Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". 3. Verify the setting for the "limit number of total and user sessions" option is checked. 4. Verify the active sessions allowed for a user option has a numeric value of 1. If the TippingPoint SMS does limit the maximum number of concurrent active sessions to one for the account of last resort, this is a finding.
1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". Click the check box for "Limit number of total and user sessions". 3. Type 1 for the number of active sessions allowed for a user. 4. Click OK.
1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". 3. Verify the setting for the "limit number of total and user sessions" option is checked. 4. Verify the active sessions allowed on SMS option has a numeric value of 10 or less. If the TippingPoint SMS does not limit total number of user sessions for privileged uses to a maximum of 10, this is a finding.
1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". Click the check box for "Limit number of total and user sessions". 3. Type 10 or less for the number of active sessions allowed on SMS. 4. Click OK.
1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" Under "Client Preferences". 3. Verify the option for "Auto reconnect client to server after a disconnect occurs" is unchecked. If the TippingPoint SMS does not disable auto reconnect after disconnect, this is a finding.
1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" Under "Client Preferences". Uncheck "Auto reconnect client to server after a disconnect occurs". 3. Click OK.
Verify the SMS client requires locking of account after three invalid login attempts. Navigate to Edit >> Preferences. If the checkbox for "Lock user after failed login attempts" is not checked, or if the threshold is not set to 3, this is a finding.
In the Trend Micro TippingPoint system, ensure the SMS client is requiring locking of account after three invalid login attempts: 1. Navigate to Edit >> Preferences. 2. Click the checkbox for "Lock user after failed login attempts". 3. Under threshold enter 3. 4. Click OK to save.
Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DTM-08-060. Verify the SMS client has a login banner configured by viewing the SMS client toolbar, client login, web login, console/CLI, or remote/SSH login. Verify the TPS login banner is enabled: 1. Click Devices, All Devices, and the TPS Device hostname. 2. Click Device Configuration. 3. Click Login Banner. If the TippingPoint SMS, TPS, and SMS client does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.
Configure banner message to display on the SMS client toolbar or when a user attempts to log in to the following interfaces: SMS client, SMS web management console, CLI, or remote SSH client. 1. Select Edit >> Preferences >> Banner Message. 2. Check "Enable Banner Message". 3. Add the exactly worded and formatted DoD-approved banner as presented in accordance with DTM-08-060. 4. Check all the boxes under the banner to display on check display on client toolbar, client login, web login, console/CLI, and remote/SSH login. To enable the TPS login banner: 1. Select Devices >> All Devices >> <TPS Device hostname>. 2. Select Device Configuration >> Login Banner >> Enable Banner Message. 3. Add the exactly worded and formatted DoD-approved banner as presented in accordance with DTM-08-060. 4. Click OK.
In the SMS client, ensure the SMS and TPS have disabled all unnecessary and insecure protocols. 1. For SMS, click Admin and Management. 2. Ensure only Ping is enabled and the SMS is in FIPS Mode. If any other services are enabled or if the SMS is not in FIPS mode, this is a finding. 3. For TPS, click Devices, All Devices, and the subject device hostname. 4. Click Device Configuration and select Services. Ensure only TLS 1.2 is enabled. 5. Under FIPS Settings ensure the FIPS Mode is selected. If any other services are enabled or if the TPS is not in FIPS mode, this is a finding.
In the SMS client, ensure the SMS and TPS have disabled all unnecessary and insecure protocols. 1. For SMS, click Admin and Management. 2. Uncheck SSH, HTTPS, and TAXII. Ensure only Ping is checked. 3. Click edit on FIPS Mode. 4. Under an approved change window only, enable FIPS Crypto Core. This will cause a reboot; only do this when authorized. 5. For TPS, click Devices, All Devices, and the subject device hostname. 6. Click Device Configuration and select Services. 7. Uncheck SSH, TLS 1.0 and TLS 1.1. Only HTTPS should be selected. 8. Under FIPS Settings ensure the FIPS Mode is selected. This should also be done in an approved change window, as a reboot will be triggered.
In the SMS client, ensure the SMS has only a single local account. Select Admin >> Authentication and Authorization >> Users. If more than one user is enabled under user accounts, this is a finding.
In the SMS client, ensure the SMS has only a single local emergency account. 1. Select Admin >> Authentication and Authorization >> Users. 2. Delete all but the user account being used for local emergency user account/account of last resort functions. The local emergency user account must not be disabled after 35 days of inactivity. Log in to the serial console and set the following command: set pwd.emergency-user=<USERNAME>
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click "Edit" and "Preferences". 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
In the SMS client, verify the TPS FIPS Mode is enabled. 1. For TPS, click Devices, All Devices, and the subject device hostname. 2. Click FIPS Settings and ensure the FIPS Mode is selected. If the TPS is not in FIPS mode, this is a finding.
In the SMS client, enable the TPS FIPS Mode. 1. For TPS, click Devices, All Devices, and the subject device hostname. 2. Click FIPS Settings, then check enabled. This must be done in the approved change window, as the TPS will reboot.
In the SMS client, ensure the SMS inactivity timeouts are configured. 1. Under Security, click Edit and Preferences. 2. Under Client Preferences, if "Timeout client session after inactivity" is not checked or the Time is not set to 10 minutes, this is a finding.
In the SMS client, ensure the SMS inactivity timeouts are configured. 1. Under Security, click Edit and Preferences. 2. Under Client Preferences, check the item "Timeout client session after inactivity" and ensure the Time is set to 10 minutes.
In the SMS client, ensure a SNMPv3 trap destination is configured. 1. Navigate to Admin >> Server Properties >> SNMP. 2. View the NMS configuration. If an NMS Trap Destination is not configured, this is a finding.
In the SMS client, configure a SNMPv3 trap destination is configured. Audit failure alerts are generated via SNMPv3 traps. 1. Navigate to Admin >> Server Properties >> SNMP >> Add. 2. Enter the IPv4 or IPv6 address, Version 3, with the username, and authPriv keys configured that match the site's required attributes.
In the SMS client, ensure two NTP sources are configured. 1. Select Admin, Server Properties, and Network. 2. If Enable NTP is not checked or at least two NTP servers are not configured under Date/Time, this is a finding.
In the SMS client, ensure two NTP sources are configured. 1. Select Admin, Server Properties, and Network. 2. Check Enable NTP. 3. Enter a server IPv4 address in NTP Server 1 and NTP Server. 4. Ensure this is done under an approved change window as it will cause a reboot.
In the SMS client, ensure the GMT/UTC time zone is configured. 1. Select Admin, Server Properties, and Network. 2. If a time zone other than UTC is selected, this is a finding.
In the SMS client, ensure the GMT/UTC time zone is configured. 1. Select Admin, Server Properties, and Network. 2. Under time zone, select UTC. 3. Ensure this is done under an approved change window as it will cause a reboot.
In the Trend Micro TippingPoint system, ensure the SMS client is using CAC authentication and LDAPS authorization. 1. Log in to the SMS client. 2. Navigate to Authentication and Authorization >> Authentication. If "Use CAC authentication" is not selected, this is a finding.
Follow these configuration steps to enable CAC/LDAPS authentication and authorization to the Trend Micro TippingPoint SMS client. The Site's LDAPS/AD environment must be configured to audit all account actions. I. Certificate Load Steps: 1. Log in to the SMS client. 2. Select Certificate Management >> CA certificates >> Import. 3. Find the CA signing certificate bundle for the LDAPS servers on your machine. 4. Enter the name, then select browse to find the CA certificate. 5. Click OK. 6. Repeat steps for all other DoD Root and Intermediate CAs being used for the administrator’s admin-token/CACs. II. LDAP Authorization configuration steps: 1. Select Authentication and Authorization >> Groups >> New. 2. Type the name of the LDAP group exactly as it appears as the CN in the active directory domain. 3. Add all site-specific details including which role to map superuser, admin, or operator. 4. Under Active Directory Group Mapping ensure the item "map this group to the same named group in active directory" is selected. 5. Select OK. III. LDAPS Server configuration - ensure a DNS resolver has been configured in accordance with the admin guide, and this DNS resolver knows how to resolve the domain the SMS will log into: 1. Under Admin, navigate to Authentication and CAC >> Edit. 2. Enter the Server address: ensure it is the fully qualified domain name as the LDAPS certificate will likely have it. 3. Enable SSL: must be checked for LDAPS. 4. Current certificate: must be the intermediate root certificate/issuing CA certificate for the domain controllers - this is the CA certificate loaded in the first section. 5. Port: 636 or your DoD LDAPS port, if different. 6. Timeout: 30 seconds is the default. 7. Admin name: the account that has privileges to access the directory schema – format is username@domain.name 8. Admin password: password of previous admin account. 9. User search base: this is the LDAP directory tree for the accounts that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil 10. User search attribute: normally in DoD this is userPrincipalName. 11. User display attribute: normally in DoD this is sAMAccountName. 12. Group search base: this is the LDAP directory tree for the groups that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil 13. Group name attribute: normally it is cn. 14. Select the test button to ensure all configurations provided function correctly. 15. Select OK. IV. Enable OCSP revocation checking: 1. Under OCSP Settings, navigate to Certificate Management and Revocation >> New >> Certificate Authority. 2. Type the full OCSP URI (e.g. http://ocsp.disa.mil). 3. Repeat this step for all CA certificates in the CAC trust chain. 4. Optionally, to add a CRL click New under Certificate Revocation Lists. 5. Select the Certificate Authority. 6. Type the full CRL path including to the specific CRL file (e.g. http://crl.disa.mil/certificate.crl). V. Enable CAC authentication/LDAPS authorization: 1. Navigate to Admin >> Authentication and Groups >> Edit. 2. Click Use CAC Authentication (ensure the local emergency user account is checked for local access in case of emergency troubleshooting). 3. Select OK. 4. Close the SMS client. VI. Test CAC authentication: 1. Ensure one other smartcard reader is enabled in the device manager of the computer you are using. 2. Open the SMS client. 3. Type the hostname/IP of the SMS server. 4. Ensuring the CAC/admin token is inserted in the reader, type the PIN of the CAC. 5. Select the certificate to use to login. 6. Select OK. 7. User should be taken to the dashboard and configuration area of the SMS. VII. Troubleshooting: 1. If you receive errors logging in with CAC go to the serial console of the SMS server. 2. Login with the local account of last resort. 3. Type the command "set cac.disable = yes" - this will give your local admin login access to the SMS client to troubleshoot any configuration errors.
In the SMS client, ensure a SNMPv3 trap destination and SNMPv3 Requests are configured. 1. Select Admin and Server Properties. 2. Select SNMP. If an NMS Trap Destination is not configured, or if SNMPv3 requests are not configured, or if the SNMPv3 protocol does not use as least AES-128 for privacy and SHA1 for authentication, then this is a finding.
In the SMS client, ensure a SNMPv3 trap destination is configured. 1. Select Admin and Server Properties. 2. Select SNMP. 3. Click Add. 4. Enter the IPv4 or IPv6 address, Version 3, with the username, and authPriv keys configured that match the site's required attributes. The authentication must at least be SHA1 and the privacy must be at least AES 128. 5. Select edit under the SNMP tab. 6. Check enable SNMP requests. 7. Select only v3. 8. Enter the username and the authentication and privacy keys. The authentication must at least be SHA1 and the privacy must be at least AES 128. 9. Select OK.
In the SMS client, ensure NTP authentication is enabled. 1. Log in to the serial console or ESXi virtual console. 2. Run the command ntp-auth. If NTP auth is not enabled for client and server, this is a finding.
In the SMS client, ensure NTP authentication is enabled. 1. Log in to the serial console or ESXi virtual console. 2. Run the command ntp-auth. 3. Select "Y" to change the NTP Authentication settings. 4. Select “A”, enter a key ID. 5. Select "V" to add the key value. 6. Select "T" and ensure SHA1 is added. 7. Select "K" and enter the key ID number. 8. Select "U" and "E" for enable for client and server authentication.
In the SMS client: 1. Click Admin and Management. 2. Ensure the SMS is in FIPS Mode. If the SMS is not in FIPS mode, this is a finding.
Enable the SMS FIPS Mode: 1. Click Admin and Management. 2. Click Enable FIPS Mode by selecting Edit. This must be done in an approved change window since the SMS will reboot.
In the SMS client, verify the SMS and TPS have DoS protections enabled. 1. Navigate to Devices and select the SMS hostname. 2. Select Device Configuration >> Select Host IP filters. If no filters exist or the default action is set to "allow", this is a finding.
In the SMS client, ensure the SMS and TPS have DoS protections enabled. 1. Navigate to Devices and select the SMS hostname. 2. Select Device Configuration >> Select Host IP filters. 3. Add each allowed management subnet. 4. Select Deny as the default action and click OK. 5. Select OK.
In the SMS client, ensure the remote system is configured to generate all audit records. 1. Navigate to Admin >> Server properties >> Syslog. 2. Verify the configuration enables TCP. 3. Verify Device Audit, Device System, SMS Audit, and SMS System log types are enabled and configured. If syslog is not configured to use TCP or does not include the four log types, this is a finding.
In the SMS client, ensure the remote system is configured to generate all audit records. 1. Navigate to Admin >> Server properties >> Syslog >> New. 2. Click enable. 3. Click TCP (required for DoD). 4. Under Log Type, select "Device Audit". 5. Facility is "Log Audit". 6. Timestamp: SMS Current Time. 7. Check "Include SMS hostname in Header". 8. Click OK. 9. Repeat these steps for the following three other Log Types: Device System, SMS Audit, and SMS System.
Configure the Trend Micro TippingPoint system to ensure the SMS client is using CAC authentication and LDAPS authorization. 1. Log in to the SMS client. 2. Click on Authentication and Authorization. 3. Click authentication. 4. Ensure "Use CAC authentication" is currently selected. If the TippingPoint SMS is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.
Follow these configuration steps to enable CAC/LDAPS authentication and authorization to the Trend Micro TippingPoint SMS client. The Site's LDAPS/AD environment must be configured to audit all account actions. I. Certificate Load Steps: 1. Log in to the SMS client. 2. Select certificate management. 3. Click CA certificates. 4. Select import. 5. Find the CA signing certificate bundle for the LDAPS servers on your machine. 6. Enter the name, then select browse to find the CA certificate. 7. Click OK. 8. Repeat steps for all other DOD Root and Intermediate CAs being used for the administrator’s admin-token/CACs. II. LDAP Authorization configuration steps: 1. Click Authentication and Authorization. 2. Select Groups. 3. Click New. 4. Type the name of the LDAP group exactly as it appears as the CN in the active directory domain. 5. Add all site-specific details including which role to map superuser, admin, or operator. 6. Under Active Directory Group Mapping ensure the item "map this group to the same named group in active directory" is selected. 7. Select OK. III. LDAPS Server configuration - ensure a DNS resolver has been configured in accordance with the admin guide, and this DNS resolver knows how to resolve the domain the SMS will log into: 1. Under Admin, click Authentication and CAC. 2. Click edit. 3. Enter the Server address: ensure it is the fully qualified domain name as the LDAPS certificate will likely have it. 4. Enable SSL: must be checked for LDAPS. 5. Current certificate: must be the intermediate root certificate/issuing CA certificate for the domain controllers - this is the CA certificate loaded in the first section. 6. Port: 636 (or if your DOD LDAPS port is different add this). 7. Timeout: 30 seconds is the default. 8. Admin name: this must be the account that has privileges to access the directory schema – format is username@domain.name. 9. Admin password: password of previous admin account. 10. User search base: this is the LDAP directory tree for the accounts that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil 11. User search attribute: normally in DOD this is userPrincipalName. 12. User display attribute: normally in DOD this is sAMAccountName. 13. Group search base: this is the LDAP directory tree for the groups that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil 14. Group name attribute: normally it is cn. 15. Select the test button to ensure all configurations provided function correctly. 16. Select OK. IV. Enable OCSP revocation Checking: 1. Select Certificate Management and Revocation. 2. Click New under OCSP Settings. 3. Select the Certificate Authority. Type the full OCSP URI (e.g. http://ocsp.disa.mil). 4. Repeat this step for all CA certificates in the CAC trust chain. 5. Optionally, to add a CRL click New under Certificate Revocation Lists. 6. Select the Certificate Authority. 7. Type the full CRL path including to the specific CRL file (e.g. http://crl.disa.mil/certificate.crl). V. Enable CAC authentication/LDAPS authorization: 1. Click Admin, click Authentication and Groups. 2. Select Edit. 3. Click Use CAC Authentication (ensure the local emergency user account is checked for local access in case of emergency troubleshooting). 4. Select OK. 5. Close the SMS client. VI. Test CAC authentication: 1. Ensure one other smartcard reader is enabled in the device manager of the computer you are using. 2. Open the SMS client. 3. Type the hostname/IP of the SMS server. 4. Ensuring the CAC/admin token is inserted in the reader, type the PIN of the CAC. 5. Select the certificate to use to login. 6. Select OK. 7. User should be taken to the dashboard and configuration area of the SMS. VII. Troubleshooting: 1. If you receive errors logging in with CAC go to the serial console of the SMS server. 2. Login with the local emergency user account. 3. Type the command "set cac.disable = yes" - this will give your local admin login access to the SMS client to troubleshoot any configuration errors. VIII. Ensure the site's LDAP/Active Directory infrastructure is reconfigured to audit account creation, modification, disabling, and removals.
In the SMS client, ensure backups are enabled and scheduled. 1. Select Admin >> Database >> Backup. 2. If no scheduled backup is configured, or if the backup is not configured at least weekly, this is a finding.
In the SMS client, ensure backups are enabled and scheduled. 1. Select Admin >> Database >> Backup. 2. Select New. 3. Enter a name, weekly, the date and time to backup, and no end date. 4. Include the most recent TOS and DV, include the certificate and keys, and then encrypt the backup. Provide a password. 5. Click Next. 6. Select SFTP. 7. Enter the SFTP URL, path, and location, username, and password in the following example format: "192.168.1.1:/home/sms/backup.bak". 8. Select Next >> Finish.
In the SMS client, ensure backups are enabled and scheduled. 1. Select Admin >> Database >> Backup. 2. If no scheduled backup is configured, or if the backup is not configured at least weekly then this is a finding.
In the SMS client, ensure backups are enabled and scheduled. 1. Select Admin >> Database >> Backup. 2. Select New. 3. Enter a name, weekly, the date and time to backup, and no end date. 4. Include the most recent TOS and DV, include the certificate and keys, and then encrypt the backup. Provide a password. 5. Click Next. 6. Select SFTP. 7. Enter the SFTP URL, path, and location, username, and password in the following example format: "192.168.1.1:/home/sms/backup.bak". 8. Select Next >> Finish.
In the SMS client, ensure the certificate is signed by an authorized DoD Certificate Authority. Select Admin >> Certificate Management >> Certificates. If there is no certificate, or the certificate is signed by a CA that is not authorized in the DoD, this is a finding.
In the SMS client, ensure the certificate is signed by an authorized DoD Certificate Authority. 1. Select Admin >> Certificate Management >> Certificates. 2. Select import. 3. The SMS can import a certificate with a private key file separately, or can import a PKCS12/PFX file. The user can use OpenSSL on a separate system to generate the certificate signing request (CSR) or can use the CSR generation tool on the SMS under Admin, Certificate Management, Signing Requests. The CSR must ensure the following attributes are added to the CSR if using the SMS tool: 2048 RSA key size and a DNS Subject Alternative Name (SAN) - if required.
Verify the operating system version under devices and version in the SMS Software under Admin and General is still under security support by Trend Micro on the https://tmc.tippingpoint.com/TMC/ support website. If the operating system version is not under support, this is a finding.
The system owner must ensure that the operating system version under Devices and SMS Software under Admin and General is still under security support by Trend Micro on the https://tmc.tippingpoint.com/TMC/ support website. 1. Select Release >> Software, and select either SMS or TPS. 2. The versions there will be the supported releases. 3. Ensure the site SMS and TPS have one of these supported releases.
In the SMS client, ensure the remote system is configured to generate all audit records. 1. Navigate to Admin >> Server properties >> Syslog. 2. Verify the configuration enables TCP. 3. Verify Device Audit, Device System, SMS Audit, and SMS System log types are enabled and configured. If syslog is not configured to use TCP or does not include the four log types, this is a finding.
In the SMS client, ensure the remote system is configured to generate all audit records. 1. Navigate to Admin >> Server properties >> Syslog >> New. 2. Click enable. 3. Click TCP (required for DOD). 4. Under Log Type, select "Device Audit". 5. Facility is "Log Audit". 6. Timestamp: SMS Current Time. 7. Check "Include SMS hostname in Header". 8. Click OK. 9. Repeat these steps for the following three other Log Types: Device System, SMS Audit, and SMS System. Note: Syslog server used must be configured to alert system administrator and ISSO upon detection of unauthorized access, modification, or deletion of audit information.
Have the local representative show password change logs or documentation to show this is a local process. If the password for the local account of last resort is not changed when members who had access to the password leave the role and are no longer authorized access, this is a finding.
Change the password for the account of last resort. 1. Navigate to Admin >> Authentication and Authorization >> Users. 2. Select the account of last resort. 3. Click Edit and Select Authentication. 4. Enter and confirm the password. To change the password for managed devices, if configured: Navigate to Devices >> All Devices >> Member Summary >> Device Users. The Device User Accounts screen displays a table that lists the user accounts available on managed devices.