BlackBerry CylancePROTECT Mobile for UEM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2023-06-22

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
CylancePROTECT Mobile malware detection must be configured with the following compliance actions for system apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
CM-6 - Medium - CCI-000366 - V-257260 - SV-257260r918364_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-012600
Vuln IDs
  • V-257260
Rule IDs
  • SV-257260r918364_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60944r918362_chk

Verify the following compliance actions are enabled when malware is detected for system apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. Select Policies and profiles >> Compliance >> Compliance.
3. Select a compliance profile to review.
4. On the Android tab in the BlackBerry Protect section, verify:
   a. The "System app malware detected" box is selected.
   b. In the Prompt for compliance box, verify "Immediate enforcement action" is selected.
   c. In the "Enforcement action for device" drop-down list, verify "Untrust" is selected.
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions when malware is detected for system apps are not configured, this is a finding.

Fix: F-60886r918363_fix

Enable the following compliance actions when malware is detected for system apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. Select Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, do the following:
   a. Select the "System app malware detected" check box.
   b. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
   c. In the "Enforcement action for device" drop-down list, select "Untrust" (work resources and apps cannot be accessed).
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
5. Click "Save".
6. Assign the profile to users and groups.

CylancePROTECT Mobile malware detection must be configured with the following compliance actions for nonsystem apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
CM-6 - Medium - CCI-000366 - V-257261 - SV-257261r918367_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-012700
Vuln IDs
  • V-257261
Rule IDs
  • SV-257261r918367_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60945r918365_chk

Verify the following compliance actions are enabled when malware is detected for nonsystem apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. Select Policies and profiles >> Compliance >> Compliance.
3. Select a compliance profile to review.
4. On the Android tab in the BlackBerry Protect section, verify:
   a. The "Malicious app package detected" box is selected.
   b. In the Prompt for compliance box, verify "Immediate enforcement action" is selected.
   c. In the "Enforcement action for device" drop-down list, verify "Untrust" is selected.
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions when malware is detected for nonsystem apps are not configured, this is a finding.

Fix: F-60887r918366_fix

Configure the following compliance actions when malware is detected for nonsystem apps (Android only):
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. Select Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, do the following:
   a. Select the "Malicious app package detected" check box.
   b. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
   c. In the "Enforcement action for device" drop-down list, select "Untrust" (work resources and apps cannot be accessed).
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
5. Click "Save".
6. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following compliance action when a compliance event occurs:
-Notify Administrator (send event notification).
CM-6 - Medium - CCI-000366 - V-257262 - SV-257262r918370_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-012800
Vuln IDs
  • V-257262
Rule IDs
  • SV-257262r918370_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60946r918368_chk

Verify the following compliance action for CylancePROTECT Mobile has been enabled:
-Notify Administrator (send event notification).

1. Log on to the BlackBerry UEM console.
2. On the menu bar, click Settings >> General settings.
3. Click "Event notifications".
4. Verify each of the following BlackBerry Protect notifications is listed: "Safe Browsing", "Malicious app removed from UEM", "Malicious app detected on device", and "Sideloaded app detected on app".

If all four of the BlackBerry Protect notifications listed above are not enabled, this is a finding.

Fix: F-60888r918369_fix

Enable the following compliance action for CylancePROTECT Mobile:
-Notify Administrator (send event notification).

1. Log on to the BlackBerry UEM console.
2. On the menu bar, click Settings >> General settings.
3. Click "Event notifications".
   a. On the "Event notifications" tab, click "Add".
   b. Select event type "BlackBerry Protect".
   c. Click one of the following selections: "Safe Browsing", "Malicious app removed from UEM", "Malicious app detected on device", or "Sideloaded app detected on app".
   d. Click "Next".
4. In the Date/time to send email notification drop-down list, select one of the following options:
   a. Always after an event: Email notifications are sent whenever the event occurs.
   b. Any preconfigured schedule in the list.
   c. Add new scheduler: Create a schedule and click "Save".
5. In the Recipients field, select one of the following options:
   a. Add new distribution list: Create a distribution list and click "Save".
   b. Any preconfigured distribution list.
6. In the email template drop-down list, select the email template to use for the event notification.
7. In the Status drop-down list, select "On" to enable the event notification.
8. Click "Preview email" to see the event notification email and the list of email addresses for the recipients.
9. Click "Save".
10. Repeat steps 3–9 for each of the possible BlackBerry Protect event notifications ("Safe Browsing", "Malicious app removed from UEM", "Malicious app detected on device", "Sideloaded app detected on app").

CylancePROTECT Mobile must be configured with the following compliance actions when sideloaded apps are detected:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
CM-6 - Medium - CCI-000366 - V-257263 - SV-257263r918373_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-012900
Vuln IDs
  • V-257263
Rule IDs
  • SV-257263r918373_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60947r918371_chk

Verify the following compliance actions have been enabled when sideloaded apps are detected:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Find the CylancePROTECT Mobile sideloaded app compliance profile (have the site system administrator identify the correct profile).
4. Select the iOS tab and verify the following selections:
5. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected.
6. In the "Enforcement action for device" drop-down list, verify "Untrust" is selected.
7. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.
8. Repeat steps 4–6 for Android.

If required compliance actions for when sideloaded apps are detected for iOS and Android are not configured, this is a finding.

Fix: F-60889r918372_fix

Configure the following compliance actions when sideloaded apps are detected:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing work resources and apps on the device while it is out of compliance.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. Select the iOS tab to configure sideload detection for that platform.
5. In the BlackBerry Protect section, select the "Sideloaded app is installed" check box.
6. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
7. In the "Enforcement action for device" drop-down list, select "Untrust".
8. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
9. Repeat steps 3–7 to configure compliance actions for Android.
10. Click "Save".
11. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following safe browsing controls for BlackBerry Dynamics apps:
-Block all unsafe URLs.
-Select one of the following for "scanning option": "Cloud scanning" or "On device scanning".
-Disable "Allow users to override blocked resources and enable access to the requested domain".
CM-6 - Medium - CCI-000366 - V-257264 - SV-257264r918376_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013000
Vuln IDs
  • V-257264
Rule IDs
  • SV-257264r918376_rule
The required application configurations will ensure that the minimum security baseline of the system is maintained to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60948r918374_chk

Verify safe browsing with BlackBerry Dynamics apps has been configured as required:

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Protection >> BlackBerry Protect.
3. Open the BlackBerry Protect profile (have the site system administrator identify the profile from the list).
4. Select the platform (iOS or Android) to review.
5. Verify that the "Check for unsafe web resources within the BlackBerry Dynamics apps" check box is selected.
6. Verify "Block" is selected in the Action for unsafe web resources drop-down list.
7. Verify in the Scanning option drop-down list, one of the following has been selected AND "No scanning" is not selected:
   -"Cloud scanning".
   -"On device scanning".
8. Verify "Allow users to override blocked resources and enable access to the requested domain" is not selected.
9. Repeat steps 4–8 for the other platform (iOS or Android).

If safe browsing for BlackBerry Dynamics apps on iOS and Android devices is not configured as required, this is a finding.

Fix: F-60890r918375_fix

Configure the following safe browsing controls for BlackBerry Dynamics apps:
-Block all unsafe URLs.
-Select one of the following for "scanning option": Cloud scanning, on device scanning.
-Disable "Allow users to override blocked resources and enable access to the requested domain".

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Protection >> BlackBerry Protect.
3. Open the BlackBerry Protect profile or create a new profile.
4. Select the platform (iOS or Android) to configure safe browsing.
5. Verify that the "Check for unsafe web resources within the BlackBerry Dynamics apps" check box is selected.
6. In the Action for unsafe web resources drop-down list, select "Block".
7. In the Scanning option drop-down list, choose one of the following only (do not choose "No scanning"): "Cloud scanning" or "On device scanning".
8. Do not select the "Allow users to override blocked resources and enable access to the requested domain" check box.
9. Repeat steps 4–8 for the other platform (iOS or Android).
10. Click "Save".
11. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following compliance actions when insecure networks are detected for mobile devices:
-Block device from network connection and insecure Wi-Fi access points.
-Block access to BlackBerry Dynamics apps.
CM-6 - Medium - CCI-000366 - V-257265 - SV-257265r918379_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013100
Vuln IDs
  • V-257265
Rule IDs
  • SV-257265r918379_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60949r918377_chk

Verify the following compliance actions are enabled when insecure networks are detected:
-Block device from network connection and insecure Wi-Fi access points.
-Block access to BlackBerry Dynamics apps.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Open the appropriate compliance profile (have the site system administrator identify the profile).
4. Verify required compliance actions for insecure network detection are enabled.
   a. On both the iOS and Android tabs, in the BlackBerry Protect section, verify "Insecure network detected" is selected.
   b. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected.
   c. In the "Enforcement action for device" drop-down list, verify "Untrust" is selected (Android only).
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.
5. Verify compliance actions for insecure Wi-Fi access point detection are enabled (Android only).
   a. On the Android tab in the BlackBerry Protect section, verify "Insecure Wi-Fi network detected" is selected.
   b. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected.
   c. In the "Enforcement action for device" drop-down list, verify "Untrust" is selected.
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If any required compliance actions for insecure network detection for mobile devices have not been implemented, this is a finding.

Fix: F-60891r918378_fix

Configure the following compliance actions when insecure networks are detected:
-Block device from network connection and insecure Wi-Fi access points.
-Block access to BlackBerry Dynamics apps.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. Configure compliance actions for insecure network detection.
   a. On both the iOS and Android tabs, in the BlackBerry Protect section, select the "Insecure network detected" check box.
   b. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
   c. In the "Enforcement action for device" drop-down list, select the following: "Untrust" (Android only).
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select the following: "Do not allow BlackBerry Dynamics apps to run".
5. Configure compliance actions for insecure Wi-Fi access point detection (Android only).
   a. On the Android tab in the BlackBerry Protect section, select the "Insecure Wi-Fi network detected" check box.
   b. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
   c. In the "Enforcement action for device" drop-down list, select the following: "Untrust".
   d. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select the following: "Do not allow BlackBerry Dynamics apps to run".
6. Click "Save".
7. Assign the profile to users.

CylancePROTECT Mobile must be configured with the following compliance actions for integrity violations with BlackBerry Dynamics apps on iOS devices:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.
CM-6 - Medium - CCI-000366 - V-257266 - SV-257266r918382_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013200
Vuln IDs
  • V-257266
Rule IDs
  • SV-257266r918382_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60950r918380_chk

Verify the following compliance actions for BlackBerry Dynamics apps are configured when there is an iOS device integrity violation:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. View the appropriate compliance profile (have the site system administrator identify the profile).
4. On the iOS tab in the BlackBerry Protect section, verify the "App integrity failed" check box is selected.
5. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected.
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions for integrity violations for BlackBerry Dynamics apps on iOS devices are not enabled, this is a finding.

Fix: F-60892r918381_fix

Configure the following compliance actions for iOS device integrity violations for BlackBerry Dynamics apps:
-Prompt for compliance: Immediate enforcement action.
-Prevent the user from accessing BlackBerry Dynamics apps while the device is out of compliance.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the iOS tab in the BlackBerry Protect section, select the "App integrity failed" check box.
5. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, choose the following: "Do not allow BlackBerry Dynamics apps to run".
7. Click "Add" or "Save".
8. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following Android security patch compliance and hardware certificate attestation controls:
-"Android hardware attestation frequency" = 6 hours.
-"Device grace period" = 0 hours.
-"Challenge frequency for noncompliant devices" = 6 hours.
CM-6 - Medium - CCI-000366 - V-257267 - SV-257267r918385_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013300
Vuln IDs
  • V-257267
Rule IDs
  • SV-257267r918385_rule
The required application configurations will ensure that the minimum security baseline of the system is maintained to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60951r918383_chk

Verify the following Android security patch compliance and hardware certificate attestation controls are enabled for CylancePROTECT Mobile:
-"Android hardware attestation frequency" = 6 hours.
-"Device grace period" = 0 hours.
-"Challenge frequency for noncompliant devices" = 6 hours.

1. Log on to the BlackBerry UEM console.
2. In the management console, click Settings >> General Settings >> Attestation.
3. In the "Android hardware attestation frequency" section, verify "Enable hardware patch level attestation challenges for Android devices" is selected.
4. In the "Challenge frequency" drop-down list, verify the device attestation response is set to "6 hours".
5. In the "Device grace period" drop-down list, verify the grace period is set to "0 hours" (no grace period).
6. In the "Challenge frequency for noncompliant devices" field, verify the frequency UEM tests the integrity of devices that are not currently in compliance is set to "6 hours".

If required Android security patch compliance and hardware certificate attestation controls are not enabled, this is a finding.

Fix: F-60893r918384_fix

Configure the following Android security patch compliance and hardware certificate attestation controls:
-"Android hardware attestation frequency" = 6 hours.
-"Device grace period" = 0 hours.
-"Challenge frequency for noncompliant devices" = 6 hours.

1. Log on to the BlackBerry UEM console.
2. In the management console, click Settings >> General Settings >> Attestation.
3. In the "Android hardware attestation frequency" section, select the "Enable hardware patch level attestation challenges for Android devices" check box.
4. In the "Challenge frequency" drop-down list, set how often the device must return an attestation response to "6 hours".
5. In the Device grace period drop-down list, set the grace period to "0 hours" (no grace period).
6. In the Challenge frequency for noncompliant devices field, set how often UEM tests the integrity of devices that are not currently in compliance to "6 hours".
7. Click "Save".

CylancePROTECT Mobile must be configured with the following compliance actions when an Android device fails security patch compliance and attestation:
-Prompt behavior: Immediate enforcement action.
-Enforcement action for device: Select either "Untrust", "Delete only work data" or "Delete all data".
-Enforcement action for BlackBerry Dynamics apps: Select either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data".
CM-6 - Medium - CCI-000366 - V-257268 - SV-257268r918388_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013400
Vuln IDs
  • V-257268
Rule IDs
  • SV-257268r918388_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60952r918386_chk

Verify the following compliance actions when an Android device fails security patch compliance and attestation have been configured:
-Prompt behavior: Immediate enforcement action.
-Enforcement action for device: Select either "Untrust", "Delete only work data", or "Delete all data".
-Enforcement action for BlackBerry Dynamics apps: Select either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data".

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Select the appropriate compliance profile (have the site system administrator identify the profile).
4. On the Android tab, verify the "Required security patch level is not installed" check box has been selected.
5. Verify for "Prompt behavior" "Immediate enforcement action" has been selected.
6. Verify for "Enforcement action for device" either "Untrust", "Delete work data only", or "Delete all data" has been selected.
7. Verify for "Enforcement action for BlackBerry Dynamics apps" either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data" has been selected.

If required compliance actions when an Android device fails security patch compliance and attestation have not been configured, this is a finding.

Fix: F-60894r918387_fix

Configure the following compliance actions when an Android device fails security patch compliance and attestation:
-Prompt behavior: Immediate enforcement action.
-Enforcement action for device: Select either "Untrust", "Delete only work data", or "Delete all data".
-Enforcement action for BlackBerry Dynamics apps: Select either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data".

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab, select the "Required security patch level is not installed" check box. Add the required device models and corresponding security patches.
5. For "Prompt behavior", select "Immediate enforcement action".
6. For "Enforcement action for device", select either "Untrust", "Delete work data only", or "Delete all data".
7. For "Enforcement action for BlackBerry Dynamics apps", select either "Do not allow BlackBerry Dynamics apps to run" or "Delete BlackBerry Dynamics apps data".
8. Click "Add" or "Save".
9. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation failure occurs (Android only):
-Prompt for compliance: Immediate enforcement action.
-Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.
CM-6 - Medium - CCI-000366 - V-257269 - SV-257269r918391_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013500
Vuln IDs
  • V-257269
Rule IDs
  • SV-257269r918391_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60953r918389_chk

Verify the following compliance actions when a hardware attestation failure occurs have been configured (Android only):
-Prompt for compliance: Immediate enforcement action.
-Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Select the appropriate compliance profile (have the site system administrator identify the profile).
4. On the Android tab in the BlackBerry Protect section, verify the "Hardware attestation failed" box is checked.
5. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected.
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions when a hardware attestation failure occurs have not been configured, this is a finding.

Fix: F-60895r918390_fix

Configure the following compliance actions when a hardware attestation failure occurs (Android only):
-Prompt for compliance: Immediate enforcement action.
-Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, select the "Hardware attestation failed" check box.
5. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
6. Configure other prompt settings (method, count, and interval) as desired (no required selections).
7. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
8. Click "Add" or "Save".
9. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation certificate failure occurs (Android only):
-Minimum security level required: "Trusted Environment" or "StrongBox".
-Prompt behavior: "Immediate enforcement action".
-Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
CM-6 - Medium - CCI-000366 - V-257270 - SV-257270r918394_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013600
Vuln IDs
  • V-257270
Rule IDs
  • SV-257270r918394_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60954r918392_chk

Verify the following compliance actions are enabled when a hardware attestation certificate failure occurs (Android only):
-Minimum security level required: "Trusted Environment" or "StrongBox".
-Prompt behavior: "Immediate enforcement action".
-Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Select the appropriate compliance profile (have the site system admin identify the profile).
4. On the Android tab in the BlackBerry Protect section, verify "Hardware attestation security level" has been selected.
5. In the "Minimum security level required" drop-down list, verify either "Trusted Environment" or "StrongBox" is selected.
6. In the "Prompt behavior" drop-down list, verify "Immediate enforcement action" is selected.
7. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions are not enabled when a hardware attestation certificate failure occurs, this is a finding.

Fix: F-60896r918393_fix

Configure the following compliance actions when a hardware attestation certificate failure occurs (Android only):
- Minimum security level required: "Trusted Environment" or "StrongBox".
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, select the "Hardware attestation security level" check box.
5. In the "Minimum security level required" drop-down list, select either "Trusted Environment" or "StrongBox".
6. In the "Prompt behavior" drop-down list, select "Immediate enforcement action".
7. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
8. Click "Add" or "Save".
9. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation boot state failure occurs (Android only):
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
CM-6 - Medium - CCI-000366 - V-257271 - SV-257271r918397_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013700
Vuln IDs
  • V-257271
Rule IDs
  • SV-257271r918397_rule
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60955r918395_chk

Verify the following compliance actions when a hardware attestation boot state failure occurs are configured (Android only):
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Select the appropriate compliance profile (have the site system administrator identify the profile).
4. On the Android tab in the BlackBerry Protect section, verify the "Hardware attestation boot state is unverified" check box is selected.
5. In the "Prompt behavior" drop-down list, verify "Immediate enforcement action" is selected.
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.
If required compliance actions when a hardware attestation boot state failure occurs are not configured, this is a finding.

Fix: F-60897r918396_fix

Configure the following compliance actions when a hardware attestation boot state failure occurs (Android only):
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".
1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, select the "Hardware attestation boot state is unverified" check box.
5. In the "Prompt behavior" drop-down list, select "Immediate enforcement action".
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
7. Click "Add" or "Save".
8. Assign the profile to users and groups.

CylancePROTECT Mobile must be configured to disable anonymous data collection by BlackBerry for both iOS and Android devices.
CM-6 - Medium - CCI-000366 - V-257272 - SV-257272r918400_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013800
Vuln IDs
  • V-257272
Rule IDs
  • SV-257272r918400_rule
The required application configurations will ensure that the minimum security baseline of the system is maintained to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60956r918398_chk

Verify anonymous data collection by BlackBerry for both iOS and Android devices has been disabled by CylancePROTECT Mobile:
1. Log on to the BlackBerry UEM console.
2. In Policies and profiles >> Protection >> BlackBerry Protect, select a BlackBerry Protect profile.
3. On the iOS tab, in the "Statistics collection" section, verify the "Allow collection of anonymized statistics from devices to improve the performance of BlackBerry Protect" check box has not been selected.
4. On the Android tab, in the "Statistics collection" section, verify the "Allow collection of anonymized statistics from devices to improve the performance of BlackBerry Protect" check box has not been selected.
If CylancePROTECT Mobile has not disabled anonymous data collection by BlackBerry for both iOS and Android devices, this is a finding.

Fix: F-60898r918399_fix

Disable CylancePROTECT Mobile anonymous data collection by BlackBerry for both iOS and Android devices:
1. Log on to the BlackBerry UEM console.
2. In Policies and profiles >> Protection >> BlackBerry Protect, select and edit a BlackBerry Protect profile.
3. On the iOS tab, in the "Statistics collection" section, clear the "Allow collection of anonymized statistics from devices to improve the performance of BlackBerry Protect" check box.
4. On the Android tab, in the "Statistics collection" section, clear the "Allow collection of anonymized statistics from devices to improve the performance of BlackBerry Protect" check box.
5. Click "Save".

CylancePROTECT Mobile must be configured to enable SMS text message scanning (iOS only).
CM-6 - Medium - CCI-000366 - V-257273 - SV-257273r918403_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BBCP-00-013900
Vuln IDs
  • V-257273
Rule IDs
  • SV-257273r918403_rule
The required application configurations will ensure that the minimum security baseline of the system is maintained to limit exposure of sensitive data and unauthorized access to the mobile device.
Checks: C-60957r918401_chk

Verify SMS text message scanning has been configured as required (iOS only):
1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Protection >> BlackBerry Protect.
3. Open the BlackBerry Protect profile (have the site system administrator identify the profile from the list).
4. Select the iOS platform.
5. Verify that the "Enable message scanning" check box is selected.
6. Verify that in the Scanning option drop-down list one of the following has been selected AND "No scanning" is not selected:
- "Cloud scanning".
- "On device scanning".
If SMS text message scanning for iOS devices is not configured as required, this is a finding.

Fix: F-60899r918402_fix

Configure SMS text message scanning (iOS only):
1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Protection >> BlackBerry Protect.
3. Open the BlackBerry Protect profile or create a new profile.
4. Select the iOS platform.
5. Verify that the "Enable message scanning" check box is selected.
6. In the Scanning option drop-down list, choose one of the following only (do not choose "No scanning"): "Cloud scanning" or "On device scanning".
7. Click "Save".
8. Assign the profile to users and groups.