud.com with a Site Scoped administrative access.
  3. Physical access to the device(s) being provisioned.
  4. Knowledge of which PCI Service Unit the device will be deployed (Rice Coffeehouse or Athletics)
PROCESS:
Prologue:  The process for provisioning MDM of Apple iOS devices at Rice includes the use of Apple School Manager.  This Apple service allows Rice to control the use of devices sold to the university and permits OIT to identify and maintain an inventory of Rice's purchased Apple devices.  The service also enables the inclusion of an MDM solution option for the management of the devices.  This prevents a stolen device from being able to be used on any network once provisioned.  The process involves registering the device serial number, then assigning that device to a group in the JAMF MDM service which will enforce configuration options defined in the configuration profile the first time the device is rebooted and joined to the network after provisioning.
Steps:
  1. Acquire the device and locate its Serial Number(s).   For iPads this is located on the back under the word iPad
  2. From a Safari or Chrome browser connected to the internet, connect to https://school.apple.com and log in.
  3. Under Choose Devices, Select Serial Number and paste or type in the serial numbers of the iOS devices.  Under Choose Action,  select Assign to Server under Perform Action and choose JamfCloud - Rice University under MDM Server.
  4. Apple SMP
  5. This action will link the Apple Serial number to the Jamf MDM solution and make the device accessible in JAMF
  6. From any browser connected to the internet, connect to https://rice.jamfcloud.com and log in.
  7. In the side panel, click on the Devices Tab then Static Device Groups, and select CoffeeHouse PCI Static Group or Rice Athletics PCI Static Group depending on the service deployment from Requirement # 4 above.  In this example, we will use CoffeeHouse.  By adding the device to this group, it will enherit all of the configuration requirements associated with the Coffeehouse device requirements.
  8. Group
  9. Click on Assignments at the top then the Blue Edit button at the bottom right of the screen.  Use the Filter Results to locate the serial number of the device to be included in the Coffeehouse Static Group.  Click the check box to the right of the device(s) you want to add into the group then Save when done
  10. Group Assign
  11. In the left hand menu, select PreStage Enrollments, then Coffeehouse to enroll a device for the Coffeehouse.
  12. Prestage 1
  13. Select Scope to add your new device to the Coffeehouse Scope of managed devices. Click Edit at the bottom of the page to enable selection then use the search tool to find your device serial number.  Once located, click the check box to mark the iPad you want to add then click Save to pre-enroll the device.
  14. Prestage2
  15. All configuration elements are completed.  Now just reboot the device manually and connect it to the Rice Visitor network in the Settings.
  16. To test the iPad you should notice that the device has rebooted and is going through a reinitialize cycle.  On the Jamf management page Click on the Devices Tab, then Search Inventory, and use the Filter Results to locate your device serial number.  Click on the Device Name to view and manage the device.
  17. Test1
  18. Notice that the Device shows that it is managed, supervised and institutionally owned.
  19. Test 2
  20.  Click on the Management Tab to see how the device is configured and send management commands such as restart the device
  21. Test3
  22. If the device is on the network, it will respond to the restart devices command and it will be cleared from the Pending Commands window.
  23. At this point, the device is enrolled, managed, and supervised and is available for functional testing beyond the scope of this document.

Coffeehouse Configuration Profile
General:
  • Name:  Coffeehouse PCI Configuration Profile
  • Category: PCI
  • Distribution Method: Install Automatically
Passcode:
  • Require Alphanumeric Value
  • 9-character minimum length
  • 50 count history for old passwords
  • 5 minute grace period for device lock
  • 10 maximum number of failed login attempts before erasing the device
Restrictions:
  • Allow automatic Updates to certificate trust settings
  • Allow modifying Bluetooth settings (Supervisor Only)
  • Allow modifying passcode (Supervisor Only)
  • Show Control Center in Lock Screen
  • Show Notification Center in Lock Screen
WIFI:
  • Force Auto Join to Coffeehouse PCI network (when in range)
  • Allow access to Rice Visitor (outside of PCI range)
Applications:
  • Shopkeep
  • Safari
  • Settings
VPP Content:
  • Shopkeep Point of Sale (POS)  2 of 4 in use
Mobile Device Apps:
  • PCI
  • Shopkeep
Prestage Enrollment: Coffeehouse
Static Device Group: Coffeehouse PCI Static Group
Site:
 




Keywords:Information Security, Procedure, PCI, MDM, JAMF, Apple School Management Program   Doc ID:90877
Owner:Barry R.Group:Rice University
Created:2019-04-05 13:31 CSTUpdated:2022-12-06 00:58 CST
Sites:Rice University
Feedback:  0   0