<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/farhan-saifudin/rss" /><link>https://www.ivanti.com/blog/authors/farhan-saifudin</link><item><guid isPermaLink="false">75e30b1e-7956-4311-ae29-a5ea2a2f0539</guid><link>https://www.ivanti.com/blog/android-16-ios-26-stigs-mobile-threat-defense</link><atom:author><atom:name>Farhan Saifudin</atom:name><atom:uri>https://www.ivanti.com/blog/authors/farhan-saifudin</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Secure the Mobile Edge: Android 16 &amp; iOS 26 STIGs Require MTD</title><description>&lt;p&gt;Whether it’s Warfighters deployed in the field or remote analysts supporting missions across the globe, mobile devices make these operations possible. But these endpoints (and your data) need serious protection.&lt;/p&gt;

&lt;p&gt;That’s where the Defense Information Systems Agency’s Security Technical Implementation Guides (STIG) come in, setting the baseline for hardened endpoint and application security.&lt;/p&gt;

&lt;p&gt;DISA has released new Android 16 and iOS 26 STIGs, and with each major operating system release, these STIGs are updated to ensure mobile security keeps pace with modern threats and capabilities. One of the most significant requirement changes this cycle is that all managed mobile devices must have a &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;mobile threat defense (MTD) solution&lt;/a&gt; deployed to remain compliant.&lt;/p&gt;

&lt;p&gt;In this post I’ll&amp;nbsp;walk you through the importance of STIGs,&amp;nbsp;why MTD is critical to safeguarding sensitive data and how an MTD solution simplifies compliance across the mobile edge.&lt;/p&gt;

&lt;h2&gt;STIGs: The gold standard for device security&lt;/h2&gt;

&lt;p&gt;Think of STIGs as detailed guidelines that tell you exactly how to configure and lock down technology, software, hardware or entire systems to meet Department of War (DoW) security standards.&lt;/p&gt;

&lt;p&gt;STIGs ultimately help organizations protect Controlled User Information (CUI) and higher levels of data. Each STIG contains specific requirements (or “controls”) that make up the security baseline.&lt;/p&gt;

&lt;p&gt;They (and associated security requirements guides) are linked to security controls defined by &lt;a href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final" rel="noopener" target="_blank"&gt;National Institute of Standards and Technology (NIST) Special Publication 800-53&lt;/a&gt;, breaking them down into actionable, measurable items.&lt;/p&gt;

&lt;p&gt;For example, a mobile device STIG might stipulate that:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Device passcodes must be complex, with at least X characters.&lt;/li&gt;
	&lt;li&gt;The device must encrypt all data.&lt;/li&gt;
	&lt;li&gt;USB debugging must be disabled.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;A mobile threat defense app must be installed.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;U.S. military and government agencies rely on STIGs to harden systems that support mission-critical operations. While they’re mandatory for DoW&amp;nbsp;and federal agencies, many defense contractors, healthcare and finance organizations adopt STIGs because they represent proven security best practices.&lt;/p&gt;

&lt;p&gt;STIGs provide a baseline to help these organizations maintain compliance with a variety of requirements and policy mandates, such as Cybersecurity Maturity Model Certification (CMMC), NIST, CIS, HIPAA, etc.&lt;/p&gt;

&lt;h2&gt;Your new mandate: iOS 26 &amp;amp; Android 16 STIGs now require MTD&lt;/h2&gt;

&lt;p&gt;On the Apple side, the iOS 26/iPadOS 26 STIG added an explicit requirement: to remain compliant, an MTD app must be installed and managed on all DoW&amp;nbsp;iPhones and iPads.&lt;/p&gt;

&lt;p&gt;The latest Android 16 STIGs (i.e., Google Android 16 STIG and Samsung Android 16 STIG) introduce a clear mandate as well: a mobile threat defense (MTD) application must be deployed on every managed device. Failure to do so is flagged as a finding during compliance review.&lt;/p&gt;

&lt;p&gt;These controls underscore a pivotal shift: Mobile endpoint risk management is no longer just about configuration and lockdown settings. It now includes actively enforcing real-time mobile threat defense to prevent device, network, application and phishing attack vectors on modern devices.&lt;/p&gt;

&lt;p&gt;Here's the exact language on MTD from the Android 16 STIG:&amp;nbsp;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"In the mobile device management (MDM) console, verify an MTD app is listed as a managed app being deployed to site-managed devices. If an MTD app is not installed on the device, this is a finding."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Translation: No MTD means you're out of compliance. It's that simple. However, deploying an MTD solution and ensuring it’s actively protecting against mobile threat vectors is more complex.&lt;/p&gt;

&lt;h2&gt;Integrating an MDM/MTD approach&lt;/h2&gt;

&lt;p&gt;Having worked with countless federal and enterprise organizations, I’ve seen firsthand what truly works in the field. Installing and managing an MTD agent is not enough to ensure active protection on mobile endpoints.&lt;/p&gt;

&lt;p&gt;Standalone MTD agents often require manual activation after installation and application programming interface (API) integrations with MDM solutions to take action.&amp;nbsp;The most effective approach requires &lt;a href="https://www.ivanti.com/blog/combining-mdm-and-mtd-for-strategic-security"&gt;tight integration between your MTD and MDM platforms&lt;/a&gt;, and an integrated MDM/MTD agent to ensure seamless activation and protection from mobile threats.&lt;/p&gt;

&lt;p&gt;A unified single-agent architecture enables continuous mobile threat protection while automatically enforcing MDM compliance controls, eliminating the complexity and gaps that come with managing separate solutions.&lt;/p&gt;

&lt;p&gt;That's where&amp;nbsp;Ivanti Neurons for Mobile Threat Defense comes into play. With Ivanti Neurons for Mobile Threat Defense integrated in both the SaaS-based Ivanti Neurons for MDM and on-prem-based Ivanti Endpoint Manager for Mobile (EPMM), you get a single-agent architecture that's seamless to users but gives administrators complete control and security visibility.&lt;/p&gt;

&lt;p&gt;This is what it looks like in practice:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Automatic and scalable STIG baseline enforcement for Android and iOS.&lt;/li&gt;
	&lt;li&gt;Users experience a seamless workflow with no additional apps or agents to manage.&lt;/li&gt;
	&lt;li&gt;Risk visibility and policy management live in one unified console.&lt;/li&gt;
	&lt;li&gt;On-device threat protection works even in disconnected, deployed scenarios to protect against device, network, application and phishing attacks.&lt;/li&gt;
	&lt;li&gt;An integrated MDM that manages any modern operating system including iOS, Android, Windows, macOS or ChromeOS.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;MDM &amp;amp; MTD for holistic mobile security&lt;/h2&gt;

&lt;p&gt;Deploying an MTD app is no longer optional. With the Android 16 and iOS 26 STIGs both calling for MTD on managed devices via explicit controls, you can’t rely solely on MDM configuration baselines. You need active MTD that gives you holistic security.&lt;/p&gt;

&lt;p&gt;With mobile threat vectors such as operating system vulnerabilities, malicious mobile apps, phishing via SMS/MMS and network man-in-the-middle attacks rising rapidly, you need protection that lives on the device itself, not just in the cloud.&lt;/p&gt;

&lt;p&gt;Compliance, mission assurance and mobile edge security are top priorities for every modern organization. &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense&lt;/a&gt; delivers on all three, providing STIG-aligned protection across Android and iOS devices, integrating seamlessly into your broader device management platform and defending against device, network, application and phishing attacks to keep your organization resilient and compliant.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/lp/security/demos/ivanti-mobile-threat-defense"&gt;Schedule a demo&lt;/a&gt; today to see how Ivanti Mobile Threat Defense can keep your agency’s data safe and your mobile fleet audit-ready. For full STIG references and downloads, consult the &lt;a href="https://www.cyber.mil/stigs/downloads/" rel="noopener" target="_blank"&gt;Defense Information System Agency’s (DISA) STIG library&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Wed, 03 Dec 2025 20:06:11 Z</pubDate></item><item><guid isPermaLink="false">b1855665-2822-4233-af33-48e9f89f2199</guid><link>https://www.ivanti.com/blog/ivanti-derived-credentials-a-zero-sign-on-solution-for-smart-card-enabled-organizations</link><atom:author><atom:name>Bill Harrod</atom:name><atom:uri>https://www.ivanti.com/blog/authors/bill-harrod</atom:uri></atom:author><atom:author><atom:name>Farhan Saifudin</atom:name><atom:uri>https://www.ivanti.com/blog/authors/farhan-saifudin</atom:uri></atom:author><category>Security</category><title>Ivanti Derived Credentials: A Zero Sign-On Solution for Smart Card-Enabled Organizations</title><description>&lt;h2&gt;What is a smart card?&lt;/h2&gt;

&lt;p&gt;Government agencies and some regulated industries have adopted standards (such as &lt;a href="https://csrc.nist.gov/news/2014/approved-sp-800-157,-guidelines-for-derived-piv-c" target="_blank" rel="noopener"&gt;NIST SP 800-157&lt;/a&gt;) for issuing smart cards, based on the user’s validated and confirmed identity. The smart cards hold digital certificates such as an authentication certificate, a signing certificate and an encryption certificate (with its private key). Often the smart cards also act as human-recognizable identity validation cards and contain the user’s picture (for a guard to validate at a door or gate). The cards may also have a proximity chip for entrance to a facility, and they may contain biometrics as well.&lt;/p&gt;

&lt;p&gt;The smart cards are then used for access to secure buildings and to log in to traditional enterprise workstations like laptops, desktops and enterprise web services. Typically, an employee inserts their smart card into a reader on a workstation and enters a PIN to access the authentication certificate, allowing the user to log in to the device or to enterprise applications, including cloud-based and web applications. This authentication method replaces usernames and passwords and provides two-factor authentication: the smart card is a physical entity that the user has, and the PIN is something only they know, so neither the card nor the PIN is sufficient on its own. These rules are described in the FIPS 201-2 definition of multifactor authentication and in NIST SP 800-63-3.&lt;/p&gt;

&lt;h2&gt;What is a derived credential?&lt;/h2&gt;

&lt;p&gt;The difficulty of requiring smart cards for two-factor authentication is that as workers move from traditional workstations to more modern and mobile devices, smartcard readers are not practical. Therefore, a process is defined to securely create and provision digital certificates on mobile devices directly, based on the smart card. These certificates are derived from the initially assigned certificates and therefore are referred to as derived certificates or credentials. Derived credentials allow organizations that are using smart cards for authentication to easily extend this technology to mobile devices, providing strong, passwordless authentication to the most sensitive of resources. The end user securely authenticates to a portal using their physical smart card on an enterprise workstation. Then, using the information on the smart card, a mobile-friendly soft token is created and stored in a secure enclave on the mobile device as a digital certificate. The derived digital certificate is tied to a certificate on the smart card for revocation and validity. These certificates can be used for secure authentication to enterprise and web applications and resources, to sign emails and documents, and to encrypt messages on mobile devices.&lt;/p&gt;

&lt;h2&gt;What kinds of smart cards are out there?&lt;/h2&gt;

&lt;p&gt;U.S. civilian government agencies have standardized on smart cards called Personal Identity Verification (PIV) cards (based on Homeland Security Presidential Directive 12, HSPD-12), while the U.S. Military and Defense agencies have standardized on the Common Access Card (CAC). These smart cards and their underlying technologies differ slightly, but both can be used for derived credentials.&lt;/p&gt;

&lt;p&gt;&lt;img alt="credentials id card" src="https://static.ivanti.com/sites/marketing/media/images/blog/derived-credentials-card.jpg"&gt;&lt;/p&gt;

&lt;h2&gt;Ivanti’s solution&lt;/h2&gt;

&lt;p&gt;The Ivanti team recognized the challenge our customers faced when complying with smart card and derived credential regulations in a mobile environment and has a solution to make the deployment of derived credentials easy. Working with trusted certificate and smart card solutions like Entrust, DISA Purebred, Xtec and Intercede, we leverage derived credentials to enable organizations to extend their existing security investments in smart cards to their mobile infrastructure.&lt;/p&gt;

&lt;p&gt;The Ivanti PIV-D Manager solution integrates with Public Key Infrastructure (PKI) systems to seamlessly deploy derived credentials and manage the lifecycle of the credentials in any mobile enterprise or government organization. Ivanti PIV-D Manager stores the derived credentials securely in our encrypted Ivanti AppConnect framework, which is FIPS 140-2 enabled. The credentials can then be seamlessly shared with other secure AppConnect apps such as Email+, Docs@Work, Web@Work and native mobile OS apps for secure single sign-on and S/MIME use on iOS and Android devices.&lt;/p&gt;

&lt;p&gt;Prior to its acquisition by Ivanti, MobileIron assisted government agencies such as the Federal Emergency Management Agency (FEMA) and the DoD’s Defense Information Systems Agency (DISA) to deploy derived credentials seamlessly. These agencies now have tens of thousands of devices leveraging derived credentials, enabling their end users to access enterprise resources securely from mobile devices using their device as their identity.&lt;/p&gt;

&lt;h2&gt;The next level: Zero Sign-On&lt;/h2&gt;

&lt;p&gt;While derived credentials provide a strong authentication mechanism backed by PKI, Zero Sign-On enables derived credentials, in conjunction with a comprehensive set of attributes, to be validated before granting access to enterprise resources. Ivanti’s approach to end-to-end, zero trust security significantly reduces risk by giving organizations complete control over enterprise data as it flows across devices, apps, networks and cloud services. This is essential as the world adjusts to a permanent shift to the Everywhere Workplace.&lt;/p&gt;

&lt;p&gt;If you want to learn more about Ivanti’s world-class derived credential solution, please &lt;a href="https://www.ivanti.com/company/contacts"&gt;contact us.&lt;/a&gt;&lt;/p&gt;

</description><pubDate>Tue, 14 Sep 2021 22:44:48 Z</pubDate></item><item><guid isPermaLink="false">4080442c-51cc-4f12-9df6-2b1715791713</guid><link>https://www.ivanti.com/blog/mobileiron-derived-credentials-a-zero-sign-on-solution-for-smart-card-enabled-organizations</link><atom:author><atom:name>Farhan Saifudin</atom:name><atom:uri>https://www.ivanti.com/blog/authors/farhan-saifudin</atom:uri></atom:author><category>Security</category><title>MobileIron Derived Credentials: A Zero Sign-on Solution for Smart Card Enabled Organizations</title><description>&lt;p&gt;&lt;strong&gt;*This post originally appeared on the MobileIron blog prior to the acquisition in December 2020, when MobileIron became part of Ivanti.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;MobileIron has been an innovator in the modern identity and mobile device management space since we shipped our first product in 2009. Since that time, MobileIron has worked with government agencies, the &lt;a href="https://www.nccoe.nist.gov/sites/default/files/legacy-files/derived-piv-nist-sp1800-12-v2.pdf" target="_blank" rel="noopener"&gt;National Institute of Standards and Technology (NIST)&lt;/a&gt;, and industry partners to pioneer derived credentials on mobile devices, allowing government entities and regulated industry customers to evolve traditional desktop security models to mobile.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is a derived credential?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you aren't in the government space or a highly regulated industry, you’ve probably never heard of derived credentials. Many government agencies and regulated industries have standardized on using smart cards to log into traditional enterprise workstations like laptops, desktops, and enterprise web services. An employee inserts their smart card into a reader embedded in a workstation and enters a PIN to log into the device and enterprise web services. This authentication method replaces usernames and passwords and provides a second factor of authentication, because the smart card is something the user has and the PIN is something only they know (these rules are described in the &lt;a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf" target="_blank" rel="noopener"&gt;FIPS 201-2&lt;/a&gt; definition of multifactor authentication).&lt;/p&gt;

&lt;p&gt;Derived credentials allow organizations that are using smart cards for authentication to easily extend this technology to mobile devices, providing strong, password-less authentication to the most sensitive of resources. Derived credentials are a mobile-focused evolution of smart card identity because the credentials are created or “derived” from the physical smart card. The end user securely authenticates to a portal using their physical smart card on an enterprise workstation. Then, using the information on the smart card, a mobile-friendly soft token is created and stored in a secure enclave on the mobile device as a digital certificate. The derived digital certificate is tied to a certificate on the smart card for revocation and validity. These certificates can be used for secure authentication to enterprise web services, to sign emails and documents, and to encrypt messages on mobile devices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What kind of smart cards are out there?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;img alt="us government id tag" src="https://static.ivanti.com/sites/marketing/media/images/blog/what-kind-of-smart.jpg"&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;U.S. civilian government agencies have standardized on smart cards called Personal Identity Verification (PIV) while the U.S. Military and Defense agencies have standardized on the Common Access Card (CAC). These types of smart cards and underlying technologies differ slightly, but both can be used with derived credentials.&lt;/p&gt;

&lt;p&gt;While smart cards work well in traditional desktop and laptop environments, they aren't well adapted for mobile devices. Many government desktops and laptops have built-in smart card readers, or if they don’t, users can plug in a USB smart card reader. This doesn’t work well on mobile devices. Although smart card readers exist for mobile devices, the user experience is poor, readers are expensive, and they aren't exactly easy to carry around.&lt;/p&gt;

&lt;h3&gt;MobileIron to the rescue&lt;/h3&gt;

&lt;p&gt;MobileIron recognized the challenge our customers faced when complying with smart card and derived credential regulations in a mobile environment and created a solution to make the deployment of derived credentials easy. Working with trusted certificate and smart card solutions like Entrust, DISA Purebred, Xtec, and Intercede, we created a derived credential solution that enables organizations to extend their existing security investments in smart cards to their mobile infrastructure. The solution supports government regulations and security standards such as Homeland Security Presidential Directive 12 (&lt;a href="https://www.dhs.gov/homeland-security-presidential-directive-12" target="_blank" rel="noopener"&gt;HSPD-12&lt;/a&gt;), OMB ICAM initiatives, FIPS 201, and NIST SP 800-157.&lt;/p&gt;

&lt;p&gt;The MobileIron PIV-D Manager solution integrates with Public Key Infrastructure (PKI) systems to seamlessly deploy derived credentials and manage the lifecycle of the credentials in any mobile enterprise or government organization. MobileIron PIV-D Manager stores the derived credentials securely in our encrypted MobileIron AppConnect framework, which is FIPS 140-2 enabled. The credentials can then be seamlessly shared with other secure AppConnect apps such as Email+, Docs@Work, Web@Work, and native mobile OS apps for secure single sign-on and S/MIME use on iOS and Android devices.&lt;/p&gt;

&lt;p&gt;MobileIron assisted government agencies such as the &lt;a href="https://gcn.com/articles/2017/10/05/dig-it-cyber-derived-piv-credentials.aspx" target="_blank" rel="noopener"&gt;Federal Emergency Management Agency (FEMA)&lt;/a&gt; and the DoD’s &lt;a href="https://executivegov.com/2019/04/disa-passes-100k-mark-for-purebred-device-credential-issuance-system/" target="_blank" rel="noopener"&gt;Defense Information Systems Agency (DISA)&lt;/a&gt; to deploy derived credentials seamlessly. These agencies now have tens of thousands of devices leveraging derived credentials, enabling their end users to access enterprise resources securely from mobile devices using their device as their identity.&lt;/p&gt;

&lt;p&gt;FEMA implemented derived credentials agency-wide with the MobileIron PIV-D Manager solution, enabling access to enterprise services and email from their mobile devices. FEMA disaster recovery personnel now use derived credentials on their mobile devices to seamlessly log in to mission-critical apps while eliminating usernames and passwords along the way.&lt;/p&gt;


&lt;h3&gt;What’s next?&lt;/h3&gt;

&lt;p&gt;While derived credentials provide a strong authentication mechanism backed by PKI, &lt;a href="https://www.ivanti.com/products/passwordless-authentication" target="_blank"&gt;Zero Sign-On&lt;/a&gt; enables derived credentials for use with a comprehensive set of attributes before granting access to enterprise resources. MobileIron’s approach to mobile-centric, zero trust security significantly reduces risk by giving organizations complete control over enterprise data as it flows across devices, apps, networks, and cloud services.&lt;/p&gt;

&lt;p&gt;If you want to learn more about MobileIron’s world-class derived credential solution, please &lt;a href="https://www.dhs.gov/homeland-security-presidential-directive-12" target="_blank" rel="noopener"&gt;contact us.&lt;/a&gt;&lt;/p&gt;

</description><pubDate>Wed, 29 May 2019 18:57:59 Z</pubDate></item></channel></rss>