Advanced: HSTS
Use Security > Advanced > HSTS to enable HTTP Strict Transport Security (HSTS). HSTS provides an additional layer of security for HTTPS. It helps prevent man-in-the-middle attacks by greatly reducing the ability to intercept requests and responses between a user and a web application server.
When you enable HSTS on Core, web browsers enforce a secure HTTPS connection for all communication with Core. If Core uses a self-signed certificate or if the portal certificate on Core has expired, a warning message is displayed in the browser and users cannot access the resource. Users do not have the option to bypass the warning message to access the MobileIron resource. By default, HSTS is disabled.
MobileIron recommends caution before enabling HSTS. Enabling HSTS may cause browsers to block access to MobileIron resources if a self-signed certificate is in use or the certificate has expired.
The following MobileIron services are impacted by HSTS:
- MobileIron Core Admin Portal
- MobileIron Core System Manager
- MobileIron Core Self-Service User Portal
When you enable HSTS, provisioning protocol access over port 8080 must be disabled. Access will be allowed only for HTTPS over port 443.
This section includes the following topics: Before enabling HSTS, Enabling HSTS, and Disabling HSTS.
Before enabling HSTS
Before enabling HSTS, ensure the following:
- MobileIron Core uses a root or intermediate certificate from a publicly trusted CA.
- You have policies and processes in place that ensure the certificate is current and has not expired.
- Port 443 is open.
- The provisioning protocol is set to HTTPS and the provisioning port is set to 443. The provisioning protocol and port are set in the MobileIron System Manager, under Settings > Port Settings.
Enabling HSTS
Procedure
- Log into System Manager.
- Go to Security > Advanced > HSTS.
- Make the following selections:
  - Status: select Enabled from the drop-down list.
  - Max Age: enter a number. The number indicates, in seconds, how long the browser will keep HSTS enabled for Core. After that time elapses, the browser will no longer enforce HSTS connections.
- Click Apply > OK.
Disabling HSTS
You can also disable HSTS using MobileIron Core command line interface (CLI). For information about using the MobileIron Core CLI to disable HSTS, see "hsts-disable" in the Core Command Line Interface (CLI) Reference.
Procedure
- Log into System Manager.
- Go to Security > Advanced > HSTS.
- Change the Max Age to 0.
When you set Max Age to 0, MobileIron Core sends the HSTS header with the 0 value to the browser. This effectively results in the expiration of the HSTS policy and allows immediate access without requiring trusted SSL certificates.
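The following Python script is an added example, not MobileIron code, that models what the Max Age setting in the Enabling and Disabling procedures above does on the browser side: it parses a `Strict-Transport-Security` header, caches the policy for `max-age` seconds, refuses to bypass a certificate warning while the policy is cached, and drops the policy when Core sends `max-age=0`. The class and function names (`BrowserHstsStore`, `parse_hsts`, `fetch_hsts_header`) and the host name `core.example.com` are constructed for illustration; the optional `fetch_hsts_header` helper lets an administrator confirm that a real Core host returns the header after enabling HSTS.

```python
import http.client
import sys

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the
    header is malformed (no numeric max-age directive), which a browser
    would ignore rather than enforce.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class BrowserHstsStore:
    """Minimal model of a browser's HSTS cache (constructed for illustration)."""

    def __init__(self):
        # host -> (expiry time in epoch seconds, includeSubDomains flag)
        self.policies = {}

    def process_response(self, host, header_value, now):
        """Apply the header from one HTTPS response received at time `now`."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            # max-age=0 is how a server (Core, via Max Age = 0) retracts HSTS.
            self.policies.pop(host, None)
            return
        # Each response restarts the timer from the time it was received.
        self.policies[host] = (now + max_age, include_subdomains)

    def must_use_https(self, host, now):
        """True while a non-expired policy is cached for the host."""
        policy = self.policies.get(host)
        if policy is None:
            return False
        expires_at, _ = policy
        if now >= expires_at:
            del self.policies[host]
            return False
        return True

    def can_bypass_cert_warning(self, host, now):
        """Browsers refuse click-through on certificate errors for HSTS hosts,
        which is why a self-signed or expired Core certificate locks users out."""
        return not self.must_use_https(host, now)


def demo():
    """Walk through enable, expiry, and max-age=0 for a constructed host."""
    host = "core.example.com"  # constructed host name
    store = BrowserHstsStore()
    t0 = 1_700_000_000  # constructed epoch timestamp

    store.process_response(host, "max-age=31536000; includeSubDomains", t0)
    enforced_after_enable = store.must_use_https(host, t0 + 60)
    bypass_allowed_after_enable = store.can_bypass_cert_warning(host, t0 + 60)

    # One year later, with no refreshing response, the policy has expired.
    enforced_after_expiry = store.must_use_https(host, t0 + 31536000)

    # Re-enable, then disable with Max Age = 0: enforcement stops immediately.
    store.process_response(host, "max-age=31536000", t0)
    store.process_response(host, "max-age=0", t0 + 1)
    enforced_after_disable = store.must_use_https(host, t0 + 2)

    return (enforced_after_enable, bypass_allowed_after_enable,
            enforced_after_expiry, enforced_after_disable)


def fetch_hsts_header(host, port=443, timeout=10):
    """Return the Strict-Transport-Security header a live host sends over
    HTTPS (certificate is verified by the default context), or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    print("enabled, bypass allowed, after expiry, after max-age=0:", demo())
    if len(sys.argv) > 1:  # optional: python hsts_check.py <core-hostname>
        print("header from", sys.argv[1], ":", fetch_hsts_header(sys.argv[1]))
```

Running the script with no arguments exercises the model offline; passing a Core host name additionally performs a HEAD request and prints the header it returns, which is the quickest way to confirm that the Enabled setting took effect and, after setting Max Age to 0, that Core is sending `max-age=0`.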
For additional information see Security Bulletin: HTTP Strict Transport Security (HSTS) in Core 9.0.