BlackBerry Enterprise Service v10.2.x BlackBerry Device Service STIG

V1R5 2015-07-23       U_Blackberry_BES_v10-2-X_BDS_V1R5_Manual-xccdf.xml
V1R2 2014-07-02       U_BlackBerry_BES_V10_2_X_BDS_V1R2_STIG_Manual-xccdf.xml
Developed by BlackBerry Ltd. in coordination with DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All: 44
No Change: 42
Updated: 0
Added: 0
Removed: 2
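The comparison counts above come from matching the two XCCDF benchmark files by Group id (the V-number) and classifying each group as unchanged, updated, added or removed. The following Python script is an added example, not DISA's or BlackBerry's tooling: it parses two small constructed benchmarks in the XCCDF 1.1 layout DISA uses, reusing V-48503 and V-48509 from this page with shortened check text, plus two obviously labelled placeholder groups so that the Updated and Removed branches are exercised. The element layout (Group, Rule, version, ident, check/check-content) is assumed from the XCCDF 1.1 standard.

```python
"""Compare two XCCDF STIG benchmarks group-by-group (V-number) and report
All / No Change / Updated / Added / Removed, the way the Comparison block
on this page summarises one STIG release against another.
Added example; constructed sample data, not a DISA release file."""
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by DISA STIG benchmark files.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}


def _group(gid, rule_id, severity, stig_id, cci, check_text):
    """Build one constructed <Group> in the XCCDF 1.1 layout (sample data only)."""
    return f"""
  <Group id="{gid}">
    <title>{stig_id}</title>
    <Rule id="{rule_id}" severity="{severity}" weight="10.0">
      <version>{stig_id}</version>
      <title>{stig_id}</title>
      <ident system="http://iase.disa.mil/cci">{cci}</ident>
      <check system="C-constructed">
        <check-content>{check_text}</check-content>
      </check>
    </Rule>
  </Group>"""


def _benchmark(groups):
    body = "".join(_group(*g) for g in groups)
    return f'<Benchmark xmlns="{NS["x"]}" id="constructed-benchmark">{body}\n</Benchmark>'


# Real identifiers from this page; check text shortened to one sentence each.
_BASE = [
    ("V-48503", "SV-61375r1_rule", "high", "BBDS-00-000100", "CCI-000037",
     "Review the BlackBerry Device Service server configuration to ensure there are "
     "multiple administrator roles configured as assigned by the site."),
    ("V-48509", "SV-61381r1_rule", "medium", "BBDS-00-000125", "CCI-000370",
     "Review the BlackBerry Device Service server policy configuration to determine "
     "whether removable media storage cards are bound to the mobile device."),
]
# Constructed "old" release: the two real groups plus two placeholder groups.
OLD_BENCHMARK = _benchmark(_BASE + [
    ("V-UPDATED-PLACEHOLDER", "SV-PLACEHOLDER-1_rule", "low",
     "BBDS-00-PLACEHOLDER-1", "CCI-000370", "Placeholder check text."),
    ("V-REMOVED-PLACEHOLDER", "SV-PLACEHOLDER-2_rule", "medium",
     "BBDS-00-PLACEHOLDER-2", "CCI-000370", "Placeholder check text."),
])
# Constructed "new" release: same real groups, placeholder-1 severity raised,
# placeholder-2 dropped.
NEW_BENCHMARK = _benchmark(_BASE + [
    ("V-UPDATED-PLACEHOLDER", "SV-PLACEHOLDER-1_rule", "medium",
     "BBDS-00-PLACEHOLDER-1", "CCI-000370", "Placeholder check text."),
])


def load_rules(xml_text):
    """Map Group id (V-number) -> the rule fields that matter for a diff."""
    root = ET.fromstring(xml_text)
    rules = {}
    for group in root.findall("x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:  # a Group without a Rule has nothing to compare
            continue
        check = rule.find("x:check/x:check-content", NS)
        rules[group.get("id")] = {
            "rule_id": rule.get("id"),
            "severity": rule.get("severity"),
            "stig_id": rule.findtext("x:version", default="", namespaces=NS),
            "cci": sorted(i.text for i in rule.findall("x:ident", NS)),
            # Normalise whitespace so reflowed text is not reported as a change.
            "check": " ".join((check.text or "").split()) if check is not None else "",
        }
    return rules


def compare_benchmarks(old_xml, new_xml):
    """Classify every Group present in either release."""
    old, new = load_rules(old_xml), load_rules(new_xml)
    result = {"no_change": [], "updated": {}, "added": [], "removed": []}
    for gid in sorted(set(old) | set(new)):
        if gid not in new:
            result["removed"].append(gid)
        elif gid not in old:
            result["added"].append(gid)
        else:
            changed = [k for k in old[gid] if old[gid][k] != new[gid][k]]
            if changed:
                result["updated"][gid] = changed  # which fields moved
            else:
                result["no_change"].append(gid)
    result["all"] = len(set(old) | set(new))
    return result


def summary_lines(result):
    """Render the counts in the same layout as the page's Comparison block."""
    return [
        f"All {result['all']}",
        f"No Change {len(result['no_change'])}",
        f"Updated {len(result['updated'])}",
        f"Added {len(result['added'])}",
        f"Removed {len(result['removed'])}",
    ]


if __name__ == "__main__":
    res = compare_benchmarks(OLD_BENCHMARK, NEW_BENCHMARK)
    print("\n".join(summary_lines(res)))
    for gid, fields in res["updated"].items():
        print(f"{gid} Updated ({', '.join(fields)})")
    for gid in res["removed"]:
        print(f"{gid} Removed")
```

Keying on the Group id rather than the Rule id matters: DISA bumps the Rule id revision suffix (r1, r2, ...) when a rule changes, so a rule-id match alone would report every edited rule as one removal plus one addition. Comparing the check text and severity per group reports it as a single Updated entry and names the fields that moved, which is what a reviewer wants to see when deciding whether an existing assessment needs re-work.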
V-48503 No Change
Findings ID: BBDS-00-000100 Rule ID: SV-61375r1_rule Severity: high CCI: CCI-000037

Discussion

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
It is recommended that the following or similar roles be supported:
- MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Checks

Review the BlackBerry Device Service server configuration to ensure there are multiple administrator roles configured as assigned by the site. Otherwise, this is a finding.

Fix

Create and configure accounts to be aligned with the following roles as assigned by the site.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Administrator users > Manage users > <User Name> > Roles" and verify the roles required by the site are assigned.

Note: The roles in BlackBerry Device services are as follows:

- Security Administrator: This role has permission to perform all tasks in the BlackBerry Device Service.
- Enterprise Administrator: This role has permission to perform all tasks in the BlackBerry Device Service except changing role assignments. This role can only view role assignments.
- Senior Helpdesk Administrator: This role has permission to perform advanced administrative tasks in the BlackBerry Device Service.
- Junior Helpdesk Administrator: This role has permission to perform basic administrative tasks in the BlackBerry Device Service.
- Server Only Administrator: This role has permission to perform system management tasks in the BlackBerry Device Service.
- User Only Administrator: This role has permission to perform user management tasks in the BlackBerry Device Service.
V-48509 No Change
Findings ID: BBDS-00-000125 Rule ID: SV-61381r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether removable media storage cards are bound to the mobile device. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to bind removable storage media cards to the mobile device.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Media Card Encryption" is set to "Yes".

Note: The above is only required for "Work space only" activation types, and remains optional for "Balance-Corporate" or "Balance-Regulated" activation types.
V-48513 No Change
Findings ID: BBDS-00-000132 Rule ID: SV-61385r1_rule Severity: medium CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the encryption algorithms used to encrypt S/MIME protected email messages are 3DES or AES256. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Profiles > Manage email profiles > <Profile Name> > Email profile settings" and verify "Allowed content ciphers" is set to "AES (256-bit)" or "Triple DES".
V-48517 No Change
Findings ID: BBDS-00-000146 Rule ID: SV-61389r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Advanced Audio Distribution Profile (A2DP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth A2DP" is set to "Disallow".

Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.
V-48519 No Change
Findings ID: BBDS-00-000147 Rule ID: SV-61391r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth AVRCP" is set to "Disallow".

Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.
V-48523 No Change
Findings ID: BBDS-00-000148 Rule ID: SV-61395r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Phone Book Access Profile (PBAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Phone Book Access Profile (PBAP) Bluetooth profile.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify both "Transfer Work Contacts Using Bluetooth PBAP or HFP" and "Bluetooth Contacts Transfer Using PBAP" are set to "Disallow".
V-48525 No Change
Findings ID: BBDS-00-000149 Rule ID: SV-61397r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Hands-Free Profile (HFP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Hands-Free Profile (HFP) Bluetooth profile.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify both "Transfer Work Contacts Using Bluetooth PBAP or HFP" and "Bluetooth HFP" are set to "Disallow".
V-48527 No Change
Findings ID: BBDS-00-000151 Rule ID: SV-61399r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Message Access Profile (MAP) Bluetooth profile.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify all of "Transfer Work Messages Using Bluetooth MAP", "Transfer Work Messages Using Bluetooth MAP Without Prompt" and "Bluetooth MAP" are set to "Disallow".
V-48529 No Change
Findings ID: BBDS-00-000152 Rule ID: SV-61401r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Personal Area Networking (PAN) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Personal Area Networking Profile (PAN) Bluetooth profile.
V-48537 No Change
Findings ID: BBDS-00-000155 Rule ID: SV-61409r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether Bluetooth Discoverable Mode has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable Bluetooth Discoverable Mode.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth Discoverable Mode" is set to "Disallow".

Note: The above is only for devices with EMM-Regulated (Work Space only).
V-48543 No Change
Findings ID: BBDS-00-000156 Rule ID: SV-61417r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via Bluetooth has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth.

For EMM-Corporate (BlackBerry Balance) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Files Using Bluetooth OPP" is set to "Disallow."

For EMM-Regulated (Work Space only) and Balance-Regulated devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth File Transfer Using OBEX" is set to "Disallow."
V-48545 No Change
Findings ID: BBDS-00-000157 Rule ID: SV-61419r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Bluetooth MAP).

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Messages Using Bluetooth MAP" is set to "Disallow".
V-48547 No Change
Findings ID: BBDS-00-000158 Rule ID: SV-61421r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Bluetooth MAP without prompt).

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Messages Using Bluetooth MAP Without Prompt" is set to "Disallow".
V-48549 No Change
Findings ID: BBDS-00-000159 Rule ID: SV-61423r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via Bluetooth has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Transfer Work Contacts Using Bluetooth PBAP or HFP).

For EMM-Corporate (BlackBerry Balance) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Contacts Using Bluetooth PBAP or HFP" is set to "Disallow".
V-48553 No Change
Findings ID: BBDS-00-000160 Rule ID: SV-61427r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether Bluetooth pairing using a randomly generated passkey size of at least 8 digits has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Enforce Minimum Bluetooth Passkey Length" is set to "Yes".

Note: The above is only for devices with EMM-Regulated (Work Space only).
V-48555 No Change
Findings ID: BBDS-00-000161 Rule ID: SV-61429r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via NFC has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via NFC.

For EMM-Corporate and EMM-Regulated devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Data Using NFC" is set to "Disallow".
V-48557 No Change
Findings ID: BBDS-00-000165 Rule ID: SV-61431r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server configuration to determine whether Bluetooth 128 bit encryption is enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to enable Bluetooth 128 bit encryption.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Minimum Bluetooth Encryption Key Length" is set to "16 Bytes".

Note: The above is only for devices with EMM-Regulated (Work Space only).
V-48559 No Change
Findings ID: BBDS-00-000300 Rule ID: SV-61435r1_rule Severity: medium CCI: CCI-000366

Discussion

Only authorized servers should be able to push content to BlackBerry devices.

Checks

Verify the site has configured the BlackBerry Device Service server to require trusted connections to push enclave application or web servers. Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server to require authenticated (trusted) connections from servers that push content to BlackBerry devices.

Log into BlackBerry Administration Service, and under "Servers and components" on the left side of the screen, navigate to "BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service > <MDS Connection Service Instance>".
- On the "Instance information" tab, click "Edit instance".
- In the "Access control" section, verify "Push authentication:" is set to "Yes".
V-48561 No Change
Findings ID: BBDS-00-000200 Rule ID: SV-61437r1_rule Severity: medium CCI: CCI-000370

Discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.

Checks

Verify the BlackBerry Administration Service (BAS) has been configured to permit users to activate new BlackBerry devices only. Otherwise, this is a finding.

Fix

Configure the BlackBerry Administration Service to permit users to activate new BlackBerry devices only via BlackBerry Web Desktop Manager.

Log into the BAS as an administrator with the Security Administrator role.

Under "Organization Administration", expand "Organization".
- Click "My organization".
- Click the "BlackBerry Web Desktop Manager Information" tab.
- In the "Allowed user operations" section, verify "Allow user wireline activation:" is set to "Activate unused PIN only".
V-48565 No Change
Findings ID: BBDS-00-000230 Rule ID: SV-61441r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Maximum Password Attempts" is set to "10".
V-48567 No Change
Findings ID: BBDS-00-000235 Rule ID: SV-61443r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether a Work Space password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to enable a work space password.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Password Required for Work Space" is set to "Yes".

Note: The above is only for devices with EMM-Corporate (BlackBerry Balance). This check is not applicable to EMM-Regulated (Work Space only) devices.
V-48571 No Change
Findings ID: BBDS-00-000260 Rule ID: SV-61447r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the minimum Work Space password length is at least six characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to set the minimum work space password length of six or more characters.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Minimum Password Length" is set to "6".
V-48573 No Change
Findings ID: BBDS-00-000270 Rule ID: SV-61449r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Work Space inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to set the work space inactivity timeout to 15 minutes.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Security Timeout" is set to "15 minutes".
V-48575 No Change
Findings ID: BBDS-00-000275 Rule ID: SV-61451r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.

Checks

Review the BlackBerry Device Service server configuration to ensure the BlackBerry Device Service server can configure the mobile device Work Space to prohibit the download of software from a DoD non-approved source (e.g., a non-DoD operated mobile device application store or BlackBerry Device Service server). Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server so the Work Space is configured to prohibit the download of software from a DoD non-approved source.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Development Mode Access to Work Space" is set to "Disallow".
V-48577 No Change
Findings ID: BBDS-00-000285 Rule ID: SV-61453r1_rule Severity: medium CCI: CCI-000386

Discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.

Checks

Review the Windows Services configuration on the BlackBerry Device Service server to ensure the self-service component (the "BES10 - Self-Service" service) has been disabled to prevent users from performing self-service tasks. Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server to prevent users from performing self-service tasks.

Log into the BlackBerry Device Service server as a local administrator.

Open "Services" by navigating to "Start > Run... > services.msc" and ensure the "BES10 - Self-Service" service is stopped and its Startup Type is set to "Disabled".
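The following PowerShell audit script is an added example and is not part of the STIG or of BlackBerry's own tooling. It automates the check above on a BES10 host: it queries the "BES10 - Self-Service" Windows service (the name is taken from the fix text above; if the installed short service name differs, pass it with -Name) and reports whether the service is stopped with Startup Type "Disabled". It assumes it runs on the BlackBerry Device Service server with rights to query and, if -Remediate is used, to stop and reconfigure services.

```powershell
# Added example (not STIG or BlackBerry code): audit V-48577 on a BES10 host.
# Assumption: run locally on the BlackBerry Device Service server as a local administrator.

$DefaultServiceName = 'BES10 - Self-Service'   # service name as given in the STIG fix text

function Test-SelfServiceDisabled {
    <#
      Returns an object describing the service state and whether it satisfies the
      requirement (State = Stopped and StartMode = Disabled). With -Remediate the
      function stops the service and sets Startup Type to Disabled, then re-checks.
    #>
    param(
        [string]$Name = $DefaultServiceName,
        [switch]$Remediate
    )

    # Match on either the display name or the short service name, since the
    # STIG text shows the name as it appears in the Services console.
    $filter = "DisplayName='$Name' OR Name='$Name'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter

    if (-not $svc) {
        return [pscustomobject]@{
            Service   = $Name
            Found     = $false
            State     = $null
            StartMode = $null
            Compliant = $false
            Note      = 'Service not found; confirm the BES10 installation and service name'
        }
    }

    if ($Remediate) {
        # Stop the service and prevent it from starting again at boot.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        Set-Service  -Name $svc.Name -StartupType Disabled -ErrorAction Stop
        $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    }

    $compliant = ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')

    [pscustomobject]@{
        Service   = $svc.DisplayName
        Found     = $true
        State     = $svc.State        # e.g. Running, Stopped
        StartMode = $svc.StartMode    # e.g. Auto, Manual, Disabled
        Compliant = $compliant
        Note      = if ($compliant) { 'Compliant with V-48577' } else { 'FINDING: service must be Stopped and Disabled' }
    }
}

# Audit only (no changes made):
Test-SelfServiceDisabled | Format-List

# To remediate as well, uncomment:
# Test-SelfServiceDisabled -Remediate | Format-List
```

Run the audit form first and record the output as the check evidence; a "Found = False" result is not a pass, because the check cannot confirm the component is disabled if the service cannot be located, so verify the installed service name before concluding.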
V-48579 No Change
Findings ID: BBDS-00-000286 Rule ID: SV-61455r1_rule Severity: low CCI: CCI-000386

Discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether a user initiated backup or restore of the Work Space of a managed mobile device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disallow a user initiated backup or restore of the Work Space of a managed mobile device.

For BlackBerry Balance (Corporate and Regulated) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Backup and Restore Work Space" is set to "Disallow".

For Work Space only devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Backup and Restore Device" is set to "Disallow".
V-48581 No Change
Findings ID: BBDS-00-000290 Rule ID: SV-61457r1_rule Severity: high CCI: CCI-000770

Discussion

To assure individual accountability and prevent unauthorized access, MDM administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated. Without individual accountability, there can be no traceability back to an individual if there were a security incident on the system. In addition, group accounts can be shared with individuals who do not have authorized access.

Checks

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that requires administrators to be authenticated with an individual authenticator prior to using a group authenticator. To ensure correct configuration, have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix

Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism.

To configure the BDS server to authenticate via Active Directory the following process can be used:

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:

The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.
During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows:

16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
17. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:

When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the "User name" field, type your username.
3. In the "Password" field, type your password.
4. Perform one of the following actions:
* In the "Log in using" drop-down list, click "BlackBerry Administration Service".
* In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field.
5. Click "Log in".
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
V-48583 No Change
Findings ID: BBDS-00-000295 Rule ID: SV-61459r1_rule Severity: high CCI: CCI-000774

Discussion

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Replay attacks, if successfully used against a MDM account could result in unfettered access to the MDM settings and data records.

Checks

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs replay-resistant features. To ensure correct configuration, have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix

Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism.

To configure the BDS server to authenticate via Active Directory the following process can be used:

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:

The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.
During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows:

16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
17. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:

When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the "User name" field, type your username.
3. In the "Password" field, type your password.
4. Perform one of the following actions:
* In the "Log in using" drop-down list, click "BlackBerry Administration Service".
* In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field.
5. Click "Log in".
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
V-48585 No Change
Findings ID: BBDS-00-000305 Rule ID: SV-61461r1_rule Severity: medium CCI: CCI-000192

Discussion

In the DoD, administrator credential requirements for authentication are defined by CTO 07-115Rev1, which can be enforced by the Enterprise Authentication Mechanism. Non-compliant credential enforcement mechanisms make the DoD IS vulnerable to attack.

Checks

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism. To ensure correct configuration, have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix

Configure the BlackBerry Device Service server to support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication.

To configure the BDS server to authenticate via Active Directory the following process can be used:

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:

The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.
During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows:

16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
17. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:

When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the "User name" field, type your username.
3. In the "Password" field, type your password.
4. Perform one of the following actions:
* In the "Log in using" drop-down list, click "BlackBerry Administration Service".
* In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field.
5. Click "Log in".
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10.2 BlackBerry Device Service Installation and Configuration Guide.
V-48587 No Change
Findings ID: BBDS-00-000310 Rule ID: SV-61463r1_rule Severity: medium CCI: CCI-000186

Discussion

The key store password protects the server digital authentication certificates from unauthorized use.

Checks

When the BlackBerry Administration Service is installed the setup application generates a password for the web.keystore file. The web.keystore file stores the SSL certificate that the BlackBerry Administration Service uses to authenticate with browsers. You can change the web.keystore password after the installation process completes. All BlackBerry Administration Service instances in a BlackBerry Device Service domain must use the same web.keystore password. Consult the system administrator to determine if the default password was changed. If the default password has not been changed, this is a finding.

Fix

The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.

To change the web.keystore password, use the following procedure:

Before you begin: To verify the current password for the web.keystore file, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. Under "Servers and components" on the left side, navigate to "BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Administration Service", and check the "Security settings" section.

1. From the Windows machine with BlackBerry Enterprise Service 10, navigate to "Start > All Programs > BlackBerry Enterprise Service 10" and open "Configuration Tool for BlackBerry Enterprise Service 10".
2. On the "Administration Service - Web.Keystore" tab, type the current password.
3. Type a new password and confirm the new password.
4. Click "OK".
5. In Windows Services, restart the BlackBerry Administration Service services.
6. Repeat steps 1 to 5 on each computer that hosts a BlackBerry Administration Service instance.
V-48589 No Change
Findings ID: BBDS-00-000315 Rule ID: SV-61465r1_rule Severity: high CCI: CCI-000803

Discussion

MDM applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms.

Checks

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that utilizes a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. To ensure correct configuration, have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix

Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

To configure the BDS server to authenticate via Active Directory the following process can be used:

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:

The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.
During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows:

16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
17. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:

When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the "User name" field, type your username.
3. In the "Password" field, type your password.
4. Perform one of the following actions:
* In the "Log in using" drop-down list, click "BlackBerry Administration Service".
* In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field.
5. Click "Log in".
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
V-48591 No Change
Findings ID: BBDS-00-000320 Rule ID: SV-61467r1_rule Severity: high CCI: CCI-000877

Discussion

Lack of authentication enables anyone to gain access to the MDM. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to the MDM to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.

Checks

Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. To ensure correct configuration, have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.

Fix

Configure the BlackBerry Device Service server to authenticate through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.

To configure the BDS server to authenticate via Active Directory the following process can be used:

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Service.

Configure permissions for the service account:

The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.
During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows:

16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
17. In the Create an administrator account dialog box, perform one of the following actions:
* If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
* If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account.
You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:

When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.
1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the "User name" field, type your username.
3. In the "Password" field, type your password.
4. Perform one of the following actions:
* In the "Log in using" drop-down list, click "BlackBerry Administration Service".
* In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field.
5. Click "Log in".
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
V-48593 No Change
Findings ID: BBDS-00-000325 Rule ID: SV-61469r1_rule Severity: low CCI: CCI-001159

Discussion

When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.

Checks

Examine the server configuration to determine if a DoD PKI issued certificate has been installed. Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server to use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication.

Open Internet Explorer, and navigate to BlackBerry Administration Service. Click on the Lock icon located to the right of the Address bar (or click "Certificate error", if the certificate is untrusted) and select "View certificates". Ensure the certificate is issued by a valid DoD CA.

Steps to replace self-signed, or non-DoD certificate:
Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Socket Layer (SSL) certificate used by the BAS and the BWDM with a custom certificate (such as one from VeriSign or from a Windows certificate authority).

Task 1 - Retrieve your web.keystore password:
1. Login to the BAS as an administrator with Security Administrator role.
2. Under "BlackBerry Solution topology" on the left side, navigate to "BlackBerry Domain > Component view > BlackBerry Administration Service".
3. In the "Security settings", check the value for "Default password to encrypt the web.keystore file" and note it.

Task 2 - Back up the web.keystore file:
1. Open a Windows Command prompt as an Administrator.
2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD"
Note: Do not remove or rename the existing web.keystore file.

Task 3 - Delete the self-signed SSL certificate from inside the web.keystore file:
1. Open a Command prompt as an Administrator.
2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>"
Note: The -storepass parameter must be the password you retrieved in Task 1. The quotes are required due to special characters.

Task 4 - Generate the BlackBerry Administration Service certificate key pair:
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" -dname "CN=<BAS Server or BAS Pool full name>, OU=BAS, O=Company, L=City, ST=ST, C=US"

Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048
STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, then it will be necessary to clear out the key store and start again from Task 1. This is especially important to note for environments with manual certificate request processes.


Task 5 - Generate a certificate request to the certification authority:
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>"
Note: If the -keyalg switch was used in Task 4 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>" -keyalg RSA -keysize 2048

Task 6 - Request the certificate from the certificate authority (CA):
Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task.
1. Log off the server as the BlackBerry Enterprise Server service account.
2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request.
3. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv)
4. Click "Request a certificate".
5. Click "Advanced certificate request".
6. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file", or "submit a renewal request by using a base-64-encoded PKCS#7 file".
7. Paste the full contents of the certreq.csr file into the "Saved Request" field.
8. Choose "Web Server" from the "Certificate Template" drop-down list.
9. Click "Submit".
10. Click "Download certificate".
11. Save the file to c:\bascert.cer when prompted.
Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinates Certification Authority from the Certificate Template drop-down list instead of Web Server.

Task 7 - Download the CA certificate from the certificate authority:
1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv)
2. Click "Download a CA certificate, certificate chain, or CRL".
3. Click "Download CA certificate". Save it as c:\certnewCA.cer.

Task 8 - Import the CA certificate into the BlackBerry Administration Service key store:
1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA).
2. Log onto the server as BES service account.
3. Open a command prompt window as Administrator in the same manner as used in Task 2.
4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "<password>"
If the BlackBerry Administration Service certificate is issued by an Intermediate CA, perform step 4 to import certificates of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed.

To import an Intermediate Certificate Authority certificate: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "<password>"

Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store:
* In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "<password>"

Task 10 - Restart the BlackBerry Administration Service.
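The keytool sequence in Tasks 2-5 and 8-9, as an added PowerShell example that is not part of the STIG or of BlackBerry's tooling. It uses the paths, aliases and file names from the tasks above, takes the store password as a separate argument (so special characters need no quoting), backs the keystore up immediately after the key pair is generated as the STOP note in Task 4 advises, and after the import checks with keytool -list that the httpssl entry is a private key entry with a CA-built chain before you restart the service in Task 10. Assumptions: keytool is at the JRE path shown in the tasks, the CSR, CA chain files and issued certificate are in C:\ as in Tasks 5-7, and the script is run from an elevated PowerShell window while logged on as the BES service account.

```powershell
# Added example (not from the STIG or BlackBerry): automates the keytool steps
# of the web.keystore replacement. Phase "generate" = Tasks 2-5, phase
# "import" = Tasks 8-9. Assumed: JRE path, file locations and BES service
# account logon as described in the STIG text.
param(
    [Parameter(Mandatory)] [string] $StorePass,      # password retrieved in Task 1
    [Parameter(Mandatory)] [string] $BasFullName,    # BAS server or BAS pool full name (CN)
    [ValidateSet('generate', 'import')] [string] $Phase = 'generate',
    [string]   $KeyTool    = 'C:\Program Files\Java\jre1.6.0_31\bin\keytool.exe',
    [string]   $KeyStore   = 'C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore',
    [string]   $CsrPath    = 'C:\certreq.csr',
    [string[]] $CaChain    = @('C:\certnewCA.cer'),  # root CA first, then any intermediates (Tasks 7-8)
    [string]   $ServerCert = 'C:\bascert.cer'        # certificate issued in Task 6
)

function Invoke-KeyTool {
    param([string[]] $ToolArgs)
    # Each value is its own argv element, so a store password with special
    # characters needs no manual quoting. keytool signals failure via exit code.
    & $KeyTool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($ToolArgs[0]) failed with exit code $LASTEXITCODE" }
}

function Backup-KeyStore([string] $Suffix) {
    $dest = "$KeyStore.$Suffix"
    Copy-Item -LiteralPath $KeyStore -Destination $dest -ErrorAction Stop
    Write-Host "Keystore copied to $dest"
}

if ($Phase -eq 'generate') {
    Backup-KeyStore 'OLD'                                                     # Task 2
    Invoke-KeyTool @('-delete', '-alias', 'httpssl',                         # Task 3
                     '-keystore', $KeyStore, '-storepass', $StorePass)
    Invoke-KeyTool @('-genkey', '-alias', 'httpssl', '-keyalg', 'RSA',       # Task 4, 2048-bit RSA
                     '-keysize', '2048', '-keystore', $KeyStore, '-storepass', $StorePass,
                     '-dname', "CN=$BasFullName, OU=BAS, O=Company, L=City, ST=ST, C=US")
    # STOP note in Task 4: the keystore now holds the private key that the CA
    # reply must match, so keep a copy before anything else can go wrong.
    Backup-KeyStore 'withkey'
    Invoke-KeyTool @('-certreq', '-alias', 'httpssl', '-keystore', $KeyStore, # Task 5
                     '-file', $CsrPath, '-storepass', $StorePass)
    Write-Host "Submit $CsrPath to the CA (Task 6), save the CA chain (Task 7), then rerun with -Phase import."
}
else {
    $n = 0
    foreach ($caFile in $CaChain) {                                           # Task 8: cacert, cacert2, ...
        $alias = if ($n -eq 0) { 'cacert' } else { "cacert$($n + 1)" }
        Invoke-KeyTool @('-import', '-noprompt', '-alias', $alias, '-keystore', $KeyStore,
                         '-file', $caFile, '-storepass', $StorePass)
        $n++
    }
    Invoke-KeyTool @('-import', '-alias', 'httpssl', '-keystore', $KeyStore,  # Task 9
                     '-file', $ServerCert, '-storepass', $StorePass)

    # Verify before restarting the service (Task 10): httpssl must be a private
    # key entry whose chain now includes the CA, not the old self-signed one.
    $listing = (& $KeyTool -list -v -alias httpssl -keystore $KeyStore -storepass $StorePass) -join "`n"
    if ($listing -notmatch 'Entry type:\s*PrivateKeyEntry') {
        throw 'httpssl is not a private key entry; restore the backup and start again from Task 1'
    }
    if ($listing -match 'Certificate chain length:\s*(\d+)' -and [int]$Matches[1] -lt 2) {
        throw 'httpssl still has a self-signed chain; the CA reply was not applied'
    }
    if ($listing -notmatch 'Issuer:[^\r\n]*DoD') {
        Write-Warning 'Issuer does not name a DoD CA; the check for this item requires a DoD PKI issued certificate'
    }
    Write-Host 'Import complete. Restart the BlackBerry Administration Service (Task 10).'
}
```

Run it once with -Phase generate, complete Tasks 6 and 7 by hand, then run it again with -Phase import, passing every intermediate CA file after the root in -CaChain so each one gets its own alias as Task 8 requires.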
V-48599 No Change
Findings ID: BBDS-00-002542 Rule ID: SV-61475r1_rule Severity: low CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether only work persona contacts can be read from a native personal persona application. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to allow only work persona contacts to be read from a native personal space application.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Personal Apps Access to Work Contacts" is set to "Only BlackBerry Apps".

Note: Check text is applicable for EMM-Corporate (BlackBerry Balance) devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.
V-48601 No Change
Findings ID: BBDS-00-003120 Rule ID: SV-61477r1_rule Severity: low CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether a device unlock password with a minimum length of 4 characters has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server to enable a device unlock password with a minimum length of 4 characters.

This requirement can be met via one of two methods:

Method #1:
Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device:

Navigate to "Options/Settings -> Security ->Password" and set "Enable Password" to "ON". Create a 4 digit passcode for the device lock.

****************************************************************************************

Method #2:
The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the Work Space password to be used for both Work and Personal Spaces.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. Log into BlackBerry Administration Service and under "BlackBerry solution management" on the left side, expand "Group".
2. Click "Manage groups".
3. Click the name of the group.
4. Click "Edit group".
5. Click the "Policies" tab.
6. In the "IT policy list", select the IT policy.
7. Click "Save all".

To add an IT policy to a user account:
1. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side expand "User".
2. Click "Manage users".
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the "Add to user configuration" list, click "Set IT policy".
6. In the "IT policy" drop-down list, select the IT policy.
7. Click "Save".

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Administration Guide.
V-48603 No Change
Findings ID: BBDS-00-003160 Rule ID: SV-61479r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server configuration to determine if the commercial application store contains no applications. Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server application store to contain no commercial applications.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Software > Applications > Manage Applications" and verify that there are no applications listed under "BlackBerry World Applications".
V-48605 No Change
Findings ID: BBDS-00-003170 Rule ID: SV-61481r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
The warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: "I've read & consent to terms in IS user agreem't." (Wording must be exactly as specified.)

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Owner Information has been set. Otherwise, this is a finding.

Fix

Configure the BlackBerry Device Service server to force the display of a warning banner on the mobile device.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Owner Information" is set to "I've read & consent to terms in IS user agreem't".
V-48607 No Change
Findings ID: BBDS-00-003176 Rule ID: SV-61483r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether any mobile OS service that connects to a cloud storage server has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable any mobile OS service that connects to a cloud storage server.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Cloud Storage Access from Work Space" is set to "Disallow".

Note: The above is only for devices with EMM-Corporate (BlackBerry Balance). Devices with EMM-Corporate (Work Space only) inherently meet this requirement.
V-48609 No Change
Findings ID: BBDS-00-003177 Rule ID: SV-61485r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether all Work Space application traffic is routed through the BlackBerry Device Service server. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to direct all Work Space application traffic through the BlackBerry Device Service server.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Network Access Control for Work Apps" is set to "Yes".
V-48611 No Change
Findings ID: BBDS-00-003178 Rule ID: SV-61487r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether Personal Space applications access to the Work Space network connection has been disallowed. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disallow Personal Space applications access to the Work Space network connection.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Work Network Usage for Personal Apps" is set to "Disallow".

Note: Check text is applicable for EMM-Corporate (BlackBerry Balance) devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.
V-48613 No Change
Findings ID: BBDS-00-003179 Rule ID: SV-61489r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether hyperlinks within Work Space applications cannot open within the Personal Space browser application. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disallow hyperlinks within Work Space applications from opening within the Personal Space browser application.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Open Links in Work Email Messages in the Personal Browser" is set to "Disallow".
V-48617 No Change
Findings ID: BBDS-00-003181 Rule ID: SV-61493r1_rule Severity: high CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether any mobile OS service that connects to a cloud-based service server has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable any mobile OS service that connects to a cloud-based service.

Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Find More Contact Details" is set to "Disallow".
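The IT policy rule checks in V-48599, V-48605, V-48607, V-48609, V-48611, V-48613 and V-48617 all reduce to "open the policy, find the rule, compare the value", repeated for every policy and subject to the activation-type notes. The following PowerShell audit is an added example, not part of the STIG or of BlackBerry's tooling: it holds the required values from those items in one table, skips the Balance-only rules for EMM-Regulated (Work Space only) policies, and reports every policy whose value is missing or differs (the banner text is compared exactly, as the item requires). The policy data is constructed; in practice you would transcribe the values shown under "View complete IT Policy" for each policy. The ActivationType field and the hashtable layout are assumptions, not a BDS export format.

```powershell
# Added example (not from the STIG or BlackBerry): audits BDS IT policies
# against the rule values required by the items above. Policy data below is
# constructed; "ActivationType" is an assumed field, not a BDS export format.

# STIG ID -> rule, required value, tab it appears on, and whether the item
# applies only to EMM-Corporate (BlackBerry Balance) devices.
$RequiredRules = @(
    [pscustomobject]@{ StigId = 'BBDS-00-002542'; Tab = 'Security'; Rule = 'Personal Apps Access to Work Contacts'; Value = 'Only BlackBerry Apps'; BalanceOnly = $true }
    [pscustomobject]@{ StigId = 'BBDS-00-003170'; Tab = 'Security'; Rule = 'Owner Information'; Value = "I've read & consent to terms in IS user agreem't"; BalanceOnly = $false }
    [pscustomobject]@{ StigId = 'BBDS-00-003176'; Tab = 'Software'; Rule = 'Cloud Storage Access from Work Space'; Value = 'Disallow'; BalanceOnly = $true }
    [pscustomobject]@{ StigId = 'BBDS-00-003177'; Tab = 'Security'; Rule = 'Network Access Control for Work Apps'; Value = 'Yes'; BalanceOnly = $false }
    [pscustomobject]@{ StigId = 'BBDS-00-003178'; Tab = 'Security'; Rule = 'Work Network Usage for Personal Apps'; Value = 'Disallow'; BalanceOnly = $true }
    [pscustomobject]@{ StigId = 'BBDS-00-003179'; Tab = 'Software'; Rule = 'Open Links in Work Email Messages in the Personal Browser'; Value = 'Disallow'; BalanceOnly = $false }
    [pscustomobject]@{ StigId = 'BBDS-00-003181'; Tab = 'Software'; Rule = 'Find More Contact Details'; Value = 'Disallow'; BalanceOnly = $false }
)

function Test-BdsItPolicy {
    # Returns one finding object per (policy, rule) that is open; an empty
    # result means every reviewed policy is compliant for these items.
    param([Parameter(Mandatory)] [hashtable[]] $Policies)
    $findings = foreach ($policy in $Policies) {
        $isBalance = ($policy.ActivationType -eq 'EMM-Corporate')
        foreach ($req in $RequiredRules) {
            if ($req.BalanceOnly -and -not $isBalance) { continue }   # N/A for Work Space only devices
            $actual = $policy.Rules[$req.Rule]
            if ($actual -ceq $req.Value) { continue }                   # exact, case-sensitive match required
            $found = if ($null -eq $actual) { '<not set>' } else { $actual }
            [pscustomobject]@{
                Policy = $policy.Name; StigId = $req.StigId; Tab = $req.Tab
                Rule = $req.Rule; Expected = $req.Value; Found = $found
            }
        }
    }
    return @($findings)
}

# Constructed sample: one Balance policy, one Work Space only policy.
$SamplePolicies = @(
    @{ Name = 'Balance-Standard'; ActivationType = 'EMM-Corporate'; Rules = @{
        'Personal Apps Access to Work Contacts' = 'Only BlackBerry Apps'
        'Owner Information' = "I've read & consent to terms in IS user agreem't"
        'Cloud Storage Access from Work Space' = 'Allow'                     # finding
        'Network Access Control for Work Apps' = 'Yes'
        'Work Network Usage for Personal Apps' = 'Disallow'
        'Open Links in Work Email Messages in the Personal Browser' = 'Disallow'
        'Find More Contact Details' = 'Disallow'
    } }
    @{ Name = 'WorkSpaceOnly'; ActivationType = 'EMM-Regulated'; Rules = @{
        'Owner Information' = "I've read and consent to terms in IS user agreem't"   # finding: wording differs
        'Network Access Control for Work Apps' = 'Yes'
        'Open Links in Work Email Messages in the Personal Browser' = 'Disallow'
        # 'Find More Contact Details' is absent -> finding; Balance-only rules are N/A here
    } }
)

Test-BdsItPolicy -Policies $SamplePolicies | Format-Table -AutoSize
```

On the constructed data this reports three open findings: the cloud storage rule in Balance-Standard, and the banner wording and the missing Find More Contact Details rule in WorkSpaceOnly; the three Balance-only rules are not reported for the EMM-Regulated policy.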
V-48531 Removed
Findings ID: BBDS-00-000153 Rule ID: SV-61403r1_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether the Hands-Free Profile (SPP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth SPP" is set to "Disallow". Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable the Hands-Free Profile (SPP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth PAN" is set to "Disallow". Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.
V-48595 Removed
Findings ID: BBDS-00-002541 Rule ID: SV-61471r2_rule Severity: medium CCI: CCI-000370

Discussion

Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.

Checks

Review the BlackBerry Device Service server policy configuration to determine whether copying data from inside a non-secure data area on a mobile device into the security container has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed BlackBerry Device Service server policy rule to disable copying data from inside a non-secure data area on a mobile device into the security container. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Work App Access to Shared Files in the Personal Space" is set to "Disallow". Note: Check text is applicable for EMM-Corporate, and EMM-Regulated devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.