Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

BlackBerry Enterprise Service v10.2.x BlackBerry Device Service STIG

  • Version/Release: V1R5
  • Published: 2015-07-23
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

Developed by BlackBerry Ltd. in coordination with DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil
c
The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.
AC-5 - High - CCI-000037 - V-48503 - SV-61375r1_rule
RMF Control
AC-5
Severity
High
CCI
CCI-000037
Version
BBDS-00-000100
Vuln IDs
  • V-48503
Rule IDs
  • SV-61375r1_rule
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.
Checks: C-50845r2_chk

Review the BlackBerry Device Service server configuration to ensure there are multiple administrator roles configured as assigned by the site. Otherwise, this is a finding.

Fix: F-52111r1_fix

Create and configure accounts to be aligned with the following roles as assigned by the site. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Administrator users > Manage users > <User Name> > Roles" and verify the roles required by the site are assigned. Note: The roles in BlackBerry Device services are as follows: Security Administrator - This role has permission to perform all tasks in the BlackBerry Device Service. Enterprise Administrator - This role has permission to perform all tasks in the BlackBerry Device Service except changing role assignments. This role can only view role assignments. Senior Helpdesk Administrator - This role has permission to perform advanced administrative tasks in the BlackBerry Device Service. Junior Helpdesk Administrator - This role has permission to perform basic administrative tasks in the BlackBerry Device Service. Server Only Administrator - This role has permissions to perform system management tasks in the BlackBerry Device Service. User Only Administrator - This role has permission to perform user management tasks in the BlackBerry Device Service.

b
The BlackBerry Device Service server must bind removable storage media cards to the mobile device via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48509 - SV-61381r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000125
Vuln IDs
  • V-48509
Rule IDs
  • SV-61381r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50847r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether removable media storage cards are bound to the mobile device. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52115r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to bind removable storage media cards to the mobile device. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy >Software" and verify "Media Card Encryption" is set to "Yes". Note: The above is only required "Work space only" activation types, and remains optional for "Balance-Corporate" or "Balance-Regulated" activation types.

b
The BlackBerry Device Service server must enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy.
SC-13 - Medium - CCI-001144 - V-48513 - SV-61385r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001144
Version
BBDS-00-000132
Vuln IDs
  • V-48513
Rule IDs
  • SV-61385r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm.
Checks: C-50849r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the encryption algorithms used to encrypt S/MIME protected email messages are 3DES or AES256. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52119r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Profiles > Manage email profiles > <Profile Name> > Email profile settings" and verify "Allowed content ciphers" is set to "AES (256-bit), or "Triple DES."

b
The BlackBerry Device Service server must disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48517 - SV-61389r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000146
Vuln IDs
  • V-48517
Rule IDs
  • SV-61389r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50851r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Advanced Audio Distribution Profile (A2DP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52123r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth A2DP" is set to "Disallow". Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.

b
The BlackBerry Device Service server must disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48519 - SV-61391r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000147
Vuln IDs
  • V-48519
Rule IDs
  • SV-61391r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50853r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52127r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth AVRCP" is set to "Disallow". Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.

b
The BlackBerry Device Service server must disable the Phone Book Access Profile (PBAP) Bluetooth profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48523 - SV-61395r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000148
Vuln IDs
  • V-48523
Rule IDs
  • SV-61395r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50855r2_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Phone Book Access Profile (PBAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52129r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Phone Book Access Profile (PBAP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify both "Transfer Work Contacts Using Bluetooth PBAP or HFP" and "Bluetooth Contacts Transfer Using PBAP" are set to "Disallow".

b
The BlackBerry Device Service server must disable the Hands-Free Profile (HFP) Bluetooth profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48525 - SV-61397r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000149
Vuln IDs
  • V-48525
Rule IDs
  • SV-61397r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50857r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Hands-Free Profile (HFP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52131r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Hands-Free Profile (HFP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify both "Transfer Work Contacts Using Bluetooth PBAP or HFP" and "Bluetooth HFP" are set to "Disallow".

b
The BlackBerry Device Service server must disable the Message Access Profile (MAP) Bluetooth profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48527 - SV-61399r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000151
Vuln IDs
  • V-48527
Rule IDs
  • SV-61399r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50859r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52133r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Message Access Profile (MAP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify all of "Transfer Work Messages Using Bluetooth MAP", "Transfer Work Messages Using Bluetooth MAP Without Prompt" and "Bluetooth MAP" are set to "Disallow".

b
The BlackBerry Device Service server must disable the Personal Area Networking Profile (PAN) Bluetooth profile via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48529 - SV-61401r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000152
Vuln IDs
  • V-48529
Rule IDs
  • SV-61401r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50861r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Personal Area Networking (PAN) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52135r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Personal Area Networking Profile (PAN) Bluetooth profile.

b
The BlackBerry Device Service server must disable Bluetooth Discoverable Mode via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48537 - SV-61409r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000155
Vuln IDs
  • V-48537
Rule IDs
  • SV-61409r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50865r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether Bluetooth Discoverable Mode has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52141r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable Bluetooth Discoverable Mode. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth Discoverable Mode" is set to "Disallow". Note: The above is only for devices with EMM-Regulated (Work Space only).

c
The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth via centrally managed policy.
CM-6 - High - CCI-000370 - V-48543 - SV-61417r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-000156
Vuln IDs
  • V-48543
Rule IDs
  • SV-61417r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50869r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via Bluetooth has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52149r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth. For EMM-Corporate (BlackBerry Balance) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Files Using Bluetooth OPP" is set to "Disallow." For EMM-Regulated (Work Space only) and Balance-Regulated devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth File Transfer Using OBEX" is set to "Disallow."

c
The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Bluetooth MAP) via centrally managed policy.
CM-6 - High - CCI-000370 - V-48545 - SV-61419r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-000157
Vuln IDs
  • V-48545
Rule IDs
  • SV-61419r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50871r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52151r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Bluetooth MAP). Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Messages Using Bluetooth MAP" is set to "Disallow".

c
The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Bluetooth MAP without prompt) via centrally managed policy.
CM-6 - High - CCI-000370 - V-48547 - SV-61421r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-000158
Vuln IDs
  • V-48547
Rule IDs
  • SV-61421r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50873r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52153r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Bluetooth MAP without prompt). Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Messages Using Bluetooth MAP Without Prompt" is set to "Disallow".

c
The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Transfer Work Contacts Using Bluetooth PBAP or HFP) via centrally managed policy.
CM-6 - High - CCI-000370 - V-48549 - SV-61423r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-000159
Vuln IDs
  • V-48549
Rule IDs
  • SV-61423r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50875r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via Bluetooth has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52155r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Transfer Work Contacts Using Bluetooth PBAP or HFP). For EMM-Corporate (BlackBerry Balance) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Contacts Using Bluetooth PBAP or HFP" is set to "Disallow".

b
The BlackBerry Device Service server must enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48553 - SV-61427r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000160
Vuln IDs
  • V-48553
Rule IDs
  • SV-61427r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50877r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether Bluetooth pairing using a randomly generated passkey size of at least 8 digits has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52157r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Enforce Minimum Bluetooth Passkey Length" is set to "Yes". Note: The above is only for devices with EMM-Regulated (Work Space only).

c
The BlackBerry Device Service server must disable the transfer of any file-based data via Near Field Communication (NFC) via centrally managed policy.
CM-6 - High - CCI-000370 - V-48555 - SV-61429r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-000161
Vuln IDs
  • V-48555
Rule IDs
  • SV-61429r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50881r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via NFC has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52161r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via NFC. For EMM-Corporate and EMM-Regulated devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Data Using NFC" is set to "Disallow".

b
The BlackBerry Device Service server must enable Bluetooth 128 bit encryption via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48557 - SV-61431r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000165
Vuln IDs
  • V-48557
Rule IDs
  • SV-61431r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50883r1_chk

Review the BlackBerry Device Service server configuration to determine whether Bluetooth 128 bit encryption is enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52163r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to enable Bluetooth 128 bit encryption. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Minimum Bluetooth Encryption Key Length" is set to "16 Bytes". Note: The above is only for devices with EMM-Regulated (Work Space only).

b
The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users.
CM-6 - Medium - CCI-000366 - V-48559 - SV-61435r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBDS-00-000300
Vuln IDs
  • V-48559
Rule IDs
  • SV-61435r1_rule
Only authorized servers should be able to push content to BlackBerry devices.
Checks: C-50887r1_chk

Verify the site has configured the BlackBerry Device Service server to require trusted connections to push enclave application or web servers. Otherwise, this is a finding.

Fix: F-52165r1_fix

Configure the BlackBerry Device Service server to push content to BlackBerry devices. Log into BlackBerry Administration Service, and under "Servers and components" on the left side of the screen, navigate to "'BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service > <MDS Connection Service Instance>". - On the "Instance information" tab, click "Edit instance". - In the "Access control" section, verify "Push authentication:" is set to "Yes".

b
BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
CM-6 - Medium - CCI-000370 - V-48561 - SV-61437r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000200
Vuln IDs
  • V-48561
Rule IDs
  • SV-61437r1_rule
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Checks: C-50889r1_chk

Verify the BlackBerry Administration Service (BAS) has been configured to permit users to activate new BlackBerry devices only. Otherwise, this is a finding.

Fix: F-52169r1_fix

BlackBerry Administration Service is configured to permit users to activate new BlackBerry devices only via BlackBerry Web Desktop Manager. Log into the BAS as an administrator with Security Administrator role. Under "Organization Administration", expand "Organization". - Click "My organization". - Click the "BlackBerry Web Desktop Manager Information" tab. - On the "Allowed user operations", verify "Allow user wireline activation:" is set to "Activate unused PIN only".

b
The BlackBerry Device Service server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48565 - SV-61441r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000230
Vuln IDs
  • V-48565
Rule IDs
  • SV-61441r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50891r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52173r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Maximum Password Attempts" is set to "10".

b
The BlackBerry Device Service server must enable a Work Space password via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48567 - SV-61443r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000235
Vuln IDs
  • V-48567
Rule IDs
  • SV-61443r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50893r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether a Work Space password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52175r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to enable a work space password. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Password Required for Work Space" is set to "Yes". Note: The above is only for devices with EMM-Corporate (BlackBerry Balance). This check is not applicable to EMM-Regulated (Work Space only) devices.

b
The BlackBerry Device Service server must enable a minimum Work Space password length of six or more characters via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48571 - SV-61447r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000260
Vuln IDs
  • V-48571
Rule IDs
  • SV-61447r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50897r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the minimum Work Space password length is at least six characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52179r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to set the minimum work space password length of six or more characters. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Minimum Password Length" is set to "6".

b
The BlackBerry Device Service server must set the Work Space inactivity timeout to 15 minutes via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48573 - SV-61449r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000270
Vuln IDs
  • V-48573
Rule IDs
  • SV-61449r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50899r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Work Space inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52181r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to set the work space inactivity timeout to 15 minutes. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Security Timeout" is set to "15 minutes".

b
The BlackBerry Device Service server must configure the Work Space to prohibit the download of software from a DoD non-approved source (e.g., a non-DoD operated mobile device application store or BlackBerry Device Service server).
CM-6 - Medium - CCI-000370 - V-48575 - SV-61451r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-000275
Vuln IDs
  • V-48575
Rule IDs
  • SV-61451r1_rule
DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.
Checks: C-50901r1_chk

Review the BlackBerry Device Service server configuration to ensure the BlackBerry Device Service server can configure the mobile device Work Space to prohibit the download of software from a DoD non-approved source (e.g., a non-DoD operated mobile device application store or BlackBerry Device Service server). Otherwise, this is a finding.

Fix: F-52183r1_fix

Configure the BlackBerry Device Service server so the Work Space is configured to prohibit the download of software from a DoD non-approved source. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Development Mode Access to Work Space" is set to "Disallow".

b
The BlackBerry Device Service server must be configured to prevent users from performing self-service tasks.
CM-7 - Medium - CCI-000386 - V-48577 - SV-61453r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000386
Version
BBDS-00-000285
Vuln IDs
  • V-48577
Rule IDs
  • SV-61453r1_rule
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Checks: C-50903r1_chk

Review Windows Services configuration to ensure the BlackBerry Device Service server has been disabled to prevent users from performing self-service tasks. Otherwise, this is a finding.

Fix: F-52185r1_fix

Configure the BlackBerry Device Service server to prevent users from performing self-service tasks. Log into the BlackBerry Device Service server as a local administrator. Open "Services" by navigating to "Start > Run... > services.msc" and ensure the "BES10 - Self-Service" service is stopped and its Startup Type is set to "Disabled".

a
BlackBerry Web Desktop Manager must be configured to disable a users capability to perform a user-initiated backup or restore.
CM-7 - Low - CCI-000386 - V-48579 - SV-61455r1_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000386
Version
BBDS-00-000286
Vuln IDs
  • V-48579
Rule IDs
  • SV-61455r1_rule
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Checks: C-50905r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether a user initiated backup or restore of the Work Space of a managed mobile device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52259r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disallow a user initiated backup or restore of the Work Space of a managed mobile device. For BlackBerry Balance (Corporate and Regulated) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Backup and Restore Work Space" is set to "Disallow". For Work Space only devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Backup and Restore Device" is set to "Disallow".

c
The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.
IA-2 - High - CCI-000770 - V-48581 - SV-61457r1_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000770
Version
BBDS-00-000290
Vuln IDs
  • V-48581
Rule IDs
  • SV-61457r1_rule
To assure individual accountability and prevent unauthorized access, MDM administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated. Without individual accountability, there can be no traceability back to an individual if there were a security incident on the system. In addition, group accounts can be shared with individuals who do not have authorized access.
Checks: C-50907r1_chk

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that requires administrators to be authenticated with an individual authenticator prior to using a group authenticator. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix: F-52187r1_fix

Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.

c
The BlackBerry Device Service server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - High - CCI-000774 - V-48583 - SV-61459r1_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000774
Version
BBDS-00-000295
Vuln IDs
  • V-48583
Rule IDs
  • SV-61459r1_rule
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Replay attacks, if successfully used against a MDM account could result in unfettered access to the MDM settings and data records.
Checks: C-50909r1_chk

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs replay-resistant features. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator logon to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix: F-52189r1_fix

Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.

b
The BlackBerry Device Service server must support administrator authentication to the server via the Enterprise Authentication Mechanisms authentication.
IA-5 - Medium - CCI-000192 - V-48585 - SV-61461r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
BBDS-00-000305
Vuln IDs
  • V-48585
Rule IDs
  • SV-61461r1_rule
In the DoD, Administrator credential requirements for authentication are defined by CTO 07-115Rev1, which is can be enforced by the Enterprise Authentication Mechanism. Non-complaint credential enforcement mechanisms make the DoD IS vulnerable to attack.
Checks: C-50911r1_chk

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix: F-52191r1_fix

Configure the BlackBerry Device Service server to support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10.2 BlackBerry Device Service Installation and Configuration Guide.

b
The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
IA-5 - Medium - CCI-000186 - V-48587 - SV-61463r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
BBDS-00-000310
Vuln IDs
  • V-48587
Rule IDs
  • SV-61463r1_rule
The key store password protects the server digital authentication certificates from unauthorized use.
Checks: C-50913r1_chk

When the BlackBerry Administration Service is installed the setup application generates a password for the web.keystore file. The web.keystore file stores the SSL certificate that the BlackBerry Administration Service uses to authenticate with browsers. You can change the web.keystore password after the installation process completes. All BlackBerry Administration Service instances in a BlackBerry Device Service domain must use the same web.keystore password. Consult the system administrator to determine if the default password was changed. If the default password has not been changed, this is a finding.

Fix: F-52193r1_fix

The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default. To change the web.keystore password, use the following procedure: Before you begin: To verify the current password for the web.keystore file, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. Under "Servers and components" on the left side, navigate to "BlackBerry Solution topology > BlackBerry Domain> Component view > BlackBerry Administration Service", and check the "Security settings" section. 1. From the Windows machine with BlackBerry Enterprise Service 10, navigate to "Start > All Programs > BlackBerry Enterprise Service 10" and open "Configuration Tool for BlackBerry Enterprise Service 10". 2. On the "Administration Service - Web.Keystore" tab, type the current password. 3. Type a new password and confirm the new password. 4. Click "OK". 5. In the Windows Services, restart the BlackBerry Administration Service services. 6. Repeat steps 1 to 5 on each computer that hosts a BlackBerry Administration Service instance.

c
The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 - High - CCI-000803 - V-48589 - SV-61465r1_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
BBDS-00-000315
Vuln IDs
  • V-48589
Rule IDs
  • SV-61465r1_rule
MDM applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms.
Checks: C-50915r1_chk

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that utilizes a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix: F-52195r1_fix

Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.

c
The BlackBerry Device Service server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
MA-4 - High - CCI-000877 - V-48591 - SV-61467r1_rule
RMF Control
MA-4
Severity
High
CCI
CCI-000877
Version
BBDS-00-000320
Vuln IDs
  • V-48591
Rule IDs
  • SV-61467r1_rule
Lack of authentication enables anyone to gain access to the MDM. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to the MDM to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.
Checks: C-50917r1_chk

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix: F-52197r1_fix

Configure the BlackBerry Device Service server to authenticate through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.

a
The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate.
SC-17 - Low - CCI-001159 - V-48593 - SV-61469r1_rule
RMF Control
SC-17
Severity
Low
CCI
CCI-001159
Version
BBDS-00-000325
Vuln IDs
  • V-48593
Rule IDs
  • SV-61469r1_rule
When a self signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.
Checks: C-50919r1_chk

Examine the server configuration to determine if a DoD PKI issued certificate has been installed. Otherwise, this is a finding.

Fix: F-52199r1_fix

Configure the Blackberry Device Service server to use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication. Open Internet Explorer, and navigate to BlackBerry Administration Service. Click on the Lock icon located to the right of the Address bar (or click "Certificate error", if the certificate is untrusted) and select "View certificates" Ensure the certificate is issued by a valid DoD CA. Steps to replace self-signed, or non-DoD certificate: Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Socket Layer (SSL) certificate used by the BAS and the BWDM with a custom certificate (such as, one from VeriSign or from a Windows certificate authority). Task 1 - Retrieve your web.keystore password: 1. Login to the BAS as an administrator with Security Administrator role. 2. Under "BlackBerry Solution topology" on the left side, navigate to "BlackBerry Domain > Component view > BlackBerry Administration Service". 3. In the "Security settings", check the value for "Default password to encrypt the web.keystore file" and note it. Task 2 - Back up the web.keystore file: 1. Open a Windows Command prompt as an Administrator. 2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD" Note: Do not remove or rename the existing web.keystore file. Task 3 - Delete the self-signed SSL certificate from inside the web.keystore file: 1. Open a Command prompt as an Administrator. 2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" Note: The -storepass parameter must be the password you retrieved from step 1. The quotes are required due to special characters. Task 4 - Generate the BlackBerry Administration Service certificate key pair: * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" -dname "CN=<BAS Server or BAS Pool full name>, OU=BAS, O=Company, L=City, ST=ST, C=US" Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048 STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, then it will be necessary to clear out the key store and start again from Task 1. This is especially important to note for environments with manual certificate request processes. Task 5 - Generate a certificate request to the certification authority: * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>" Note: If the -keyalg switch was used in Task 3 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch. e.g. -keyalg RSA -keysize 2048 * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<passwprd>" -keyalg RSA -keysize 2048. Task 6 - Request the certificate from the certificate authority (CA): Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task. 1. Log off the server as the BlackBerry Enterprise Server service account. 2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request. 3. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv) 4. Click "Request a certificate". 5. Click "Advanced certificate request". 6. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file", or "submit a renewal request by using a base-64-encoded PKCS#7 file". 7. Paste the full contents of the certreq.csr file into the "Saved Request" field. 8. Choose "Web Server" from the "Certificate Template" drop-down list. 9. Click "Submit". 10. Click "Download certificate". 11. Save the file to c:\bascert.cer when prompted. Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinates Certification Authority from the Certificate Template drop-down list instead of Web Server. Task 7 - Download the CA certificate from the certificate authority: 1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv) 2. Click "Download a CA certificate, certificate chain, or CRL". 3. Click "Download CA certificate". Save it as c:\certnewCA.cer. Task 8 - Import the CA certificate into the BlackBerry Administration Service key store: 1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA). 2. Log onto the server as BES service account. 3. Open a command prompt window as Administrator in the same manner as used in Task 2. 4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "<password>" If the BlackBerry Administration Service certificate is issued by an Intermediate CA, perform step 4 to import certificates of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed. To import an Intermediate Certificate Authority certificate: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "<password>" Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store: * In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "<password>" Task 10 - Restart the BlackBerry Administration Service.

a
The BlackBerry Device Service server must allow only Work Space contacts to be read from a native Personal Space application via centrally managed policy.
CM-6 - Low - CCI-000370 - V-48599 - SV-61475r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000370
Version
BBDS-00-002542
Vuln IDs
  • V-48599
Rule IDs
  • SV-61475r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.
Checks: C-50925r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether only work persona contacts to be read from a native personal persona application. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52205r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to allow only work persona contacts to be read from a native personal space application. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Personal Apps Access to Work Contacts" is set to "Only BlackBerry Apps". Note: Check text is applicable for EMM-Corporate (BlackBerry Balance) devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.

a
The BlackBerry Device Service server must enforce the minimum password length for the Personal Space password to 4 digits via centrally managed policy.
CM-6 - Low - CCI-000370 - V-48601 - SV-61477r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000370
Version
BBDS-00-003120
Vuln IDs
  • V-48601
Rule IDs
  • SV-61477r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50927r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether a device unlock password with a minimum length of 4 characters has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52209r1_fix

Configure the BlackBerry Device Service server to enable a device unlock password with a minimum length of 4 characters. This requirement can be met via one of two methods: Method #1: Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options/Settings -> Security ->Password" and set "Enable Password" to "ON". Create a 4 digit passcode for the device lock. **************************************************************************************** Method #2: The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the Work Space password to be used for both Work and Personal Spaces. IT policy rules can be specified per group or per user. To add an IT policy to a group: 1. Log into BlackBerry Administration Service and under "BlackBerry solution management" on the left side, expand "Group". 2. Click "Manage groups". 3. Click the name of the group. 4. Click "Edit group". 5. Click the "Policies" tab. 6. In the "IT policy list", select the IT policy. 7. Click "Save all". To add an IT policy to a user account: 1. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side expand "User". 2. Click "Manage users". 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the "Add to user configuration" list, click "Set IT policy". 6. In the "IT policy" drop-down list, select the IT policy. 7. Click "Save". For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Administration Guide.

b
The BlackBerry Device Service server must disable the mobile device users access to BlackBerry World for Work Space and only allow access to apps published from BlackBerry Device Service.
CM-6 - Medium - CCI-000370 - V-48603 - SV-61479r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-003160
Vuln IDs
  • V-48603
Rule IDs
  • SV-61479r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50929r1_chk

Review the BlackBerry Device Service server configuration to determine if the commercial application store contains no applications. Otherwise, this is a finding.

Fix: F-52211r1_fix

Configure the BlackBerry Device Service server application store to contain no commercial applications. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Software > Applications > Manage Applications" and verify that there are no applications listed under "BlackBerry World Applications".

b
The BlackBerry Device Service server must force the display of a warning banner on the lock screen of the mobile device via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48605 - SV-61481r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-003170
Vuln IDs
  • V-48605
Rule IDs
  • SV-61481r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. The warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: "I've read & consent to terms in IS user agreem't." (Wording must be exactly as specified.)
Checks: C-50931r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether the Owner Information has been set. Otherwise, this is a finding.

Fix: F-52213r1_fix

Configure the Blackberry Device Service server to force the display of a warning banner on the mobile device. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Owner Information" is set to "I've read & consent to terms in IS user agreem't".

c
The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud storage server via centrally managed policy.
CM-6 - High - CCI-000370 - V-48607 - SV-61483r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-003176
Vuln IDs
  • V-48607
Rule IDs
  • SV-61483r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50933r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether any mobile OS service that connects to a cloud storage server has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52215r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable any mobile OS service that connects to a cloud storage server. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Cloud Storage Access from Work Space" is set to "Disallow". Note: The above is only for devices with EMM-Corporate (BlackBerry Balance). Devices with EMM-Corporate (Work Space only) inherently meet this requirement.

c
The BlackBerry Device Service server must direct all Work Space application traffic through the BlackBerry Device Service server via centrally managed policy.
CM-6 - High - CCI-000370 - V-48609 - SV-61485r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-003177
Vuln IDs
  • V-48609
Rule IDs
  • SV-61485r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50935r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether all Work Space application traffic is routed through the BlackBerry Device Service server. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52217r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to direct all Work Space application traffic through the BlackBerry Device Service server. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Network Access Control for Work Apps" is set to "Yes".

b
The BlackBerry Device Service server must disallow Personal Space applications access to the Work Space network connection via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48611 - SV-61487r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-003178
Vuln IDs
  • V-48611
Rule IDs
  • SV-61487r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50937r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether Personal Space applications access to the Work Space network connection has been disallowed. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52219r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disallow Personal Space applications access to the Work Space network connection. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Work Network Usage for Personal Apps" is set to "Disallow". Note: Check text is applicable for EMM-Corporate (BlackBerry Balance) devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.

b
The BlackBerry Device Service server must have the administrative functionality disallow hyperlinks within Work Space applications from opening within the Personal Space browser application via centrally managed policy.
CM-6 - Medium - CCI-000370 - V-48613 - SV-61489r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000370
Version
BBDS-00-003179
Vuln IDs
  • V-48613
Rule IDs
  • SV-61489r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50939r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether hyperlinks within Work Space applications cannot open within the Personal Space browser application. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52221r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disallow hyperlinks within Work Space applications from opening within the Personal Space browser application. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Open Links in Work Email Messages in the Personal Browser" is set to "Disallow".

c
The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud-based service via centrally managed policy.
CM-6 - High - CCI-000370 - V-48617 - SV-61493r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000370
Version
BBDS-00-003181
Vuln IDs
  • V-48617
Rule IDs
  • SV-61493r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Checks: C-50941r1_chk

Review the BlackBerry Device Service server policy configuration to determine whether any mobile OS service that connects to a cloud-based service server has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix: F-52223r1_fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable any mobile OS service that connects to a cloud-based service. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Find More Contact Details" is set to "Disallow".