VMware Workspace ONE UEM Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2024-06-06
  • Released: 2024-07-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The Workspace ONE UEM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-221637 - SV-221637r960741_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
VMW1-00-000460
Vuln IDs
  • V-221637
  • V-102317
Rule IDs
  • SV-221637r960741_rule
  • SV-111273
A session time-out lock is a temporary action taken when a user (MDM system administrator) stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead. SFR ID: FMT_SMF.1.1(2) c.8
Checks: C-23352r416749_chk

Review the Workspace ONE UEM server or platform configuration and verify the server is configured to lock after 15 minutes of inactivity. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management. 3. Examine value present in "Idle Session Timeout" (value is number of minutes). If the MDM console [configuration setting] is not set to 15 minutes or less, this is a finding.

Fix: F-23341r416750_fix

Configure the Workspace ONE UEM server or platform to lock the server after 15 minutes of inactivity. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management. 3. Specify the value for "Idle Session Timeout" as 15 and click "Save".

b
The Workspace ONE UEM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Workspace ONE UEM server install).
CM-6 - Medium - CCI-000366 - V-221638 - SV-221638r971322_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VMW1-00-000470
Vuln IDs
  • V-221638
  • V-102319
Rule IDs
  • SV-221638r971322_rule
  • SV-111275
It is critical that only authorized certificates are used for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the Workspace ONE UEM server must have the capability to configure the enterprise certificate. SFR ID: FMT_SMF.1.1(2) c.8, FMT_POL_EXT.1.1
Checks: C-23353r416752_chk

Review the Workspace ONE UEM server configuration settings and verify the server is configured with an enterprise certificate for signing policies. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> System >> Advanced >> Policy Signing Certificate. If the "Policy Signing Certificate" choice is not present under "Advanced", this is a finding. If the "Policy Signing Certificate" choice is present, but the Workspace ONE UEM server is not configured with an enterprise certificate for signing policies, this is a finding. For Android: No additional checks are required. For iOS: 3. Navigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Profiles. If "Sign Profiles" (Requires Server SSL Certificate)" is set to "DISABLED" or is set to "ENABLED" and no signing certificate is listed, this is a finding.

Fix: F-23342r416753_fix

Configure the Workspace ONE UEM server with an enterprise certificate for signing policies. To enable the presence of the "Policy Signing Certificate" choice on the Workspace ONE UEM (MDM) console, execute the following database query on the Server after logging in with database administrative privilege: UPDATE dbo.SystemCodeCategory SET ResourceID = 7192 WHERE SystemCodeCategoryID = 370 On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> System >> Advanced >> Policy Signing Certificate. 3. Upload the valid Policy Signing Certificate to the Workspace ONE UEM server to configure the Workspace ONE UEM Agents. For Android: Once a Policy Signing Certificate is uploaded, no additional configuration is necessary. To configure the Apple iOS MDM Agent: a. Navigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Profiles. b. Ensure "ENABLED" is selected for "Sign Profiles (Requires Server SSL Certificate). c. Click "UPLOAD" to upload a Signing Certificate and then click "SAVE". To update or replace a Policy Signing Certificate: a. Navigate to Groups & Settings >> All Settings >> System >> Advanced >> Policy Signing Certificate. b. Click "Replace", "Choose File", and "Upload" to upload the new certificate, then click "Save" to configure the enterprise certificate for signing policies. c. Verify that the Policy Signing Certificate properties have been updated. For Android: Once a new Policy Signing Certificate is uploaded, no additional configuration is necessary. To update the Apple iOS MDM Agent: a. Navigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Profiles. b. Click "Override" for Current Setting". c. Click "REPLACE" to upload a new Signing Certificate, upload the certificate, and then click "SAVE". d. Verify that the Policy Signing Certificate properties have been updated.

b
The Workspace ONE UEM server must be configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.
AU-4 - Medium - CCI-001851 - V-221640 - SV-221640r961395_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VMW1-00-000500
Vuln IDs
  • V-221640
  • V-102323
Rule IDs
  • SV-221640r961395_rule
  • SV-111279
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the Workspace ONE UEM server has limited capability to store mobile device log files and perform analysis and reporting of mobile device log files, the Workspace ONE UEM server must have the capability to transfer log files to an audit log management server. SFR ID: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1)
Checks: C-23355r416758_chk

Review the Workspace ONE UEM server configuration settings and verify the server is configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog. 3. If "Syslog Integration" is set to "DISABLED", this is a finding. 4. Examine the syslog configuration (server hostname, protocol, port, syslog facility, message tag, message content) for conformance with operational standards. If any are not set according to the standards, this is a finding. Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.

Fix: F-23344r416759_fix

Configure the Workspace ONE UEM server to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog. 3. Set "Syslog Integration" to "ENABLED". 4. Configure syslog server hostname, protocol, port, syslog facility, message tag, message content according to organizational standards. 5. Click "SAVE". 6. Verify changes save successfully and Workspace ONE UEM server can transfer audit logs to the new syslog server.

b
The Workspace ONE UEM server must be configured to display the required DoD warning banner upon administrator logon. Note: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).
AC-8 - Medium - CCI-000048 - V-221641 - SV-221641r960843_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
VMW1-00-000520
Vuln IDs
  • V-221641
  • V-102325
Rule IDs
  • SV-221641r960843_rule
  • SV-111281
Note: The advisory notice and consent warning message is not required if the general purpose OS or network device displays an advisory notice and consent warning message when the administrator logs on to the general purpose OS or network device prior to accessing the Workspace ONE UEM server or Workspace ONE UEM server platform. Before granting access to the system, the Workspace ONE UEM server/server platform is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. The approved DoD text must be used as specified in the KS referenced in DoDI 8500.01. The non-bracketed text below must be used without any changes as the warning banner. [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. SFR ID: FMT_SMF.1.1(2) c.2
Checks: C-23356r416761_chk

Review Workspace ONE UEM server documentation and configuration settings to determine if the Workspace ONE UEM server is using the warning banner and the wording of the banner is the required text. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Verify that the notice and consent warning message is displayed. 3. Authenticate to the Workspace ONE UEM Self-Service Portal. 4. Verify that the notice and consent warning message is displayed. If the warning banner is not set up on the Workspace ONE UEM server or wording does not exactly match the requirement text, this is a finding.

Fix: F-23345r416762_fix

Configure the Workspace ONE UEM server to display the appropriate warning banner text. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings. 3. Under the "System" heading choose "Branding". 4. Select the "Override" value for the "Current Setting". 5. Upload the organizationally defined logo, Login Page Background, Self-Service Portal Login Page Background containing the warning message, along with the website URL, if appropriate. 6. Set items under Colors category according to organizational standards. 7. Click "Save".

b
The Workspace ONE UEM server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the MD.
SI-6 - Medium - CCI-002696 - V-221642 - SV-221642r961731_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002696
Version
VMW1-00-000540
Vuln IDs
  • V-221642
  • V-102327
Rule IDs
  • SV-221642r961731_rule
  • SV-111283
Key security-related status attributes must be queried frequently so the Workspace ONE UEM server can report status of devices under management to the administrator and management. The periodicity of these queries must be configured to an acceptable timeframe. Six hours or less is considered acceptable for normal operations. SFR ID: FMT_SMF.1.1(2) c.3
Checks: C-23357r416764_chk

Review the Workspace ONE UEM server for a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings. 3. Under the "Devices & Users" heading: For Android, choose Android >> Intelligent Hub Settings. a. Under the General heading, if "Heartbeat Interval" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and current version of MD firmware/software. b. Under the Application List heading, if the "Application List Interval" is set to more than 360 minutes, this is a finding. This setting handles querying for current version of installed mobile applications. For iOS, Apple >> MDM Sample Schedule. a. If "Device Information Sample" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and current version of MD firmware/software. b. If "Application List Sample" and "Managed App List Sample" are set to more than 6 hours, this is a finding. This setting handles querying for current version of installed mobile applications.

Fix: F-23346r416765_fix

Configure the Workspace ONE UEM server with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings. 3. Under the "Devices & Users" heading: For Android, choose Android >> Intelligent Hub Settings. To modify any settings, click "Override". a. Under the General heading, set "Heartbeat Interval" using the drop-down if necessary. This setting handles querying of connectivity status and current version of MD firmware/software. b. Under the Application List heading, set the "Application List Interval" as necessary to the appropriate number of minutes. c. There is no control for periodicity of reading audit logs. They are sent to the server automatically. For iOS, choose Apple >> MDM Sample Schedule. To modify any settings, click "Override". a. Set "Device Information Sample" as necessary to the appropriate number of hours. This will control periodicity of both querying connectivity and querying the current version of MD firmware/software. b. Querying of installed mobile applications is controlled by both "Application List Sample" and "Managed App List Sample" fields. Application List Sample requests all the apps on the device (managed and unmanaged), whereas Managed App List Sample only returns MDM installed apps. Both samples return app versions. c. There is no control for periodicity of reading audit logs. They are sent to the server automatically.

b
The Workspace ONE UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
CM-6 - Medium - CCI-000366 - V-221643 - SV-221643r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VMW1-00-000560
Vuln IDs
  • V-221643
  • V-102329
Rule IDs
  • SV-221643r961863_rule
  • SV-111381
Having several administrative roles for the Workspace ONE UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configuration, which they may not understand or approve of, that can weaken overall security and increase the risk of compromise. - Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS. - Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators. - Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining to which apps user groups or individual users have access in the MAS. Can only perform administrative functions assigned by the security configuration administrator. - Auditor: Responsible for reviewing and maintaining server and mobile device audit logs. SFR ID: FMT_SMR.1.1(1)
Checks: C-23358r416767_chk

Review the Workspace ONE UEM server configuration settings and verify the server is configured with the Administrator roles: - Server primary administrator - Security configuration administrator - Device user group administrator - Auditor On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console. 2. Navigate to Accounts >> Administrators >> Roles. 3. From the Roles page, examine the currently defined roles under the "General Info" heading. Each role can be selected for examination by clicking on the name link. Each role will have a set of attributes for which that role has been granted: "Read", "Edit", or no access. If the MDM console administrative role is not present or the role attributes are not set to organizational standards, this is a finding.

Fix: F-23347r416768_fix

Configure the Workspace ONE UEM server with the Administrator roles: - Server primary administrator - Security configuration administrator - Device user group administrator - Auditor On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console. 2. Navigate to Accounts >> Administrators >> Roles. 3. From the Roles page, click "Add Role". 4. Name the role according to the organization standard for the function and provide a role description. 5. Add role attributes by selecting each of the role categories ensuring "Read" and/or "Edit" are selected appropriately for each function for the role. A default set will be checked but should be reviewed and overridden as appropriate to the role. 6. After reviewing the choices in each category and verifying correctness, click "Save" to save the new role.

b
The Workspace ONE UEM server must be configured to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication.
AC-2 - Medium - CCI-000015 - V-221644 - SV-221644r960768_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
VMW1-00-000620
Vuln IDs
  • V-221644
  • V-102331
Rule IDs
  • SV-221644r960768_rule
  • SV-111287
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Workspace ONE UEM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Workspace ONE UEM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). SFR ID: FIA
Checks: C-23359r805063_chk

Review the configuration steps necessary to leverage MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication: On the Workspace ONE UEM console, complete the following procedure to ensure the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users and administrators can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server: 1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html". 2. Log in to the Workspace ONE UEM Administration console. 3. Choose "Groups and Settings". 4. Choose "All Settings". 5. Under the "System" heading, choose "Enterprise Integration". 6. Choose "Directory Services". 7. Under the "Server" tab, verify directory service connection information. 8. Under the "User" tab, verify User Group connection information. 9. Under the "Group" tab, verify Group connection information. 10. Choose "X" to close screen. 11. Choose "Groups and Settings". 12. Choose "All Settings". 13. Under "Devices and Users", choose "General". 14. Choose "Enrollment". 15. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected. If on the Workspace ONE UEM server console "Directory" is not selected as the authentication mode, this is a finding. If the MDM platform user authentication is not implemented via an enterprise directory service, this is a finding. To verify administrators can only use directory services accounts: 16. Choose Accounts >> Administrators >> List View. 17. Review user types under the Admin Type heading. If any users have an Admin Type of "Basic", this is a finding. To verify users can only use directory services accounts: 18. Choose Accounts >> Users >> List View. If only a small number of user accounts are listed, it is recommended to use the following steps: a. Under the "General Info" tab, click each username link to view the user's summary data. b. Under "Type" in the "User Info" column, if "Basic" is listed, this is a finding. c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined. If a large number of user accounts are listed, it is recommended to use the following steps instead: a. Choose the "Export" drop-down and select the format to be used for the export list. b. An "Export List" pop-up window will appear with instructions on where to locate and examine the exported list of user accounts. c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, this is a finding. Exception: One local "Emergency" account may remain.

Fix: F-23348r807530_fix

Configure the Workspace ONE UEM server to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication. On the Workspace ONE UEM console, complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server: 1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html". 2. Log in to the Workspace ONE UEM Administration console. 3. Choose "Groups and Settings". 4. Choose "All Settings". 5. Under the "System" heading, choose "Enterprise Integration". 6. Choose "Directory Services". 7. Under the "Server" tab, verify directory service connection information. If not set according to organizational rules, modify the directory service connection to the correct setting. 8. Under "User" tab, verify User Group connection information. If not set according to organizational rules, modify the User Group connection to the correct setting. 9. Under the "Group" tab, verify Group connection information. If not set according to organizational rules, modify the Group connection to the correct setting. 10. If any changes were made to Server, User, or Group settings, click "Save". 11. Choose "X" to close screen. 12. Choose "Groups and Settings". 13. Choose "All Settings". 14. Under "Devices and Users", choose "General". 15. Choose "Enrollment". 16. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected. If "Directory" is unchecked, select it. If any other boxes are checked, uncheck them. 17. If any changes were made to "Authentication Modes" settings, click "Save". 18. Choose "X" to close the window. To verify and remove any administrator accounts that are not Directory Service accounts: 19. Choose Account >> Administrators >> List View. 20. Review user types under the "Admin Type" heading, and select all users, and only users with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the Basic Admin Type will cause the "More Actions" drop-down to appear. 21. From the More Actions drop-down select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s). 22. Click "OK" to delete the selected accounts. To verify and remove user accounts that are not Directory Service accounts: 23. Choose Accounts >> Users >> List View. If only a small number of user accounts are listed, it is recommended to use the following steps: a. Under the "General Info" tab, click each username link to view the user's summary data. b. Under "Type" in the "User Info" column, if "Basic" is listed, the user account must be removed. Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window. c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined. If a large number of user accounts are listed, it is recommended to use the following steps instead: a. Choose the "Export" drop-down and select the format to be used for the export list. b. An "Export List" pop-up window will appear with instructions on where the exported list of user accounts is located. c. Examine the exported list. If any user accounts are denoted as Basic in the "Security Type" column, the account must be deleted. d: To delete a user account, click on the username link of the user account under "List View". Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window. e. Choose "List View" again to be presented with the list of remaining user accounts and repeat step d until all user accounts with a Security Type of "Basic" have been deleted. Exception: One local "Emergency" account may remain.

b
Authentication of MDM platform accounts must be configured so they are implemented via an enterprise directory service.
AC-2 - Medium - CCI-000015 - V-221645 - SV-221645r960768_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
VMW1-00-000630
Vuln IDs
  • V-221645
  • V-102333
Rule IDs
  • SV-221645r960768_rule
  • SV-111289
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Workspace ONE UEM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Workspace ONE UEM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). SFR ID: FIA
Checks: C-23360r805066_chk

Review the MDM platform to verify user and administrator authentication is implemented via an enterprise directory service. On the Workspace ONE UEM console complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users and administrators can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server: 1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html". 2. Log in to the Workspace ONE UEM Administration console. 3. Choose "Groups and Settings". 4. Choose "All Settings". 5. Under "System" heading, choose "Enterprise Integration". 6. Choose "Directory Services". 7. Under "Server" tab, verify directory service connection information. 8. Under "User" tab, verify User Group connection information. 9. Under "Group" tab, verify Group connection information. 10. Choose "X" to close screen. 11. Choose "Groups and Settings". 12. Choose "All Settings". 13. Under "Devices and Users", choose "General". 14. Choose "Enrollment". 15. On "Authentication Modes" setting, verify only the box titled "Directory" is selected. If on the Workspace ONE UEM server console "Directory" is not selected as the authentication mode, this is a finding. If the MDM platform user authentication is not implemented via an enterprise directory service, this is a finding. To verify administrators can only use directory services accounts: 16. Choose Accounts >> Administrators >> List View. 17. Review user types under the Admin Type heading. If any users have an Admin Type of "Basic", this is a finding. Exception: One local "Emergency" account may remain that uses WS1 authentication services. To verify users can only use directory services accounts: 18. Choose Accounts >> Users >> List View. If only a small number of user accounts are listed, it is recommended to use the following steps: a. Under the "General Info" tab, click on each username link to view the user's summary data. b. Under "Type" in the "User Info" column, if "Basic" is listed, this is a finding. c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined. If a large number of user accounts are listed, it is recommended to use the following steps instead: a. Choose the "Export" drop-down and select the format to be used for the export list. b. An "Export List" pop-up window will appear with instructions on where to locate and examine the exported list of user accounts. c. Examine the exported list. If any user accounts are denoted as Basic in the Security Type column, this is a finding.

Fix: F-23349r807528_fix

Configure the MDM platform so that user and administrator authentication is implemented via an enterprise directory service. On the Workspace ONE UEM console complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server: Exception: One local "Emergency" account may remain that uses WS1 authentication services. 1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html". 2. Log in to the Workspace ONE UEM Administration console. 3. Choose "Groups and Settings". 4. Choose "All Settings". 5. Under "System" heading, choose "Enterprise Integration". 6. Choose "Directory Services". 7. Under "Server" tab, verify directory service connection information. If not set according to organizational rules, modify the directory service connection to the correct setting. 8. Under "User" tab, verify User Group connection information. If not set according to organizational rules, modify the User Group connection to the correct setting. 9. Under "Group" tab, verify Group connection information. If not set according to organizational rules, modify the Group connection to the correct setting. 10. If any changes made to Server, User, or Group settings, click "Save". 11. Choose "X" to close screen. 12. Choose "Groups and Settings". 13. Choose "All Settings". 14. Under "Devices and Users", choose "General". 15. Choose "Enrollment". 16. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected. If "Directory" is unchecked, select it. If any other boxes are checked, uncheck them. 17. If any changes were made to "Authentication Modes" settings, click "Save". 18. Choose "X" to close the window. To verify and remove any administrator accounts that are not Directory Service accounts: 19. Choose Accounts >> Administrators >> List View. 20. Review user types under the "Admin Type" heading, and select all users, and only users, with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the Basic Admin Type will cause the "More Actions" drop-down to appear. 21. From the More Actions drop down, select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s). 22. Click "OK" to delete the selected accounts. To verify and remove any user accounts that are not Directory Service accounts: 23. Choose Accounts >> Users >> List View. If only a small number of user accounts are listed, it is recommended to use the following steps: a. Under the "General Info" tab, click each username link to view the user's summary data. b. Under "Type" in the "User Info" column, if "Basic" is listed, the user account must be removed. Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window. c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined. If a large number of user accounts are listed, it is recommended to use the following steps instead: a. Choose the "Export" drop-down and select the format to be used for the export list. b. An "Export List" pop-up window will appear with instructions on where the exported list of user accounts is located. c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, the account must be deleted. d. To delete a user account, click the username link of the user account under "List View". Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window. e. Choose "List View" again to be presented with the list of remaining user accounts and repeat step d until all user accounts with a Security Type of "Basic" have been deleted.

c
The Workspace ONE UEM server must be maintained at a supported version.
CM-6 - High - CCI-000366 - V-221646 - SV-221646r986316_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
VMW1-00-000650
Vuln IDs
  • V-221646
  • V-102335
Rule IDs
  • SV-221646r986316_rule
  • SV-111291
The MDM/EMM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities which leaves them subject to exploitation. SFR ID: FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2
Checks: C-23361r986314_chk

Verify the installed version of Workspace ONE UEM server is currently supported. On the Workspace ONE UEM server console, do the following to determine the version number of the server: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Click "About" on the bottom of the left hand menu. The version and build of the installed software will be displayed. List of current supported versions: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf, scroll to Workspace ONE UEM Console. If the displayed Workspace ONE server version is not currently supported, this is a finding.

Fix: F-23350r986315_fix

Update the Workspace ONE UEM server to a supported version. See (https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf) for the list of current Workspace ONE UEM supported versions.

b
The Workspace ONE UEM server must be protected by a DoD-approved firewall.
CM-7 - Medium - CCI-000382 - V-221647 - SV-221647r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VMW1-00-200010
Vuln IDs
  • V-221647
  • V-102337
Rule IDs
  • SV-221647r960966_rule
  • SV-111293
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution. Satisfies: SRG-APP-000142 SFR ID: FMT_SMF.1.1(2) b
Checks: C-23362r416779_chk

Review the MDM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on the MDM server platform, or if it is not configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, this is a finding.

Fix: F-23351r416780_fix

Install and configure a DoD-approved firewall to protect the network segment on which the Workspace ONE UEM server is installed.

b
The firewall protecting the Workspace ONE UEM server must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
CM-7 - Medium - CCI-000382 - V-221648 - SV-221648r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VMW1-00-200020
Vuln IDs
  • V-221648
  • V-102339
Rule IDs
  • SV-221648r960966_rule
  • SV-111295
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality. Satisfies: SRG-APP-000142 SFR ID: FMT_SMF.1.1(2) b
Checks: C-23363r416782_chk

Ask the MDM administrator for a list of ports, protocols, and IP address ranges necessary to support MDM server and platform functionality. A list can usually be found in the STIG Supplemental document or MDM product documentation. Compare the list against the configuration of the firewall and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.

Fix: F-23352r416783_fix

Configure the firewall on the MDM server to only permit ports, protocols, and IP address ranges necessary for operation.

b
The firewall protecting the Workspace ONE UEM server must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
CM-7 - Medium - CCI-000382 - V-221649 - SV-221649r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VMW1-00-200030
Vuln IDs
  • V-221649
  • V-102341
Rule IDs
  • SV-221649r960966_rule
  • SV-111297
All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary. Satisfies: SRG-APP-000142 SFR ID: FMT_SMF.1.1(2) b
Checks: C-23364r416785_chk

Ask the MDM administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the MDM server or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.

Fix: F-23353r416786_fix

Turn off any ports, protocols, and services on the MDM host-based firewall that are not on the DoD PPSM CAL list.

b
All Workspace ONE UEM server local accounts created during application installation and configuration must be disabled or removed.
IA-2 - Medium - CCI-000764 - V-221650 - SV-221650r960969_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
VMW1-00-200040
Vuln IDs
  • V-221650
  • V-102343
Rule IDs
  • SV-221650r960969_rule
  • SV-111299
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). Satisfies: SRG-APP-000148 SFR ID: FMT_SMF.1.1(2) b / IA-5(1)(a)
Checks: C-23365r805069_chk

Review the configuration for Workspace ONE UEM server administrative accounts for any local accounts: 1. Log in to the Workspace ONE UEM Administration console. 2. Choose Accounts >> Administrators >> List View. 3. Review user types under the Admin Type heading. If any users have an Admin Type of "Basic", this is a finding. Exception: One local "Emergency" account may remain.

Fix: F-23354r805070_fix

Configure the Workspace ONE UEM server to remove any local accounts created during installation and configuration. Exception: One local "Emergency" account may remain. 1. Log in to the Workspace ONE UEM Administration console. 2. Choose Accounts >> Administrators >> List View. 3. Review user types under the Admin Type heading, and select all users, and only users with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the "Basic" Admin Type will cause the "More Actions" drop-down to appear. 4. From the More Actions drop down select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s). 5. Click "OK" to delete the selected accounts.

b
The MDM Agent must be configured to enable the following function: [selection: read audit logs of the MD]. This requirement is inherently met if the function is automatically implemented during MDM Agent install/device enrollment.
AU-6 - Medium - CCI-000154 - V-221651 - SV-221651r960918_rule
RMF Control
AU-6
Severity
Medium
CCI
CCI-000154
Version
VMW1-00-400040
Vuln IDs
  • V-221651
  • V-102345
Rule IDs
  • SV-221651r960918_rule
  • SV-111301
Audit logs and alerts enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify when the security posture of the device is not as expected. This enables the MDM administrator to take an appropriate remedial action. SFR ID: FMT_SMF_EXT.4.1
Checks: C-23366r416791_chk

Review the MDM Agent documentation and configuration settings to determine if the following function is enabled: read audit logs of the MD. This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> Devices & Users >> General >> Privacy and enable Request Device Log in the privacy settings. If "Request Device Log" is present, then no device log is being requested from the MD and this is a finding.

Fix: F-23355r416792_fix

Configure the MDM Agent to enable the following function: read audit logs of the MD. On the MDM console, do the following: 1. Authenticate to the Workspace ONE UEM console as the administrator. 2. Navigate to Groups & Settings >> All Settings >> Devices & Users >> General >> Privacy and enable Request Device Log in the privacy settings. 3. Select "SAVE".

c
The Workspace ONE UEM local accounts password must be configured with length of 15 characters.
IA-5 - High - CCI-000205 - V-251259 - SV-251259r971326_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000205
Version
VMW1-00-200070
Vuln IDs
  • V-251259
Rule IDs
  • SV-251259r971326_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. SFRID: FMT_SMF.1(2)b. / IA-5 (1) (a)
Checks: C-54694r805078_chk

Verify WS1 UEM is configured to enforce a local account password length of at least 15 characters for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Verify "Minimum Password Length" is set to 15. If the minimum password length is not set to 15, this is a finding.

Fix: F-54648r805079_fix

Configure WS1 UEM to enforce a local account password length of at least 15 characters for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Configure "Minimum Password Length" to 15.

c
The Workspace ONE UEM local accounts must be configured with at least one lowercase character, one uppercase character, one number, and one special character.
IA-5 - High - CCI-000193 - V-251260 - SV-251260r971326_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000193
Version
VMW1-00-200080
Vuln IDs
  • V-251260
Rule IDs
  • SV-251260r971326_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. SFR ID: FMT_SMF.1(2)b. / IA-5 (1) (a)
Checks: C-54695r807608_chk

Verify WS1 UEM is configured to enforce a local account password with at least one lower case letter, one uppercase character, one number, and one special character for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Verify "Password complexity level" to "Mixed case, alphabetic, numeric and special characters". If password complexity is not set as listed above, this is a finding.

Fix: F-54649r805082_fix

Configure WS1 UEM to enforce a local account password with at least one lower case letter, one uppercase character, one number, and one special character for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Configure "Password complexity level" to "Mixed case, alphabetic, numeric and special characters".

c
The Workspace ONE UEM local accounts must be configured with password maximum lifetime of 60 days.
AU-12 - High - CCI-000174 - V-251261 - SV-251261r971326_rule
RMF Control
AU-12
Severity
High
CCI
CCI-000174
Version
VMW1-00-200130
Vuln IDs
  • V-251261
Rule IDs
  • SV-251261r971326_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions. SFR ID: FMT_SMF.1(2)b. / IA-5 (1) (d)
Checks: C-54696r805084_chk

Verify WS1 UEM is configured to have a local account password lifetime of 60 days for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Verify "Password Expiration Period (days)" is set to 60. If WS1 UEM is not configured to have a local account password lifetime of 60 days, this is a finding.

Fix: F-54650r805085_fix

Configure WS1 UEM to have a local account password lifetime of 60 days for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Configure "Password Expiration Period (days)" to 60.

c
The Workspace ONE UEM local accounts must prohibit password reuse for a minimum of five generations.
IA-5 - High - CCI-000200 - V-251262 - SV-251262r971326_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000200
Version
VMW1-00-200150
Vuln IDs
  • V-251262
Rule IDs
  • SV-251262r971326_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. SFR ID: FMT_SMF.1(2)b. / IA-5 (1) (e)
Checks: C-54697r805087_chk

Verify WS1 UEM is configured to prohibit password reuse for a minimum of five generations for local account passwords for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Verify "Enforced password history" to "5 passwords remembered". If WS1 UEM is not configured to prohibit password reuse for a minimum of five generations for local account passwords, this is a finding.

Fix: F-54651r805088_fix

Configure WS1 UEM to prohibit password reuse for a minimum of five generations for local account passwords for the emergency local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Configure "Enforced password history" to "5 passwords remembered".

c
The Workspace ONE UEM must enforce the limit of three consecutive invalid logon attempts by a user.
AC-7 - High - CCI-000044 - V-251263 - SV-251263r971326_rule
RMF Control
AC-7
Severity
High
CCI
CCI-000044
Version
VMW1-00-200180
Vuln IDs
  • V-251263
Rule IDs
  • SV-251263r971326_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. SFR ID: FMT_SMF.1(2)b. / IA-7-a
Checks: C-54698r806439_chk

Verify WS1 UEM is configured to enforce a limit of three invalid logon attempts for a local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Verify "Maximum invalid login attempts" is set to 3. If WS1 UEM is not configured to enforce a limit of three invalid logon attempts for a local account, this is a finding.

Fix: F-54652r806440_fix

Configure WS1 UEM to enforce a limit of three invalid logon attempts for a local account. 1. Log in to the WS1UEM console. 2. Go to Settings >> Admin >> Console Security >> Passwords. 3. Configure "Maximum invalid login attempts" to 3.

c
The Workspace ONE UEM must use multifactor authentication for local access to privileged accounts.
IA-2 - High - CCI-000767 - V-251264 - SV-251264r971326_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000767
Version
VMW1-00-200190
Vuln IDs
  • V-251264
Rule IDs
  • SV-251264r971326_rule
To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Applications integrating with the DoD Active Directory and utilize the DoD Common Access Card (CAC) are examples of compliant multifactor authentication solutions. SFR ID: FMT_SMF.1(2)b. / IA-2(3)
Checks: C-54699r805094_chk

Verify WS1 UEM is using multifactor authentication for the local emergency account. Use one of the following two methods to confirm compliance: Method 1 Have the emergency account admin user log into the emergency account and verify the server requires 2FA before console access is granted. Method 2 1. Log in to the WS1UEM console. 2. Go to Accounts >> Administrators >> List View. 3. Select the Emergency account user and double-click on the account. 4. In the Add/Edit Admin screen, verify "Two-Factor Authentication" has been selected with either Email of SMS. Verify Notification has been selected and the token expiration time is 10 minutes or less. If WS1 UEM is not using multifactor authentication for the local emergency account, this is a finding.

Fix: F-54653r805095_fix

Configure WS1 UEM to use multifactor authentication for the local emergency account. 1. Log in to the WS1UEM console. 2. Go to Accounts >> Administrators >> List View. 3. Select Add, then Add Admin. 4. Select "Basic" for the User Type and fill in user name, password, etc. 5. Select "Two-Factor Authentication and then select email or SMS as the delivery method and 10 minutes or less token expiration time. 6. Select either email or SMS Notification. 7. Complete all other required fields in the enrollment form, including either the telephone number or email address of the emergency account user. 8. Select Save.