Review the Workspace ONE UEM server or platform configuration and verify the server is configured to lock after 15 minutes of inactivity. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management.
3. Examine the value present in "Idle Session Timeout" (the value is a number of minutes).
If the MDM console "Idle Session Timeout" is not set to 15 minutes or less, this is a finding.

Configure the Workspace ONE UEM server or platform to lock the server after 15 minutes of inactivity. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management.
3. Specify the value for "Idle Session Timeout" as 15 and click "Save".
Review the Workspace ONE UEM server configuration settings and verify the server is configured with an enterprise certificate for signing policies. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> System >> Advanced >> Policy Signing Certificate.
If the "Policy Signing Certificate" choice is not present under "Advanced", this is a finding.
If the "Policy Signing Certificate" choice is present, but the Workspace ONE UEM server is not configured with an enterprise certificate for signing policies, this is a finding.
For Android: No additional checks are required.
For iOS:
3. Navigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Profiles.
If "Sign Profiles (Requires Server SSL Certificate)" is set to "DISABLED", or is set to "ENABLED" and no signing certificate is listed, this is a finding.

Configure the Workspace ONE UEM server with an enterprise certificate for signing policies.
To enable the presence of the "Policy Signing Certificate" choice on the Workspace ONE UEM (MDM) console, execute the following database query on the server after logging in with database administrative privilege:
UPDATE dbo.SystemCodeCategory SET ResourceID = 7192 WHERE SystemCodeCategoryID = 370
On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> System >> Advanced >> Policy Signing Certificate.
3. Upload the valid Policy Signing Certificate to the Workspace ONE UEM server to configure the Workspace ONE UEM Agents.
For Android: Once a Policy Signing Certificate is uploaded, no additional configuration is necessary.
To configure the Apple iOS MDM Agent:
a. Navigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Profiles.
b. Ensure "ENABLED" is selected for "Sign Profiles (Requires Server SSL Certificate)".
c. Click "UPLOAD" to upload a Signing Certificate and then click "SAVE".
To update or replace a Policy Signing Certificate:
a. Navigate to Groups & Settings >> All Settings >> System >> Advanced >> Policy Signing Certificate.
b. Click "Replace", "Choose File", and "Upload" to upload the new certificate, then click "Save" to configure the enterprise certificate for signing policies.
c. Verify that the Policy Signing Certificate properties have been updated.
For Android: Once a new Policy Signing Certificate is uploaded, no additional configuration is necessary.
To update the Apple iOS MDM Agent:
a. Navigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Profiles.
b. Click "Override" for "Current Setting".
c. Click "REPLACE" to upload a new Signing Certificate, upload the certificate, and then click "SAVE".
d. Verify that the Policy Signing Certificate properties have been updated.
Review the Workspace ONE UEM server configuration settings and verify the server is configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog.
3. If "Syslog Integration" is set to "DISABLED", this is a finding.
4. Examine the syslog configuration (server hostname, protocol, port, syslog facility, message tag, message content) for conformance with operational standards. If any are not set according to the standards, this is a finding.
Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.

Configure the Workspace ONE UEM server to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog.
3. Set "Syslog Integration" to "ENABLED".
4. Configure the syslog server hostname, protocol, port, syslog facility, message tag, and message content according to organizational standards.
5. Click "SAVE".
6. Verify the changes save successfully and that the Workspace ONE UEM server can transfer audit logs to the new syslog server.
Review Workspace ONE UEM server documentation and configuration settings to determine if the Workspace ONE UEM server is using the warning banner and the wording of the banner is the required text. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Verify that the notice and consent warning message is displayed.
3. Authenticate to the Workspace ONE UEM Self-Service Portal.
4. Verify that the notice and consent warning message is displayed.
If the warning banner is not set up on the Workspace ONE UEM server or the wording does not exactly match the requirement text, this is a finding.

Configure the Workspace ONE UEM server to display the appropriate warning banner text. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings.
3. Under the "System" heading, choose "Branding".
4. Select the "Override" value for the "Current Setting".
5. Upload the organizationally defined logo, Login Page Background, and Self-Service Portal Login Page Background containing the warning message, along with the website URL, if appropriate.
6. Set the items under the Colors category according to organizational standards.
7. Click "Save".
Review the Workspace ONE UEM server for a periodicity for reachable events of six hours or less for the following commands to the agent:
- query connectivity status;
- query the current version of the MD firmware/software;
- query the current version of installed mobile applications.
On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings.
3. Under the "Devices & Users" heading:
For Android, choose Android >> Intelligent Hub Settings.
a. Under the General heading, if "Heartbeat Interval" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and the current version of MD firmware/software.
b. Under the Application List heading, if the "Application List Interval" is set to more than 360 minutes, this is a finding. This setting handles querying for the current version of installed mobile applications.
For iOS, choose Apple >> MDM Sample Schedule.
a. If "Device Information Sample" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and the current version of MD firmware/software.
b. If "Application List Sample" and "Managed App List Sample" are set to more than six hours, this is a finding. This setting handles querying for the current version of installed mobile applications.

Configure the Workspace ONE UEM server with a periodicity for reachable events of six hours or less for the following commands to the agent:
- query connectivity status;
- query the current version of the MD firmware/software;
- query the current version of installed mobile applications.
On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings.
3. Under the "Devices & Users" heading:
For Android, choose Android >> Intelligent Hub Settings. To modify any settings, click "Override".
a. Under the General heading, set "Heartbeat Interval" using the drop-down if necessary. This setting handles querying of connectivity status and the current version of MD firmware/software.
b. Under the Application List heading, set the "Application List Interval" as necessary to the appropriate number of minutes.
c. There is no control for periodicity of reading audit logs. They are sent to the server automatically.
For iOS, choose Apple >> MDM Sample Schedule. To modify any settings, click "Override".
a. Set "Device Information Sample" as necessary to the appropriate number of hours. This controls the periodicity of both querying connectivity and querying the current version of MD firmware/software.
b. Querying of installed mobile applications is controlled by both the "Application List Sample" and "Managed App List Sample" fields. Application List Sample requests all the apps on the device (managed and unmanaged), whereas Managed App List Sample only returns MDM-installed apps. Both samples return app versions.
c. There is no control for periodicity of reading audit logs. They are sent to the server automatically.
Review the Workspace ONE UEM server configuration settings and verify the server is configured with the Administrator roles:
- Server primary administrator
- Security configuration administrator
- Device user group administrator
- Auditor
On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console.
2. Navigate to Accounts >> Administrators >> Roles.
3. From the Roles page, examine the currently defined roles under the "General Info" heading. Each role can be selected for examination by clicking the name link. Each role has a set of attributes for which that role has been granted "Read", "Edit", or no access.
If an MDM console administrative role is not present or the role attributes are not set to organizational standards, this is a finding.

Configure the Workspace ONE UEM server with the Administrator roles:
- Server primary administrator
- Security configuration administrator
- Device user group administrator
- Auditor
On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console.
2. Navigate to Accounts >> Administrators >> Roles.
3. From the Roles page, click "Add Role".
4. Name the role according to the organization standard for the function and provide a role description.
5. Add role attributes by selecting each of the role categories, ensuring "Read" and/or "Edit" are selected appropriately for each function of the role. A default set will be checked but should be reviewed and overridden as appropriate to the role.
6. After reviewing the choices in each category and verifying correctness, click "Save" to save the new role.
Review the configuration steps necessary to leverage MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication. On the Workspace ONE UEM console, complete the following procedure to ensure the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users and administrators can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server:
1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html".
2. Log in to the Workspace ONE UEM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under the "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under the "Server" tab, verify directory service connection information.
8. Under the "User" tab, verify User Group connection information.
9. Under the "Group" tab, verify Group connection information.
10. Choose "X" to close the screen.
11. Choose "Groups and Settings".
12. Choose "All Settings".
13. Under "Devices and Users", choose "General".
14. Choose "Enrollment".
15. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected.
If on the Workspace ONE UEM server console "Directory" is not selected as the authentication mode, this is a finding.
If the MDM platform user authentication is not implemented via an enterprise directory service, this is a finding.
To verify administrators can only use directory services accounts:
16. Choose Accounts >> Administrators >> List View.
17. Review user types under the Admin Type heading. If any users have an Admin Type of "Basic", this is a finding.
To verify users can only use directory services accounts:
18. Choose Accounts >> Users >> List View.
If only a small number of user accounts are listed, it is recommended to use the following steps:
a. Under the "General Info" tab, click each username link to view the user's summary data.
b. Under "Type" in the "User Info" column, if "Basic" is listed, this is a finding.
c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined.
If a large number of user accounts are listed, it is recommended to use the following steps instead:
a. Choose the "Export" drop-down and select the format to be used for the export list.
b. An "Export List" pop-up window will appear with instructions on where to locate and examine the exported list of user accounts.
c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, this is a finding.
Exception: One local "Emergency" account may remain.
Configure the Workspace ONE UEM server to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication. On the Workspace ONE UEM console, complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server:
1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html".
2. Log in to the Workspace ONE UEM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under the "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under the "Server" tab, verify directory service connection information. If not set according to organizational rules, modify the directory service connection to the correct setting.
8. Under the "User" tab, verify User Group connection information. If not set according to organizational rules, modify the User Group connection to the correct setting.
9. Under the "Group" tab, verify Group connection information. If not set according to organizational rules, modify the Group connection to the correct setting.
10. If any changes were made to Server, User, or Group settings, click "Save".
11. Choose "X" to close the screen.
12. Choose "Groups and Settings".
13. Choose "All Settings".
14. Under "Devices and Users", choose "General".
15. Choose "Enrollment".
16. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected. If "Directory" is unchecked, select it. If any other boxes are checked, uncheck them.
17. If any changes were made to "Authentication Modes" settings, click "Save".
18. Choose "X" to close the window.
To verify and remove any administrator accounts that are not Directory Service accounts:
19. Choose Accounts >> Administrators >> List View.
20. Review user types under the "Admin Type" heading, and select all users, and only users, with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the Basic Admin Type will cause the "More Actions" drop-down to appear.
21. From the More Actions drop-down, select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s).
22. Click "OK" to delete the selected accounts.
To verify and remove user accounts that are not Directory Service accounts:
23. Choose Accounts >> Users >> List View.
If only a small number of user accounts are listed, it is recommended to use the following steps:
a. Under the "General Info" tab, click each username link to view the user's summary data.
b. Under "Type" in the "User Info" column, if "Basic" is listed, the user account must be removed. Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window.
c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined.
If a large number of user accounts are listed, it is recommended to use the following steps instead:
a. Choose the "Export" drop-down and select the format to be used for the export list.
b. An "Export List" pop-up window will appear with instructions on where the exported list of user accounts is located.
c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, the account must be deleted.
d. To delete a user account, click the username link of the user account under "List View". Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window.
e. Choose "List View" again to be presented with the list of remaining user accounts and repeat step d until all user accounts with a Security Type of "Basic" have been deleted.
Exception: One local "Emergency" account may remain.
Review the MDM platform to verify user and administrator authentication is implemented via an enterprise directory service. On the Workspace ONE UEM console, complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users and administrators can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server:
1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html".
2. Log in to the Workspace ONE UEM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under the "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under the "Server" tab, verify directory service connection information.
8. Under the "User" tab, verify User Group connection information.
9. Under the "Group" tab, verify Group connection information.
10. Choose "X" to close the screen.
11. Choose "Groups and Settings".
12. Choose "All Settings".
13. Under "Devices and Users", choose "General".
14. Choose "Enrollment".
15. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected.
If on the Workspace ONE UEM server console "Directory" is not selected as the authentication mode, this is a finding.
If the MDM platform user authentication is not implemented via an enterprise directory service, this is a finding.
To verify administrators can only use directory services accounts:
16. Choose Accounts >> Administrators >> List View.
17. Review user types under the Admin Type heading. If any users have an Admin Type of "Basic", this is a finding.
Exception: One local "Emergency" account may remain that uses WS1 authentication services.
To verify users can only use directory services accounts:
18. Choose Accounts >> Users >> List View.
If only a small number of user accounts are listed, it is recommended to use the following steps:
a. Under the "General Info" tab, click each username link to view the user's summary data.
b. Under "Type" in the "User Info" column, if "Basic" is listed, this is a finding.
c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined.
If a large number of user accounts are listed, it is recommended to use the following steps instead:
a. Choose the "Export" drop-down and select the format to be used for the export list.
b. An "Export List" pop-up window will appear with instructions on where to locate and examine the exported list of user accounts.
c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, this is a finding.
Configure the MDM platform so that user and administrator authentication is implemented via an enterprise directory service. On the Workspace ONE UEM console, complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server.
Exception: One local "Emergency" account may remain that uses WS1 authentication services.
1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html".
2. Log in to the Workspace ONE UEM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under the "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under the "Server" tab, verify directory service connection information. If not set according to organizational rules, modify the directory service connection to the correct setting.
8. Under the "User" tab, verify User Group connection information. If not set according to organizational rules, modify the User Group connection to the correct setting.
9. Under the "Group" tab, verify Group connection information. If not set according to organizational rules, modify the Group connection to the correct setting.
10. If any changes were made to Server, User, or Group settings, click "Save".
11. Choose "X" to close the screen.
12. Choose "Groups and Settings".
13. Choose "All Settings".
14. Under "Devices and Users", choose "General".
15. Choose "Enrollment".
16. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected. If "Directory" is unchecked, select it. If any other boxes are checked, uncheck them.
17. If any changes were made to "Authentication Modes" settings, click "Save".
18. Choose "X" to close the window.
To verify and remove any administrator accounts that are not Directory Service accounts:
19. Choose Accounts >> Administrators >> List View.
20. Review user types under the "Admin Type" heading, and select all users, and only users, with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the Basic Admin Type will cause the "More Actions" drop-down to appear.
21. From the More Actions drop-down, select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s).
22. Click "OK" to delete the selected accounts.
To verify and remove any user accounts that are not Directory Service accounts:
23. Choose Accounts >> Users >> List View.
If only a small number of user accounts are listed, it is recommended to use the following steps:
a. Under the "General Info" tab, click each username link to view the user's summary data.
b. Under "Type" in the "User Info" column, if "Basic" is listed, the user account must be removed. Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window.
c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined.
If a large number of user accounts are listed, it is recommended to use the following steps instead:
a. Choose the "Export" drop-down and select the format to be used for the export list.
b. An "Export List" pop-up window will appear with instructions on where the exported list of user accounts is located.
c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, the account must be deleted.
d. To delete a user account, click the username link of the user account under "List View". Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window.
e. Choose "List View" again to be presented with the list of remaining user accounts and repeat step d until all user accounts with a Security Type of "Basic" have been deleted.
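The "large number of accounts" branch of the check and fix above relies on reviewing an exported account list. The following Python script, added here as an illustration and not part of the STIG or of Workspace ONE UEM, automates that review: it parses an exported list, returns every account whose type column reads "Basic", and applies the one-local-Emergency-account exception. The sample exports are constructed; the column headings "Admin Type" and "Security Type" are the ones the STIG text names, while the "Username" column and the CSV format of the export are assumptions about what the console produces.

```python
"""Audit exported Workspace ONE UEM account lists for non-directory ("Basic") accounts."""
import csv
import io
from typing import Dict, List, Optional

# Constructed sample exports (not real data). "Admin Type" and "Security Type"
# are the column headings the STIG refers to; "Username" and the CSV layout are
# assumptions about the export format.
ADMIN_EXPORT = """Username,Admin Type
jdoe,Directory
svc-emergency,Basic
asmith,Directory
oldinstaller,Basic
"""

USER_EXPORT = """Username,Security Type
user1,Directory
user2,Directory
contractor9,Basic
"""


def basic_accounts(export_text: str, type_column: str) -> List[str]:
    """Return the usernames whose account type column is 'Basic' (case-insensitive)."""
    reader = csv.DictReader(io.StringIO(export_text))
    if type_column not in (reader.fieldnames or []):
        raise ValueError(f"export has no {type_column!r} column")
    return [
        row["Username"]
        for row in reader
        if row[type_column].strip().lower() == "basic"
    ]


def evaluate(basic: List[str], emergency_account: Optional[str] = None) -> Dict[str, object]:
    """Apply the STIG rule: every Basic account is a finding, except the one
    designated local emergency account (if the organization has named one)."""
    allowed = [u for u in basic if u == emergency_account]
    offenders = [u for u in basic if u != emergency_account]
    return {
        "basic_accounts": basic,
        "allowed_emergency": allowed,
        "offending_accounts": offenders,
        "finding": bool(offenders),
    }


if __name__ == "__main__":
    admins = evaluate(basic_accounts(ADMIN_EXPORT, "Admin Type"), emergency_account="svc-emergency")
    users = evaluate(basic_accounts(USER_EXPORT, "Security Type"))
    for label, result in (("administrators", admins), ("users", users)):
        status = "FINDING" if result["finding"] else "compliant"
        print(f"{label}: {status}; remove {result['offending_accounts']}")
```

Run against real exports, pass the designated emergency account name to `evaluate` for the administrator list only; user accounts get no exception, so the default `None` is correct there.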
Verify the installed version of Workspace ONE UEM server is currently supported. On the Workspace ONE UEM server console, do the following to determine the version number of the server:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Click "About" at the bottom of the left-hand menu. The version and build of the installed software will be displayed.
List of currently supported versions: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf (scroll to Workspace ONE UEM Console).
If the displayed Workspace ONE server version is not currently supported, this is a finding.
Update the Workspace ONE UEM server to a supported version. See (https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf) for the list of current Workspace ONE UEM supported versions.
Review the MDM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on the MDM server platform, or if it is not configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, this is a finding.
Install and configure a DoD-approved firewall to protect the network segment on which the Workspace ONE UEM server is installed.
Ask the MDM administrator for a list of ports, protocols, and IP address ranges necessary to support MDM server and platform functionality. A list can usually be found in the STIG Supplemental document or MDM product documentation. Compare the list against the configuration of the firewall and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.
Configure the firewall on the MDM server to only permit ports, protocols, and IP address ranges necessary for operation.
Ask the MDM administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the MDM server or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.
Turn off any ports, protocols, and services on the MDM host-based firewall that are not on the DoD PPSM CAL list.
Review the configuration for Workspace ONE UEM server administrative accounts for any local accounts:
1. Log in to the Workspace ONE UEM Administration console.
2. Choose Accounts >> Administrators >> List View.
3. Review user types under the Admin Type heading.
If any users have an Admin Type of "Basic", this is a finding.
Exception: One local "Emergency" account may remain.

Configure the Workspace ONE UEM server to remove any local accounts created during installation and configuration.
Exception: One local "Emergency" account may remain.
1. Log in to the Workspace ONE UEM Administration console.
2. Choose Accounts >> Administrators >> List View.
3. Review user types under the Admin Type heading, and select all users, and only users, with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the "Basic" Admin Type will cause the "More Actions" drop-down to appear.
4. From the More Actions drop-down, select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s).
5. Click "OK" to delete the selected accounts.
Review the MDM Agent documentation and configuration settings to determine if the following function is enabled: read audit logs of the MD. This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> Devices & Users >> General >> Privacy and enable Request Device Log in the privacy settings.
If "Request Device Log" is present, then no device log is being requested from the MD and this is a finding.

Configure the MDM Agent to enable the following function: read audit logs of the MD. On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> Devices & Users >> General >> Privacy and enable Request Device Log in the privacy settings.
3. Select "SAVE".
Verify WS1 UEM is configured to enforce a local account password length of at least 15 characters for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Verify "Minimum Password Length" is set to 15.
If the minimum password length is not set to 15, this is a finding.

Configure WS1 UEM to enforce a local account password length of at least 15 characters for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Configure "Minimum Password Length" to 15.
Verify WS1 UEM is configured to enforce a local account password with at least one lowercase letter, one uppercase letter, one number, and one special character for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Verify "Password complexity level" is set to "Mixed case, alphabetic, numeric and special characters".
If password complexity is not set as listed above, this is a finding.

Configure WS1 UEM to enforce a local account password with at least one lowercase letter, one uppercase letter, one number, and one special character for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Configure "Password complexity level" to "Mixed case, alphabetic, numeric and special characters".
Verify WS1 UEM is configured to have a local account password lifetime of 60 days for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Verify "Password Expiration Period (days)" is set to 60.
If WS1 UEM is not configured to have a local account password lifetime of 60 days, this is a finding.

Configure WS1 UEM to have a local account password lifetime of 60 days for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Configure "Password Expiration Period (days)" to 60.
Verify WS1 UEM is configured to prohibit password reuse for a minimum of five generations for local account passwords for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Verify "Enforced password history" is set to "5 passwords remembered".
If WS1 UEM is not configured to prohibit password reuse for a minimum of five generations for local account passwords, this is a finding.

Configure WS1 UEM to prohibit password reuse for a minimum of five generations for local account passwords for the emergency local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Configure "Enforced password history" to "5 passwords remembered".
Verify WS1 UEM is configured to enforce a limit of three invalid logon attempts for a local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Verify "Maximum invalid login attempts" is set to 3.
If WS1 UEM is not configured to enforce a limit of three invalid logon attempts for a local account, this is a finding.

Configure WS1 UEM to enforce a limit of three invalid logon attempts for a local account.
1. Log in to the WS1 UEM console.
2. Go to Settings >> Admin >> Console Security >> Passwords.
3. Configure "Maximum invalid login attempts" to 3.
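Several of the checks on this page reduce to comparing one console value against a threshold: the idle session timeout (15 minutes or less), the Android and iOS sample intervals (six hours / 360 minutes or less), and the local-account password settings above (minimum length, complexity level, expiration period, history, and invalid-attempt limit). The Python script below, added here as an illustration and not part of the STIG or of Workspace ONE UEM, evaluates all of them in one pass over a settings snapshot. Assumptions: the snapshot shape (setting name mapped to a `(value, unit)` pair, or a plain string for the complexity level) is invented for the example, since the page does not describe a settings export; values are normalized to minutes so that a "Heartbeat Interval" recorded in minutes is compared correctly against a limit given in hours; and a setting stricter than the STIG value (a longer minimum length, a shorter expiration) is treated as compliant, which reads the requirement text's "at least" / "or less" rather than the check text's exact values.

```python
"""Evaluate a Workspace ONE UEM console settings snapshot against the STIG thresholds on this page."""
from typing import Dict, List, Tuple

# Unit normalization so limits and observed values can be stated in different units.
MINUTES_PER = {"minutes": 1, "hours": 60, "days": 24 * 60}


def to_minutes(value: float, unit: str) -> float:
    """Convert a duration to minutes; raises KeyError for an unknown unit."""
    return value * MINUTES_PER[unit]


# (setting name, limit, unit, mode). mode "max": observed must be <= limit;
# mode "min": observed must be >= limit. Unit "count" means a plain number.
REQUIREMENTS: List[Tuple[str, float, str, str]] = [
    ("Idle Session Timeout", 15, "minutes", "max"),
    ("Heartbeat Interval", 6, "hours", "max"),
    ("Application List Interval", 360, "minutes", "max"),
    ("Device Information Sample", 6, "hours", "max"),
    ("Application List Sample", 6, "hours", "max"),
    ("Managed App List Sample", 6, "hours", "max"),
    ("Minimum Password Length", 15, "count", "min"),
    ("Password Expiration Period (days)", 60, "days", "max"),
    ("Enforced password history", 5, "count", "min"),
    ("Maximum invalid login attempts", 3, "count", "max"),
]
REQUIRED_COMPLEXITY = "Mixed case, alphabetic, numeric and special characters"

# Constructed snapshot (assumed format, not a real export). Deliberately mixes
# units and omits one setting so the checker's edge cases are exercised.
OBSERVED: Dict[str, object] = {
    "Idle Session Timeout": (30, "minutes"),          # too long
    "Heartbeat Interval": (240, "minutes"),            # 4 h, compliant despite the unit
    "Application List Interval": (720, "minutes"),     # too long
    "Device Information Sample": (4, "hours"),
    "Application List Sample": (6, "hours"),           # exactly at the limit
    # "Managed App List Sample" intentionally absent
    "Minimum Password Length": (15, "count"),
    "Password complexity level": REQUIRED_COMPLEXITY,
    "Password Expiration Period (days)": (90, "days"),  # too long
    "Enforced password history": (5, "count"),
    "Maximum invalid login attempts": (3, "count"),
}


def check_settings(observed: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (setting, reason) for every requirement not met; an empty list means compliant."""
    findings: List[Tuple[str, str]] = []
    for name, limit, unit, mode in REQUIREMENTS:
        if name not in observed:
            findings.append((name, "not configured"))
            continue
        value, obs_unit = observed[name]  # type: ignore[misc]
        if unit == "count":
            got, want = float(value), float(limit)
        else:
            got, want = to_minutes(value, obs_unit), to_minutes(limit, unit)
        ok = got <= want if mode == "max" else got >= want
        if not ok:
            findings.append((name, f"{value} {obs_unit} violates {mode} {limit} {unit}"))
    level = observed.get("Password complexity level")
    if level != REQUIRED_COMPLEXITY:
        findings.append(("Password complexity level", f"{level!r} != {REQUIRED_COMPLEXITY!r}"))
    return findings


if __name__ == "__main__":
    for setting, reason in check_settings(OBSERVED):
        print(f"FINDING: {setting}: {reason}")
```

Each entry in the returned list corresponds to one "this is a finding" condition on this page, and a missing setting is reported rather than silently passed, so a snapshot taken from a console where a sample schedule was never configured does not appear compliant.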
Verify WS1 UEM is using multifactor authentication for the local emergency account. Use one of the following two methods to confirm compliance:
Method 1
Have the emergency account admin user log in to the emergency account and verify the server requires 2FA before console access is granted.
Method 2
1. Log in to the WS1 UEM console.
2. Go to Accounts >> Administrators >> List View.
3. Select the Emergency account user and double-click the account.
4. In the Add/Edit Admin screen, verify "Two-Factor Authentication" has been selected with either Email or SMS. Verify Notification has been selected and the token expiration time is 10 minutes or less.
If WS1 UEM is not using multifactor authentication for the local emergency account, this is a finding.

Configure WS1 UEM to use multifactor authentication for the local emergency account.
1. Log in to the WS1 UEM console.
2. Go to Accounts >> Administrators >> List View.
3. Select Add, then Add Admin.
4. Select "Basic" for the User Type and fill in the user name, password, etc.
5. Select "Two-Factor Authentication", then select email or SMS as the delivery method and a token expiration time of 10 minutes or less.
6. Select either email or SMS Notification.
7. Complete all other required fields in the enrollment form, including either the telephone number or email address of the emergency account user.
8. Select Save.