BlackBerry UEM 12.11 Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2020-01-02

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The BlackBerry UEM 12.11 server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-99021 - SV-108125r1_rule
RMF Control: AC-11
Severity: Medium
CCI: CCI-000057
Version: BUEM-12-110030
Vuln IDs: V-99021
Rule IDs: SV-108125r1_rule
A session time-out lock is a temporary action taken when a user (UEM system administrator) stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead. SFR ID: FMT_SMF.1.1(2) c.8
Checks: C-97861r1_chk

Review the BlackBerry UEM server configuration to determine whether the system is locked after 15 minutes. Have the system administrator log into the console. Verify the session locks after 15 minutes of inactivity. If the "Session timeout" is not set correctly, this is a finding.

Fix: F-104697r1_fix

On the BlackBerry UEM, do the following to set the session timeout:
1. Log in to the BlackBerry UEM console.
2. Go to the menu bar on the left.
3. Go to Settings >> General Settings >> Console.
4. Under "Session settings", enter "15".
5. Select "Save".

The BlackBerry UEM 12.11 server must be configured to display the required DoD warning banner upon administrator logon. Note: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).
AC-8 - Medium - CCI-000048 - V-99023 - SV-108127r1_rule
RMF Control: AC-8
Severity: Medium
CCI: CCI-000048
Version: BUEM-12-110080
Vuln IDs: V-99023
Rule IDs: SV-108127r1_rule
Note: The advisory notice and consent warning message is not required if the general purpose OS or network device displays an advisory notice and consent warning message when the administrator logs on to the general purpose OS or network device prior to accessing the BlackBerry UEM 12.11 server or BlackBerry UEM 12.11 server platform.

Before granting access to the system, the BlackBerry UEM 12.11 server/server platform is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. The approved DoD text must be used as specified in the KS referenced in DoDI 8500.01. The non-bracketed text below must be used without any changes as the warning banner.

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner must be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."]

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

SFR ID: FMT_SMF.1.1(2) c.2
Checks: C-97863r1_chk

Review the BlackBerry UEM 12.11 server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. On the BlackBerry UEM 12.11, do the following:
1. Log in to the BlackBerry UEM 12.11 console.
2. Select the "Settings" tab on the left pane.
3. Expand the "General" settings tab on the left pane.
4. Select "Login notices" from the menu in the left pane.
5. Verify the checkbox next to "Enable a login notice for the management console" is checked.
6. Verify the console logon notice text exactly matches the VulDiscussion text.
7. Verify the checkbox next to "Enable a login notice for the self-service console" is checked if the self-service portal is used at the site.
8. Verify the self-service console logon notice text exactly matches the VulDiscussion text.
Alternately, have the administrator log in to the UEM console to view the warning banner.
If the console notice wording does not exactly match the VulDiscussion text, this is a finding.

Fix: F-104699r1_fix

On the BlackBerry UEM 12.11, do the following:
1. Log in to the BlackBerry UEM 12.11 console.
2. Select the "Settings" tab on the left pane.
3. Expand the "General" settings tab on the left pane.
4. Select "Login notices" from the menu in the left pane.
5. Click the "pencil" icon (upper right corner) to edit the "Login notice".
6. Select the checkbox next to "Enable a login notice for the management console".
7. In the "Enable a login notice for the management console" field, type the DoD banner found in the VulDiscussion.
8. Click "Save".
If the self-service portal is used in the organization, complete steps 7-11.
9. Select the checkbox next to "Enable a login notice for the self-service console".
10. In the "Enable a login notice for the self-service console" field, type the DoD banner found in the VulDiscussion.
11. Click "Save".

The BlackBerry UEM 12.11 server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.
CM-6 - Medium - CCI-000366 - V-99025 - SV-108129r1_rule
RMF Control: CM-6
Severity: Medium
CCI: CCI-000366
Version: BUEM-12-110100
Vuln IDs: V-99025
Rule IDs: SV-108129r1_rule
Having several administrative roles for the BlackBerry UEM 12.11 server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.
- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.
- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.
- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.
- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.
SFR ID: FMT_SMR.1.1(1)
Checks: C-97865r1_chk

Review the BlackBerry UEM 12.11 server configuration settings. Verify the server is configured with the "Administrator" roles:
a. UEM Security Administrator;
b. Auditor;
c. One or more Site Custom Administrator or UEM predefined enterprise/help desk roles.
Note: The exact name of the role is not important. Each role should include functions close to the role descriptions listed in the VulDiscussion.
Note: The intent of the requirement is that separate people perform each administrator role; few users are assigned to the "UEM Security Administrator" role; the "auditor" role is limited to only authorized permissions; and day-to-day management of user accounts, group accounts, and profiles is performed from site-specific custom administrator roles or UEM predefined enterprise/help desk roles instead of the "UEM Security Administrator".
On the BlackBerry UEM 12.11, do the following:
1. Log in to the BlackBerry UEM 12.11 console.
2. Select the "Settings" tab at the top of the screen.
3. Expand the "General" settings tab on the left pane.
4. Expand the "Administrators" tab on the left pane.
5. Select the "Roles" tab on the left pane.
6. Verify at least one user is assigned to each of the following roles:
a. UEM Security Administrator;
b. Auditor;
c. One or more Site Custom Administrator or UEM predefined enterprise/help desk roles.
Verify the auditor role function is limited to only reviewing and maintaining server and mobile device audit logs as follows:
1. Log in to the BlackBerry UEM 12.11 console. Select the "Settings" tab at the top of the screen.
2. Expand the "Administrators" tab on the left pane.
3. Select the "Roles" tab on the left pane.
4. Click the "Auditor" role.
5. Verify the role only has the following permissions assigned:
- View audit information;
- View audit settings;
- Edit audit settings and purge data; and
- Edit logging settings.
Talk to the "UEM Security Administrator". Verify custom administrator roles/UEM predefined enterprise/help desk roles are used for day-to-day management of user accounts, group accounts, and profiles.
If at least one user is not associated with the "UEM Security Administrator", "Auditor", and one or more site custom administrator roles/UEM predefined enterprise/help desk roles, this is a finding.
If the "auditor" role has more permissions than authorized, this is a finding.
If day-to-day management of user accounts, group accounts, and profiles is primarily performed by "UEM Security Administrators" instead of one or more site custom administrator roles/UEM predefined enterprise/help desk roles, this is a finding.

Fix: F-104701r1_fix

On the BlackBerry UEM 12.11, do the following: Using the procedures below:
- Assign at least one user to the UEM Security Administrator role. Few administrators should be assigned to this role. Note: UEM automatically restricts the following functions to only the Security Administrator: Full permissions to manage the BlackBerry Enterprise Solution. Create and edit roles.
- Define an "Auditor" role (see the VulDiscussion for role functions). Assign at least one user (UEM administrator) to the role. The role should include only the following UEM permissions:
** View audit information;
** Delete BlackBerry Dynamics audit log files;
** View and export BlackBerry Dynamics audit log files;
** View audit settings;
** Edit audit settings and purge data;
** Edit logging settings.
- Define site custom administrator roles or UEM predefined enterprise/help desk roles as needed to administer device policies and user accounts (for example, see the Security Configuration Administrator and Device User Group Administrator in the VulDiscussion). Assign users to the roles as required. These roles should be used for day-to-day management of user accounts, group accounts, and profiles.
To set up specific roles, do the following:
1. Go to Settings >> Administrators >> Roles.
2. Select "roles" in the left pane.
3. Select "add a role" on the top right.
4. Assign appropriate name and functions to the role.
5. Click "Save".
To assign users or groups to a role, do the following:
1. Log in to the BlackBerry UEM 12.11 console and select the "Settings" tab at the top of the screen.
2. Expand the "General" settings tab on the left pane.
3. Expand the "Administrators" tab on the left pane.
To assign a role to a user:
1. Click "Users".
2. Click the "Add an administrator icon" (upper right corner).
3. If necessary, search for a user account.
4. Click the name of the user account.
5. In the Role drop-down list, click the role to be added.
6. Click "Save".
To assign a role to a group:
1. Click "Groups".
2. Click the Add an administrator icon (upper right corner).
3. If necessary, search for a user group.
4. Click the name of the user group.
5. In the Role drop-down list, click the role that you want to add.
6. Click "Save".
Note: The intent of the requirement is that separate people perform each administrator role. The exact name of the role is not important.

The BlackBerry UEM 12.11 server must be capable of performing the following management function: configure the [selection: devices specified by [selection: specific device models]].
CM-6 - Medium - CCI-000366 - V-99027 - SV-108131r1_rule
RMF Control: CM-6
Severity: Medium
CCI: CCI-000366
Version: BUEM-12-110520
Vuln IDs: V-99027
Rule IDs: SV-108131r1_rule
Access control of mobile devices to DoD sensitive information or access to DoD networks must be controlled so that DoD data will not be compromised. The primary method of access control of mobile devices is via enrollment of authorized mobile devices on the BlackBerry UEM 12.11 server. Therefore, the BlackBerry UEM 12.11 server must have the capability to enforce a policy for this control. SFR ID: FMT_SMF.1.1(2) b, FIA_ENR_EXT.1.2
Checks: C-97867r1_chk

Review the BlackBerry UEM 12.11 server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. On the BlackBerry UEM 12.11, do the following:
1. Log in to the BlackBerry UEM 12.11 console.
2. Select the "Policies and profiles" tab on the left pane.
3. Expand the Activation profiles from the menu in the left pane.
4. Select the Activation Profile to be reviewed.
5. Select the "Settings" tab.
Select each supported operating system tab and perform the following:
- Confirm that "Allow selected device models" is selected in the "Device model restrictions" field.
- Verify that the devices listed in the "Allowed device models" field match the list provided by the administrator.
If the "Allow selected device models" is not displayed in the "Device model restrictions" field or the devices listed in the "Allowed device models" field do not match the list provided by the administrator, this is a finding.

Fix: F-104703r1_fix

On the BlackBerry UEM 12.11, do the following:
1. Log in to the BlackBerry UEM 12.11 console.
2. Select the "Policies and profiles" tab on the left pane.
3. Under the "Policy" dropdown, select "Activation".
4. Select the Activation profile to be modified.
5. Select the pencil icon to edit the profile.
6. Select the "Settings" tab.
7. Select each supported operating system tab.
8. In the "Device model restrictions" field, use the drop-down menu to select "Allow selected device models".
9. Select the "edit" button in the "Allowed device models" field.
10. Using the pop-up menu, select the allowed model(s) and press the "->" arrow icon to add the selection to the "selected" window.
11. Once all models are selected, click "Save".
12. Repeat as applicable for other operating systems.
13. Click "Save".

The BlackBerry UEM 12.11 server must be configured to leverage the BlackBerry UEM 12.11 platform user accounts and groups for BlackBerry UEM 12.11 server user identification and authentication.
AC-2 - Medium - CCI-000015 - V-99029 - SV-108133r1_rule
RMF Control: AC-2
Severity: Medium
CCI: CCI-000015
Version: BUEM-12-110650
Vuln IDs: V-99029
Rule IDs: SV-108133r1_rule
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire BlackBerry UEM 12.11 server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the BlackBerry UEM 12.11 server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). SFR ID: FIA
Checks: C-97869r1_chk

Review the BlackBerry UEM 12.11 server configuration settings. Verify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM 12.11 server user identification and authentication. On the BlackBerry UEM 12.11, do the following:
1. Navigate to the BlackBerry UEM 12.11 console.
2. Verify the BlackBerry UEM 12.11 does not prompt for additional authentication before opening the UEM console.
If the BlackBerry UEM 12.11 server prompts for additional authentication before opening the UEM console, this is a finding.

Fix: F-104705r1_fix

On the BlackBerry UEM 12.11, do the following:
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on:
1. Log in to the BlackBerry UEM 12.11 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account:
- HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)
- BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)
Note:
- If high availability is configured for the management consoles in a UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console.
- Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.
2. Open "Microsoft Active Directory Users and Computers".
3. In the Microsoft Active Directory account properties, on the "Delegation" tab, select the following options:
- Trust this user for delegation to specified services only.
- Use Kerberos only.
4. Add the SPNs from Step 1 to the list of services.
Configure single sign-on for UEM:
Note:
- When configuring single sign-on for UEM, it is configured for the management console and UEM Self-Service.
- If enabling single sign-on for multiple Microsoft Active Directory connections, verify there are no trust relationships between the Microsoft Active Directory forests.
1. Log in to the BlackBerry UEM 12.11 console.
2. Select the "Settings" tab on the left pane.
3. Click the "External integration" tab on the left pane.
4. Click "Company directory".
5. In the "Configured directory connections" section, click the name of a Microsoft Active Directory connection.
6. On the "Authentication" tab, select the checkbox next to "Enable Windows single sign-on".
7. Click "Save".
8. Click "Save" on the pop-up window. Note: UEM validates the information for Microsoft Active Directory authentication. If the information is invalid, UEM prompts to specify the correct information.
9. Click "Close".
10. Restart the UEM services on each server that hosts a UEM instance.
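As an added check (PowerShell; not part of the STIG or of BlackBerry's documentation) for the note in step 1 that no other account in the forest may carry the same SPNs, and for the Kerberos-only constrained delegation configured in step 3; the host name, service account name and the use of the ActiveDirectory RSAT module are assumptions:

```powershell
# Added example: audit the two SPNs that Fix step 1 registers for UEM single
# sign-on and the constrained, Kerberos-only delegation that step 3 configures.
# Assumes the ActiveDirectory RSAT module; host and account names are placeholders.
Import-Module ActiveDirectory

$uemHost    = 'uem01.example.mil'   # placeholder: console host FQDN, or the pool name when HA is used
$uemAccount = 'svc-uem'             # placeholder: sAMAccountName of the UEM service account
$expectedSpns = @("HTTP/$uemHost", "BASPLUGIN111/$uemHost")

$findings = @()
$acct = Get-ADUser -Identity $uemAccount `
          -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

# Query the Global Catalog (port 3268) so every domain in the forest is covered:
# the same SPN registered on a second account anywhere breaks Kerberos for both.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
foreach ($spn in $expectedSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server "${gc}:3268")
    if ($owners.Count -eq 0) {
        $findings += "SPN $spn is not registered on any account."
    } elseif ($owners.Count -gt 1 -or $owners[0].DistinguishedName -ne $acct.DistinguishedName) {
        $findings += "SPN $spn is registered on $($owners.DistinguishedName -join '; '); expected only $($acct.DistinguishedName)."
    }
}

# Step 3: "Trust this user for delegation to specified services only" populates
# msDS-AllowedToDelegateTo; "Use Kerberos only" means protocol transition
# (TrustedToAuthForDelegation) stays off, and unconstrained delegation must be off.
$missing = @($expectedSpns | Where-Object { $_ -notin @($acct.'msDS-AllowedToDelegateTo') })
if ($missing.Count -gt 0)             { $findings += "Delegation list is missing: $($missing -join ', ')." }
if ($acct.TrustedForDelegation)       { $findings += "Unconstrained delegation is enabled; the Fix requires constrained delegation." }
if ($acct.TrustedToAuthForDelegation) { $findings += "'Use any authentication protocol' is set; the Fix requires 'Use Kerberos only'." }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "SPNs and constrained delegation for $uemAccount match the Fix."
```

Run it from a host with the ActiveDirectory module as an account that can read the service account's attributes; a non-zero exit with warnings corresponds to the conditions the Fix tells the administrator to rule out.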

The MDM server platform must be protected by a DoD-approved firewall.
CM-7 - Medium - CCI-000382 - V-99031 - SV-108135r1_rule
RMF Control: CM-7
Severity: Medium
CCI: CCI-000382
Version: BUEM-12-112010
Vuln IDs: V-99031
Rule IDs: SV-108135r1_rule
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution. SFR ID: FMT_SMF.1.1(2) b / CM-7b Satisfies: SRG-APP-000142
Checks: C-97871r1_chk

Review the MDM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on the MDM server platform, this is a finding.

Fix: F-104707r1_fix

Install a DoD-approved firewall.

The firewall protecting the MDM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
CM-7 - Medium - CCI-000382 - V-99033 - SV-108137r1_rule
RMF Control: CM-7
Severity: Medium
CCI: CCI-000382
Version: BUEM-12-112020
Vuln IDs: V-99033
Rule IDs: SV-108137r1_rule
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality. SFR ID: FMT_SMF.1.1(2) b / CM-7b Satisfies: SRG-APP-000142
Checks: C-97873r1_chk

Ask the MDM administrator for a list of ports, protocols, and IP address ranges necessary to support MDM server and platform functionality. A list can usually be found in the STIG Supplemental document or MDM product documentation. Compare the list against the configuration of the firewall and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.
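One way to perform the comparison this check describes when the MDM server runs on Windows with the built-in host firewall, as an added PowerShell example that is neither the STIG's nor BlackBerry's code; the allowlist entries are constructed placeholders standing in for the site's documented port, protocol and address-range list:

```powershell
# Added example: audit the Windows host firewall on the UEM server against the
# site's documented allowlist of inbound ports, protocols and remote address
# ranges. Reports every enabled inbound allow rule outside that list and any
# profile whose default inbound action is not Block. The allowlist entries are
# constructed placeholders, not BlackBerry's published port requirements.
$allowlist = @(
    @{ Protocol = 'TCP'; LocalPort = '443';  RemoteAddress = 'Any' }          # placeholder: HTTPS
    @{ Protocol = 'TCP'; LocalPort = '3389'; RemoteAddress = '10.0.5.0/24' }  # placeholder: admin subnet only
)

function Test-RuleAllowed {
    param($Port, $Addr)
    # A rule passes only when protocol, local port(s) and remote range all match one entry.
    foreach ($entry in $allowlist) {
        if ($Port.Protocol -eq $entry.Protocol -and
            (($Port.LocalPort -join ',') -eq $entry.LocalPort) -and
            (($Addr.RemoteAddress -join ',') -eq $entry.RemoteAddress)) {
            return $true
        }
    }
    return $false
}

$discrepancies = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    if (-not (Test-RuleAllowed -Port $port -Addr $addr)) {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
})

# An allowlist means nothing if a profile is disabled or admits inbound traffic by default.
$openProfiles = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' })

if ($discrepancies.Count -eq 0 -and $openProfiles.Count -eq 0) {
    Write-Output "Inbound rules match the allowlist and every profile blocks inbound traffic by default."
} else {
    $openProfiles  | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
    $discrepancies | Format-Table -AutoSize
    exit 1
}
```

The outbound half of the check is the same comparison with -Direction Outbound, an outbound allowlist and DefaultOutboundAction in place of DefaultInboundAction.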

Fix: F-104709r1_fix

Configure the firewall on the MDM server to only permit ports, protocols, and IP address ranges necessary for operation.

The firewall protecting the MDM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
CM-7 - Medium - CCI-000382 - V-99035 - SV-108139r1_rule
RMF Control: CM-7
Severity: Medium
CCI: CCI-000382
Version: BUEM-12-112030
Vuln IDs: V-99035
Rule IDs: SV-108139r1_rule
All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary. SFR ID: FMT_SMF.1.1(2) b / CM-7b Satisfies: SRG-APP-000142
Checks: C-97875r1_chk

Ask the MDM administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the MDM server or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.

Fix: F-104711r1_fix

Turn off any ports, protocols, and services on the MDM host-based firewall that are not on the DoD PPSM CAL list.

All BlackBerry server local accounts created during application installation and configuration must be disabled or removed.
IA-2 - Medium - CCI-000764 - V-99037 - SV-108141r1_rule
RMF Control: IA-2
Severity: Medium
CCI: CCI-000764
Version: BUEM-12-112040
Vuln IDs: V-99037
Rule IDs: SV-108141r1_rule
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). SFR ID: FMT_SMF.1.1(2) b / IA-5(1)(a) Satisfies: SRG-APP-000148
Checks: C-97877r1_chk

Review the creation and deletion of the local administrator or other local accounts to determine whether all local accounts are removed from UEM and cannot be used to access UEM. For UEM, the "default user" is the local account. On the BlackBerry UEM UI, verify the following:
1. Log in to the UEM console.
2. From the menu bar on the left, go to Settings >> Administrators >> Users. A list of authorized users will be shown. All users must be assigned to a user and a role. Although roles can be defined in UEM, the default list of users is: Enterprise Administrator, security administrator, senior help desk, and junior helpdesk. If a default user is listed that is not assigned to a specific user, the control is out of compliance.
Advise the administrator to log out and log in as the security administrator and follow the steps to delete the default user. Log back in as a defined administrator to confirm the default user is not listed in the list of users. Log out and then log in to the UEM UI credentials login screen using the default user name and password, which will return a "bad username or password response".
If the local account (default user) is not removed from the UEM server, this is a finding.

Fix: F-104713r1_fix

Log in to UEM 12.11 and create a local or directory user that has an email address associated with it.
1. On the menu bar, click "Settings".
2. In the left pane, click "Administrators".
3. Click "Users" and click on the "Add an administrator" icon.
4. Search for/select a user.
5. In the "Role" drop-down list, click the Security Administrator role and save.
6. Log out and log in as the new security admin user. A prompt may appear to update the password.
7. The new security admin user can then delete the default user. The default user is the local admin account.
See full details at https://docs.blackberry.com/en/endpoint-management/blackberry-uem/12_11/administration/management-console/adr1370874367290.

The BlackBerry EMM server must connect to [application: SQL Server] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-99039 - SV-108143r1_rule
RMF Control: SC-8
Severity: Medium
CCI: CCI-002418
Version: BUEM-12-112060
Vuln IDs: V-99039
Rule IDs: SV-108143r1_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. SFR ID: FMT_SMF.1.1(2) b / SC-8, SC-8 (1), SC-8 (2) Satisfies: SRG-APP-000439, SRG-APP-000440
Checks: C-97879r1_chk

Talk to the site UEM Administrator to confirm the SQL server has been configured to connect to UEM using the TLS connection or confirm during a review of the SQL server. If the SQL server has not been configured to connect to UEM using the TLS connection, this is a finding.

Fix: F-104715r1_fix

Confirm the Administrator has configured the SQL server to connect to UEM using the TLS connection.

The UEM Agent must provide an alert via the trusted channel to the BlackBerry UEM 12.11 server for the following event: change in enrollment state.
SI-6 - Medium - CCI-002699 - V-99041 - SV-108145r1_rule
RMF Control: SI-6
Severity: Medium
CCI: CCI-002699
Version: BUEM-12-113010
Vuln IDs: V-99041
Rule IDs: SV-108145r1_rule
Alerts providing notification of a change in enrollment state facilitate verification of the correct operation of security functions. When a BlackBerry UEM 12.11 server receives such an alert from a UEM Agent, it indicates that the security policy may no longer be enforced on the mobile device. This enables the UEM administrator to take an appropriate remedial action. SFR ID: FAU_ALT_EXT.2.1
Checks: C-97881r1_chk

Review the BlackBerry UEM server configuration to determine whether the UEM alerts when required applications are not installed or app updates are not installed. Remove a required application from the device. Verify an email notification has been sent to the administrator. Note: UEM will automatically alert if an app is not updated if the alert for a required app is correctly configured. A required app "update" is considered the same thing as a "required" app. If an email notification is not sent to the administrator when a required application is removed from the mobile device, this is a finding.

Fix: F-104717r1_fix

From the server perspective:
- For UEM Hosted Apps, deliver the configuration to the device regarding the required applications.
- The device calls back to UEM to get the application (APP_SEND security audit).
- The device acknowledges getting the application either successfully or not (APP_DELIVERED security audit).
The Administrator can create a compliance profile to alert the user. This compliance profile is monitored and an email is sent to the administrator if the device becomes non-compliant.
1. The administrator accesses the "UEM" menu bar.
2. Select >> Policies and Profiles >> Compliance >> Compliance.
3. Click the "Add" icon.
4. Type a name and description for the compliance profile. (At this stage, a notification message can be sent to users when their devices become noncompliant, if required.)
5. In the email sent when a violation is detected, select an email template. To see the default compliance email, click Settings >> General settings >> Email templates.
6. In the "Enforcement interval" drop-down list, select how often BlackBerry UEM checks for compliance.
7. Expand Device notification sent out when violation is detected and edit the message, if necessary. Note: If using variables (supports default and custom variables) to populate notifications with user, device, and compliance information, custom variables can also be defined using the management console.
8. Click the tab for each device type in the organization.
9. Select the "Required app is not installed" checkbox for each profile setting.
10. Click "Add".
Set up event notifications to alert administrators by email about a device that becomes noncompliant.
1. Log in to UEM >> menu bar >> Settings >> General settings >> Event notifications.
2. On "Event notifications" tab, click "Add" icon.
3. Select event type (Compliance breached).
4. Click "Next".
5. From Date/time to send email notification drop-down list, select option "Always after an event: Email notifications are when the event occurs" and click "Save".
6. In "Recipients" field, select "Add new distribution list".
7. Click "Save".
8. In the "email template" drop-down list, select the "email template for event notification".
9. In the "Status" drop-down list, select "On" to enable event notification.
10. Click "Preview email".
11. Check the email text to make sure it is correct.
12. Click "Save".