ISO Procedure: PCI Mobile Device Management Configuration and Deployment
This procedure defines the process for joining Apple mobile devices to the MDM solution when they are used as Point of Sale devices in conjunction with payment cards.
Procedure for Configuration, Management, and Deployment of Apple Mobile Devices for use in PCI
Procedure Description: This procedure is a step-by-step process designed to give support staff the guidelines and practices needed to initiate and complete the configuration of mobile device management for PCI services through Jamf on iOS devices. The procedure is maintained so that the process is standardized and repeatable.
This Information Security Office (ISO) procedure aligns with and extends Rice University and Information Security policies. In order to minimize the risk of incidental or malicious acts that cause the unintended exposure of confidential and sensitive information associated with Rice University, this document defines a process for managing Rice mobile Point of Sale (PCI) devices. The processes and procedures defined here are meant to be part of an overall measure of due care and diligence for managing Rice data. They should be periodically reviewed, and repeated as required, to ensure that changes to the service and its function do not alter the risk profile in a way that places Rice's confidential and sensitive information at undue risk.
| Date | Modification Type | Modified by | Approver |
Scope: This procedure applies to any system or service storing, displaying for general access as a server, or transiting Rice University confidential or sensitive data defined in Rice Policy 808 or 832 and in alignment with Rice Policy 841.
- This process covers all iOS devices used for Point of Sale (POS) with payment cards (PCI).
- The iOS devices used for POS are single-use and are not designed or configured for use beyond POS, as required by the PCI DSS rules.
- The operation of the devices is beyond the scope of this document. In-scope devices should be presented to OIT for configuration and deployment. Mobile Device Management (MDM) of POS devices that process payment card transactions is a compliance requirement.
- This document is for use by Campus Services and Information Security as a technical guide for the configuration of PCI iOS devices prior to deployment. There are multiple deployment use cases, and a separate configuration profile has been developed for each; all profiles are consistent with the requirements of PCI DSS.
1. Access to Apple School Manager (https://school.apple.com) with at least Site Administrator privileges. This is the Device Enrollment Program (DEP).
2. Access to the Jamf Cloud service (https://rice.jamfcloud.com) with site-scoped administrative access.
3. Physical access to the device(s) being provisioned.
4. Knowledge of the PCI Service Unit to which the device will be deployed (Rice Coffeehouse or Athletics).
1. Acquire the device and locate its serial number(s). For iPads this is printed on the back under the word "iPad".
2. From a Safari or Chrome browser connected to the internet, connect to https://school.apple.com and log in.
3. Under Choose Devices, select Serial Number and paste or type in the serial numbers of the iOS devices. Under Choose Action, select Assign to Server under Perform Action and choose JamfCloud - Rice University under MDM Server.
4. This action links the Apple serial number to the Jamf MDM solution and makes the device accessible in Jamf.
5. From any browser connected to the internet, connect to https://rice.jamfcloud.com and log in.
6. In the side panel, click the Devices tab, then Static Device Groups, and select CoffeeHouse PCI Static Group or Rice Athletics PCI Static Group depending on the service deployment identified in Requirement 4 above. In this example we will use CoffeeHouse. Adding the device to this group makes it inherit all of the configuration requirements associated with Coffeehouse devices.
7. Click Assignments at the top, then the blue Edit button at the bottom right of the screen. Use Filter Results to locate the serial number of the device to be included in the Coffeehouse static group. Check the box to the right of the device(s) you want to add to the group, then click Save when done.
8. In the left-hand menu, select PreStage Enrollments, then Coffeehouse, to enroll a device for the Coffeehouse.
9. Select Scope to add your new device to the Coffeehouse scope of managed devices. Click Edit at the bottom of the page to enable selection, then use the search tool to find your device serial number. Once located, check the box to mark the iPad you want to add, then click Save to pre-enroll the device.
10. All configuration elements are now complete. Reboot the device manually and connect it to the Rice Visitor network in Settings.
11. To test the iPad, confirm that the device has rebooted and is going through its reinitialization cycle. On the Jamf management page, click the Devices tab, then Search Inventory, and use Filter Results to locate your device serial number. Click the device name to view and manage the device.
12. Confirm that the device shows as managed, supervised, and institutionally owned.
13. Click the Management tab to see how the device is configured and to send management commands such as restarting the device.
14. If the device is on the network, it will respond to the restart device command and the command will be cleared from the Pending Commands window.
15. At this point the device is enrolled, managed, and supervised, and is available for functional testing beyond the scope of this document.
Coffeehouse Configuration Profile
- Name: Coffeehouse PCI Configuration Profile
- Category: PCI
- Distribution Method: Install Automatically
- Require alphanumeric value
- 9-character minimum length
- 50-passcode history (old passcodes cannot be reused)
- 5-minute grace period for device lock
- 10 maximum failed login attempts before the device is erased
- Allow automatic updates to certificate trust settings
- Allow modifying Bluetooth settings (supervised only)
- Allow modifying passcode (supervised only)
- Show Control Center in Lock Screen
- Show Notification Center in Lock Screen
- Force Auto Join to Coffeehouse PCI network (when in range)
- Allow access to Rice Visitor (outside of PCI range)
- Shopkeep Point of Sale (POS) 2 of 4 in use
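The passcode settings in the Coffeehouse profile above can be verified against a profile exported from Jamf rather than read off the console. The Python check below is an added example, not part of the Rice procedure or of any Jamf tool; it assumes the profile is exported as a .mobileconfig plist and uses Apple's passcode payload type and key names, and the sample profiles it builds are constructed with placeholder identifiers.

```python
import plistlib

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Minimum acceptable settings, taken from the Coffeehouse PCI Configuration Profile.
# A profile may be stricter than these (longer passcode, shorter grace period), never weaker.
PASSCODE_POLICY = {
    "requireAlphanumeric": (lambda v: v is True, "must be true"),                           # alphanumeric value
    "minLength": (lambda v: isinstance(v, int) and v >= 9, "must be >= 9"),                 # 9-character minimum
    "pinHistory": (lambda v: isinstance(v, int) and v >= 50, "must be >= 50"),              # 50 old passcodes kept
    "maxGracePeriod": (lambda v: isinstance(v, int) and 0 <= v <= 5, "must be <= 5 min"),   # lock grace period
    "maxFailedAttempts": (lambda v: isinstance(v, int) and 1 <= v <= 10, "must be 1..10"),  # attempts before erase
}


def check_passcode_policy(profile_bytes: bytes) -> list:
    """Parse a .mobileconfig and return findings; an empty list means it meets the policy."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode payload present"]
    findings = []
    for payload in payloads:
        for key, (ok, rule) in PASSCODE_POLICY.items():
            if key not in payload:
                findings.append(f"{key}: missing ({rule})")
            elif not ok(payload[key]):
                findings.append(f"{key}: {payload[key]!r} fails policy ({rule})")
    return findings


def build_sample_profile(passcode_settings: dict) -> bytes:
    """Constructed sample profile for testing; identifiers are placeholders, not Rice's."""
    payload = {"PayloadType": PASSCODE_PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.pci.coffeehouse.passcode"}
    payload.update(passcode_settings)
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.pci.coffeehouse",
        "PayloadDisplayName": "Coffeehouse PCI Configuration Profile",
        "PayloadContent": [payload],
    })


if __name__ == "__main__":
    compliant = {"requireAlphanumeric": True, "minLength": 9, "pinHistory": 50,
                 "maxGracePeriod": 5, "maxFailedAttempts": 10}
    print(check_passcode_policy(build_sample_profile(compliant)))        # []
    print(check_passcode_policy(build_sample_profile({"minLength": 4})))  # lists weakened and missing keys
```

To run it against a real export, pass the file's bytes to check_passcode_policy instead of the constructed sample.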