BlackBerry BES 12.3.x MDM Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2016-04-25

Updated At: 2018-09-23 02:03:35

Findings

Each finding lists Vuln ID, Rule Version, CCI, Severity, Title and Description.

Vuln ID: SV-83175r1_rule
Rule Version: BS12-3X-000100
CCI: CCI-000048
Severity: LOW
Title: Before establishing a user session, the BES12 server must display an administrator-specified advisory notice and consent warning message regarding use of the BES12 server.
Description: Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to a

Vuln ID: SV-83177r1_rule
Rule Version: BS12-3X-000700
CCI: CCI-000366
Severity: MEDIUM
Title: The BES12 server must be configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; e. Auditor.
Description: Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This

Vuln ID: SV-83179r1_rule
Rule Version: BS12-3X-003900
CCI: CCI-000129
Severity: MEDIUM
Title: The BES12 server must be configured to enable all required audit events: a. Failure to push a new application on a managed mobile device; b. Failure to update an existing application on a managed mobile device.
Description: Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. SFR ID: FAU_GEN.1.1(2) Refinement

Vuln ID: SV-83181r1_rule
Rule Version: BS12-3X-005400
CCI: CCI-000015
Severity: MEDIUM
Title: The BES12 server must leverage the BES12 Platform user accounts and groups for BES12 server user identification and authentication.
Description: A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at r

Vuln ID: SV-83183r1_rule
Rule Version: BS12-3X-100100
CCI: CCI-000057
Severity: MEDIUM
Title: The BES12 server must initiate a session lock after a 15-minute period of inactivity.
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t

Vuln ID: SV-83185r1_rule
Rule Version: BS12-3X-100400
CCI: CCI-000382
Severity: MEDIUM
Title: The BES12 server platform must be protected by a DoD-approved firewall.
Description: Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide

Vuln ID: SV-83187r1_rule
Rule Version: BS12-3X-100500
CCI: CCI-000382
Severity: MEDIUM
Title: The firewall protecting the BES12 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BES12 server and platform functions.
Description: Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Since the MDM server is a critical compon

Vuln ID: SV-83193r1_rule
Rule Version: BS12-3X-100800
CCI: CCI-000366
Severity: MEDIUM
Title: The BES12 server must be configured to disable a user's capability to perform self-service tasks.
Description: The security posture of a BlackBerry device or the DoD BlackBerry service could be compromised if users are able to perform self-service tasks, including activating unauthorized devices. In the DoD environment, strict configuration management of the secur

Vuln ID: SV-83195r1_rule
Rule Version: BS12-3X-101100
CCI: CCI-000366
Severity: MEDIUM
Title: The server PKI digital certificate installed on the BES12 Server to support Consoles and BlackBerry Web Services authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.
Description: When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520.02 requires that PKI certificates come fro
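The host-firewall requirement in BS12-3X-100500 (default-deny in both directions, with an explicit allow-list of ports, protocols and address ranges) can be implemented and checked with the Windows Firewall on the BES12 host. The script below is an added example written for this page; it is not part of the STIG or of BlackBerry's own documentation. The port numbers, address ranges and the rule group name 'BES12-STIG' are placeholders: take the real values from the BES12 port reference and your network design.

```powershell
# Added example, not STIG or BlackBerry code. Run in an elevated PowerShell on the
# BES12 host. All ports and address ranges below are assumed placeholders.

$RuleGroup = 'BES12-STIG'

# Allow-list: everything not listed here is dropped by the default actions set below.
$Allowed = @(
    # Inbound HTTPS to the management console, only from the admin network (assumed range).
    @{ Name = 'BES12 console HTTPS in'; Dir = 'Inbound';  Proto = 'TCP'; Port = 443;  Remote = '10.0.10.0/24' }
    # Outbound from BES12 to the BlackBerry Infrastructure (assumed port; confirm in BES12 docs).
    @{ Name = 'BES12 to BlackBerry Infrastructure'; Dir = 'Outbound'; Proto = 'TCP'; Port = 3101; Remote = 'Any' }
    # Outbound to the directory server for user/group lookups (BS12-3X-005400; assumed host).
    @{ Name = 'BES12 to LDAPS';  Dir = 'Outbound'; Proto = 'TCP'; Port = 636;  Remote = '10.0.20.5' }
)

function Set-Bes12DefaultDeny {
    # Default-deny on every profile, in both directions.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # Recreate our rule group so the script can be re-run safely.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    foreach ($r in $Allowed) {
        $common = @{
            DisplayName   = $r.Name
            Group         = $RuleGroup
            Direction     = $r.Dir
            Protocol      = $r.Proto
            RemoteAddress = $r.Remote
            Action        = 'Allow'
        }
        # Inbound rules pin the local listening port; outbound rules pin the remote port.
        if ($r.Dir -eq 'Inbound') { New-NetFirewallRule @common -LocalPort  $r.Port | Out-Null }
        else                      { New-NetFirewallRule @common -RemotePort $r.Port | Out-Null }
    }
}

function Test-Bes12DefaultDeny {
    # Returns $true only if every profile is enabled and blocks by default both ways.
    $nonCompliant = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or
        $_.DefaultInboundAction -ne 'Block' -or
        $_.DefaultOutboundAction -ne 'Block'
    }
    return (@($nonCompliant).Count -eq 0)
}

Set-Bes12DefaultDeny
if (-not (Test-Bes12DefaultDeny)) { Write-Warning 'Firewall profiles are not default-deny' }

# Show the resulting allow-list for the reviewer.
Get-NetFirewallRule -Group $RuleGroup | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

A default-deny outbound policy will also block Windows Update, time sync and any SIEM forwarder on the host, so add those to the allow-list deliberately rather than relaxing the default action.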
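For BS12-3X-101100, the two things a reviewer needs to verify on the BES12 host are that the console/web-services certificate is not self-signed and that it chains to a DoD issuing CA. The function below is an added example for this page, not STIG or BlackBerry code. It assumes the server certificate lives in the local machine personal store (Cert:\LocalMachine\My) and that DoD issuers carry 'OU=DoD, O=U.S. Government' in their distinguished name; adjust the pattern if your PKI names differ.

```powershell
# Added example, not STIG or BlackBerry code.
function Get-Bes12CertificateFindings {
    param(
        # Assumption: the BES12 server certificate is in the machine personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Assumption about DoD PKI issuer DN form; tune to your trust anchors.
        [string]$DoDIssuerPattern = 'OU=DoD, O=U\.S\. Government, C=US$'
    )

    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        # A self-signed certificate has identical subject and issuer names.
        $selfSigned = ($_.Subject -eq $_.Issuer)
        $dodIssued  = ($_.Issuer -match $DoDIssuerPattern)

        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            SelfSigned = $selfSigned
            DoDIssued  = $dodIssued
            # Open finding if either condition in the STIG item is violated.
            Finding    = ($selfSigned -or -not $dodIssued)
        }
    }
}

Get-Bes12CertificateFindings | Format-Table Thumbprint, SelfSigned, DoDIssued, Finding, Issuer -AutoSize
```

Only certificates with a private key are listed, because those are the ones the server can present. Match the thumbprint against the certificate bound to the BES12 console and BlackBerry Web Services ports; a DoD-issued certificate sitting unused in the store next to a self-signed one that is actually bound is still a finding.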