Review the BlackBerry UEM 12.8 server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording.

On the BlackBerry UEM 12.8, do the following:
1. Log in to the BlackBerry UEM 12.8 console and select the "Settings" tab on the left pane.
2. Expand the "General" settings tab on the left pane.
3. Select "Login notices" from the menu in the left pane.
4. Verify the check box next to "Enable a login notice for the management console" is checked.
5. Verify the console login notice text exactly matches the VulDiscussion text.
6. Verify the check box next to "Enable a login notice for the self-service console" is checked if the self-service portal is used at the site.
7. Verify the self-service console login notice text exactly matches the VulDiscussion text.

Alternately, have the administrator log in to the UEM console to view the warning banner.

If the console notice wording does not exactly match the VulDiscussion text, this is a finding.
On the BlackBerry UEM 12.8, do the following:
1. Log in to the BlackBerry UEM 12.8 console and select the "Settings" tab on the left pane.
2. Expand the "General" settings tab on the left pane.
3. Select "Login notices" from the menu in the left pane.
4. Click the "pencil icon" (upper right corner) to edit the "Login notice".
5. Select the check box next to "Enable a login notice for the management console".
6. In the "Enable a login notice for the management console" field, type the DoD banner found in the VulDiscussion.
7. Click "Save".

If the self-service portal is used in the organization, complete steps 8-10.
8. Select the check box next to "Enable a login notice for the self-service console".
9. In the "Enable a login notice for the self-service console" field, type the DoD banner found in the VulDiscussion.
10. Click "Save".
Review the BlackBerry UEM 12.8 server configuration settings, and verify the server is configured with the following administrator roles:
a. UEM Security Administrator
b. Auditor
c. One or more Site Custom Administrator or UEM predefined enterprise/help desk roles

Note: The exact name of the role is not important. Each role should include functions close to the role descriptions listed in the VulDiscussion.

Note: The intent of the requirement is that there be separate people performing each administrator role; few users are assigned to the UEM Security Administrator role; the auditor role is limited to only authorized permissions; and day-to-day management of user accounts, group accounts, and profiles is performed from site-specific custom administrator roles or UEM predefined enterprise/help desk roles instead of the UEM Security Administrator role.

On the BlackBerry UEM 12.8, do the following:
1. Log in to the BlackBerry UEM 12.8 console and select the "Settings" tab at the top of the screen.
2. Expand the "General" settings tab on the left pane.
3. Expand the "Administrators" tab on the left pane.
4. Select the "Roles" tab on the left pane.
5. Verify there is at least one user assigned to each of the following roles:
a. UEM Security Administrator
b. Auditor
c. One or more Site Custom Administrator or UEM predefined enterprise/help desk roles

Verify the auditor role function is limited to only reviewing and maintaining server and mobile device audit logs as follows:
1. Log in to the BlackBerry UEM 12.8 console and select the "Settings" tab at the top of the screen.
2. Expand the "Administrators" tab on the left pane.
3. Select the "Roles" tab on the left pane.
4. Click the "Auditor" role.
5. Verify the role only has the following permissions assigned:
- View audit information
- Delete BlackBerry Dynamics audit log files
- View and export BlackBerry Dynamics audit log files
- View audit settings
- Edit audit settings and purge data
- Edit logging settings

Talk to the UEM Security Administrator and verify custom administrator roles/UEM predefined enterprise/help desk roles are used for day-to-day management of user accounts, group accounts, and profiles.

If at least one user is not associated with each of the UEM Security Administrator, Auditor, and one or more site custom administrator roles/UEM predefined enterprise/help desk roles, this is a finding.

If the auditor role has more permissions than authorized, this is a finding.

If day-to-day management of user accounts, group accounts, and profiles is primarily performed by UEM Security Administrators instead of one or more site custom administrator roles/UEM predefined enterprise/help desk roles, this is a finding.
On the BlackBerry UEM 12.8, do the following, using the procedures below:

- Assign at least one user to the UEM Security Administrator role. Few administrators should be assigned to this role.
Note: UEM automatically restricts the following functions to only the Security Administrator: full permissions to manage the BlackBerry Enterprise Solution, and the capability to create and edit roles.

- Define an "Auditor" role (see the VulDiscussion for role functions). Assign at least one user (UEM administrator) to the role. The role should include only the following UEM permissions:
- View audit information
- Delete BlackBerry Dynamics audit log files
- View and export BlackBerry Dynamics audit log files
- View audit settings
- Edit audit settings and purge data
- Edit logging settings

- Define site custom administrator roles or UEM predefined enterprise/help desk roles as needed to administer device policies and user accounts (for example, see the Security Configuration Administrator and Device User Group Administrator in the VulDiscussion). Assign users to the roles, as required. These roles should be used for day-to-day management of user accounts, group accounts, and profiles.

To set up specific roles, do the following:
1. Select "Roles" in the left pane.
2. Select "Add a role" on the top right.
3. Assign an appropriate name and functions to the role.
4. Click "Save".

To assign users or groups to a role, do the following:
1. Log in to the BlackBerry UEM 12.8 console and select the "Settings" tab at the top of the screen.
2. Expand the "General" settings tab on the left pane.
3. Expand the "Administrators" tab on the left pane.

To assign a role to a user:
1. Click "Users".
2. Click the "Add an administrator" icon (upper right corner).
3. If necessary, search for a user account.
4. Click the name of the user account.
5. In the Role drop-down list, click the role that you want to add.
6. Click "Save".

To assign a role to a group:
1. Click "Groups".
2. Click the "Add an administrator" icon (upper right corner).
3. If necessary, search for a user group.
4. Click the name of the user group.
5. In the Role drop-down list, click the role that you want to add.
6. Click "Save".

Note: The intent of the requirement is that there be separate people performing each administrator role. The exact name of the role is not important.
Review the BlackBerry UEM 12.8 server configuration settings, and verify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM 12.8 server user identification and authentication.

On the BlackBerry UEM 12.8, do the following:
1. Navigate to the BlackBerry UEM 12.8 console.
2. Verify the BlackBerry UEM 12.8 console does not prompt for additional authentication before opening (that is, the Windows single sign-on credentials of the logged-in administrator are accepted).

If the BlackBerry UEM 12.8 server prompts for additional authentication before opening the UEM console, this is a finding.
On the BlackBerry UEM 12.8, do the following:

Configure constrained delegation for the Microsoft Active Directory account to support single sign-on:
1. Log in to the BlackBerry UEM 12.8 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account:
- HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)
- BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)
Note:
- If you configured high availability for the management consoles in a UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console.
- Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.
2. Open Microsoft Active Directory Users and Computers.
3. In the Microsoft Active Directory account properties, on the "Delegation" tab, select the following options:
- Trust this user for delegation to specified services only
- Use Kerberos only
4. Add the SPNs from step 1 to the list of services.

Configure single sign-on for UEM:
Note:
- When you configure single sign-on for UEM, you configure it for both the management console and UEM Self-Service.
- If you enable single sign-on for multiple Microsoft Active Directory connections, verify that there are no trust relationships between the Microsoft Active Directory forests.
1. Log in to the BlackBerry UEM 12.8 console and select the "Settings" tab on the left pane.
2. Click the "External integration" tab on the left pane.
3. Click "Company directory".
4. In the Configured directory connections section, click the name of a Microsoft Active Directory connection.
5. On the "Authentication" tab, select the check box next to "Enable Windows single sign-on".
6. Click "Save".
7. Click "Save" on the popup window.
Note: UEM validates the information for Microsoft Active Directory authentication. If the information is invalid, UEM prompts you to specify the correct information.
8. Click "Close".
9. Restart the UEM services on each server that hosts a UEM instance.
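The constrained-delegation part of the fix above (SPN registration, the duplicate-SPN check, and the two "Delegation" tab options) can be scripted instead of clicked through in ADSI Edit and ADUC. The following is an added example, not BlackBerry or DISA text; it assumes the ActiveDirectory RSAT module, a hypothetical service account "svc_uem" and a hypothetical console host "uem01.example.com", and it is run from a domain-admin PowerShell session. "Trust this user for delegation to specified services only" is the msDS-AllowedToDelegateTo attribute, and "Use Kerberos only" means the account must not carry the TrustedToAuthForDelegation (protocol transition) flag; unconstrained delegation (TrustedForDelegation) must stay off as well.

```powershell
# Added example (not from the STIG or BlackBerry documentation).
# Assumptions: RSAT ActiveDirectory module; hypothetical names below.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_uem'                # hypothetical UEM service account
$ConsoleHost    = 'uem01.example.com'      # FQDN, or the pool name when console HA is configured
$Spns           = @("HTTP/$ConsoleHost", "BASPLUGIN111/$ConsoleHost")

# Note from step 1: no other account in the forest may hold these SPNs.
# Query a global catalog (port 3268) so the search spans the whole forest,
# not just the current domain.
$Gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
foreach ($spn in $Spns) {
    $holders = Get-ADObject -Server "$($Gc):3268" -LDAPFilter "(servicePrincipalName=$spn)" |
               Where-Object { $_.Name -ne $ServiceAccount }
    if ($holders) {
        throw "SPN $spn is already registered on: $($holders.DistinguishedName -join '; ')"
    }
}

# Step 1: register the SPNs on the UEM service account.
Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $Spns }

# Steps 3 and 4: constrained delegation to the listed services, Kerberos only.
#   msDS-AllowedToDelegateTo   -> "Trust this user for delegation to specified services only"
#   TrustedToAuthForDelegation -> must be $false for "Use Kerberos only"
#   TrustedForDelegation       -> must be $false (no unconstrained delegation)
Set-ADUser -Identity $ServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = $Spns }
Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Show the resulting state for the reviewer before the UEM services are restarted (step 9).
Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
    TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
```

The final Get-ADUser output is what a reviewer should expect to see for a compliant account: both SPNs present, the same two SPNs in msDS-AllowedToDelegateTo, and both delegation flags False. If TrustedToAuthForDelegation is True, the account is set to "Use any authentication protocol" rather than "Use Kerberos only".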
Review the BlackBerry UEM 12.8 server documentation and configuration settings to determine whether device activation is restricted to the device models approved by the administrator.

On the BlackBerry UEM 12.8, do the following:
1. Log in to the BlackBerry UEM 12.8 console and select the "Policies and profiles" tab on the left pane.
2. Expand the Activation profiles from the menu in the left pane.
3. Select the Activation Profile to be reviewed.
4. Select the "Settings" tab.
5. Select each supported operating system tab and perform the following:
6. Confirm that "Allow selected device models" is selected in the "Device model restrictions" field.
7. Verify that the devices listed in the "Allowed device models" field match the list provided by the administrator.

If "Allow selected device models" is not displayed in the "Device model restrictions" field, or the devices listed in the "Allowed device models" field do not match the list provided by the administrator, this is a finding.
On the BlackBerry UEM 12.8, do the following:
1. Log in to the BlackBerry UEM 12.8 console and select the "Policies and profiles" tab on the left pane.
2. Expand the Activation profiles from the menu in the left pane.
3. Select the Activation profile to be modified.
4. Select the "pencil" icon to edit the profile.
5. Select the "Settings" tab.
6. Select each supported operating system tab.
7. Select "Allow selected device models" in the "Device model restrictions" field, using the drop-down menu.
8. Select the edit button in the "Allowed device models" field.
9. Using the popup menu, select the required model and press the "->" arrow icon to add the selection to the "selected" window.
10. Once all models are selected, click "Save".
11. Click "Save".
Review the BlackBerry UEM server configuration to determine whether the system is locked after "15" minutes.

On the BlackBerry UEM, do the following:
1. Log in to the BlackBerry UEM host server and navigate to "C:\BlackBerry\BlackBerry Configuration Tool 1.4.0\BESConfigTool.exe" and launch the BlackBerry UEM Configuration Tool.
Note: If the BlackBerry UEM Configuration Tool was not installed in the default directory, locate the directory with the executable file to launch the application.
2. Select the "BlackBerry UEM console timeout interval" radio button.
3. Click "Next".
4. Click "Validate" to verify the Database information.
5. Verify the "Session timeout (seconds)" field is populated with "900" or less.
6. Click "Quit" to exit the application.

Alternately, clock the time on a server to validate that it is correctly enforcing the time period.

If the "Session timeout (seconds)" field is not populated with "900" or less, this is a finding.
On the BlackBerry UEM, do the following:
1. Log in to the BlackBerry UEM host server and navigate to "C:\BlackBerry\BlackBerry Configuration Tool 1.4.0\BlackBerry UEMConfigTool.exe" to launch the BlackBerry UEM Configuration Tool.
Note: If the BlackBerry UEM Configuration Tool was not installed in the default directory, locate the directory with the executable file to launch the application.
2. Select the "BlackBerry UEM console timeout interval" radio button.
3. Click "Next".
4. Click "Validate" to verify the Database information.
5. In the "Session timeout (seconds)" field, enter "900" or less.
6. Select the check box next to "Automatically Restart Services".
7. Click "Update".
8. Verify that the message "BlackBerry UEM services successfully restarted" is displayed when the process is completed.
Note: If the services do not restart automatically, restart the services manually.
9. Click "Quit" to exit the application.

Note: If the BlackBerry UEM Configuration Tool is not installed on the host system, download and install the tool on the host server.
Review the BlackBerry UEM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on the BlackBerry UEM server platform, this is a finding.
Install a DoD-approved firewall.
Ask the MDM administrator for a list of ports, protocols, and IP address ranges necessary to support BlackBerry UEM server and platform functionality. A list can usually be found in the STIG Supplemental document or MDM product documentation. Compare the list against the configuration of the firewall and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.
Configure the firewall on the BlackBerry UEM server to only permit ports, protocols, and IP address ranges necessary for operation.
Ask the MDM administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the BlackBerry UEM server or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.
Turn off any ports, protocols, and services on the BlackBerry UEM host-based firewall that are not on the DoD PPSM CAL list.
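The two firewall checks above (only required ports, protocols and IP ranges are permitted; everything permitted is on the DoD PPSM CAL) both reduce to comparing the host firewall's enabled inbound allow rules against an approved list. The following is an added audit example, not part of the STIG, for a UEM host using Windows Defender Firewall. The approved-list entries are constructed placeholders; the real values come from the STIG Supplemental document or UEM documentation, and the PPSM CAL check is the same script run with the CAL-derived list. Multi-valued ports or address scopes on a rule are joined into one string and so fail to match a single approved entry, which flags them for manual review rather than silently accepting them.

```powershell
# Added example (not from the STIG). Run in an elevated PowerShell on the UEM host.
# $Approved is a constructed placeholder; populate it from the administrator's list.
$Approved = @(
    @{ Protocol = 'TCP'; LocalPort = '443';  RemoteAddress = 'Any' }          # hypothetical entry
    @{ Protocol = 'TCP'; LocalPort = '3389'; RemoteAddress = '10.0.5.0/24' }  # hypothetical entry
)

function Test-HostFirewallBaseline {
    # The requirement covers both directions, so every profile must be enabled with
    # inbound defaulting to Block. Outbound is reported too so the reviewer sees it.
    $bad = Get-NetFirewallProfile | Where-Object {
        -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block'
    }
    foreach ($p in $bad) {
        Write-Warning ("Profile {0}: Enabled={1} DefaultInboundAction={2} DefaultOutboundAction={3}" -f
            $p.Name, $p.Enabled, $p.DefaultInboundAction, $p.DefaultOutboundAction)
    }
    return ($bad.Count -eq 0)
}

function Get-UnapprovedInboundRules {
    # Every enabled, allow-action inbound rule must match one approved
    # protocol/port/remote-address triple exactly.
    $findings = @()
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $proto  = [string]$port.Protocol
        $lport  = ($port.LocalPort -join ',')
        $remote = ($addr.RemoteAddress -join ',')
        $match = $Approved | Where-Object {
            $_.Protocol -eq $proto -and $_.LocalPort -eq $lport -and $_.RemoteAddress -eq $remote
        }
        if (-not $match) {
            $findings += [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $proto
                LocalPort     = $lport
                RemoteAddress = $remote
            }
        }
    }
    return $findings
}

if (-not (Test-HostFirewallBaseline)) {
    "Host firewall is disabled or not default-deny inbound on at least one profile (finding)."
}
$unapproved = Get-UnapprovedInboundRules
if ($unapproved) {
    "Enabled inbound allow rules not on the approved list (finding):"
    $unapproved | Format-Table -AutoSize
} else {
    "All enabled inbound allow rules match the approved list."
}
```

Rules that Windows creates for built-in services (file sharing, remote assistance, and so on) commonly show up here; each one either gets an entry on the approved list with the administrator's justification or is disabled, which is the remediation the fix text describes.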
This requirement is not applicable if the AO has not designated any required applications to be installed on site-managed mobile devices.

Verify a compliance email alert has been set up on the UEM server to alert if required apps are not installed on managed mobile devices:
- Have the UEM administrator determine the polling interval set up on the console (how often UEM checks compliance for managed mobile devices). Note: For this review, have the administrator temporarily change the polling interval to 30 minutes or less.
- Have the site UEM administrator identify one app required on site-managed mobile devices.
- Using a site-managed mobile device, remove the required app from the mobile device.
- After the polling interval has elapsed, review the BlackBerry UEM server configuration to determine whether an alert was generated for non-compliance of the test mobile device:
- On the UEM console, click on the Managed Devices tab.
- Verify a warning message and link are displayed.
- Click on the link and verify the test managed device and removed app are listed as out of compliance.

If a compliance email alert has not been set up on the UEM server to alert if required apps are not installed on managed mobile devices, this is a finding.
This requirement is not applicable if the AO has not designated any required applications to be installed on site-managed mobile devices.

On the UEM console, do the following:
- Create a compliance email alert to alert if required apps are not installed on managed mobile devices.
- Set up an event/email notification.
- Set up a list of apps required to be installed on managed mobile devices.
- Create an event notification template.

Procedure details:
- For UEM Hosted Apps, UEM delivers configuration to the device regarding the required applications.
- The device calls back to UEM to get the application (APP_SEND security audit).
- The device acknowledges getting the application either successfully or not (APP_DELIVERED security audit).

Procedure for "Create a compliance email alert to alert if required apps are not installed on managed mobile devices":
The administrator can create a compliance profile to alert the user. Additionally, this compliance profile is monitored and an email is sent to the administrator if the device becomes non-compliant.
1. The administrator accesses UEM >> menu bar, click Policies and Profiles >> Compliance >> Compliance.
2. Click the "Add" icon and type a name and description for the compliance profile. (At this stage you can also send a notification message to users when their devices become non-compliant, if required.)
3. In the "Email sent when violation is detected" drop-down list, select an email template. To see the default compliance email, click Settings >> General settings >> Email templates.
4. In the "Enforcement interval" drop-down list, select how often BlackBerry UEM checks for compliance.
5. Expand "Device notification sent out when violation is detected". Edit the message if necessary.
Note: If you want to use variables (default and custom variables are supported) to populate notifications with user, device, and compliance information, you can also define and use your own custom variables using the management console.
6. Click the tab for each device type in your organization and configure the appropriate values for each profile setting.
7. Click "Add".

Procedure for "Set up an event/email notification":
1. Log in to UEM >> menu bar >> Settings >> General settings >> Event notifications.
2. On the "Event notifications" tab, click the "Add" icon.
3. Select the event type and click "Next".
4. In the "Date/time to send email notification" drop-down list, select "Always after an event" (email notifications are sent when the event occurs), then click "Save".
5. In the "Recipients" field, select "Add new distribution list" and click "Save".
6. In the "Email template" drop-down list, select the email template for the event notification.
7. In the "Status" drop-down list, select "On" to enable the event notification.
8. Click "Preview email", check the email address, and click "Save".

Procedure for "Set up a list of apps required to be installed on managed mobile devices":
Note: If you are defining rules to restrict or allow specific apps, add those apps to the restricted apps list. To restrict built-in apps, you must create a compliance profile and add the apps to the restricted app list in the profile.
1. On the menu bar, click "Apps".
2. Click "Restricted apps".
3. Click the "Add" icon and perform the task associated with the iOS, Android, and Windows restricted app lists.

Procedure for "Create an event notification template":
On the menu bar, click Settings >> General settings.
1. Click "Email templates".
2. Click the "Add" icon and select "Event notification".
3. In the "Name" field, type a name to identify this template.
4. In the "Subject" field, complete one of the following tasks:
- Clear the "Append event type to the email subject" check box and type a subject.
- Leave the "Append event type to the email subject" check box selected, and type additional text in the subject field.
- Leave the "Append event type to the email subject" check box selected.
5. In the "Message" field, type the body text of the event notification email.
6. Use the HTML editor to select the font format and to insert images (for example, your organization's logo).
7. To see sample text, click "Suggested text".
8. Click "Save".
Interview the ISSO and the BlackBerry UEM MDM system administrator. Verify the site is not using the BlackBerry UEM 12.8 MDM.

If the site is using the BlackBerry UEM 12.8 MDM, this is a finding.
Remove all versions of BlackBerry UEM 12.8 MDM.