{"stig":{"title":"BlackBerry UEM Security Technical Implementation Guide","version":"2","release":"1"},"checks":[{"vulnId":"V-224371","ruleId":"SV-224371r604136_rule","severity":"low","ruleTitle":"The BlackBerry UEM server must [selection: invoke platform-provided functionality, implement functionality] to generate an audit record of the following auditable events: c. [selection: Commands issued to the MDM Agent].","description":"Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. For audit logs to be useful, administrators must have the ability to view them.\n\nSFR ID: FAU_GEN.1.1(1)","checkContent":"Review the audit record which can be found in the UEM console in Settings >> Infrastructure >> Audit settings >> Security event audit settings section.\n\nVerify both \"Command\" events are listed and \"setting\" is set to \"All\" for the \"Command delivered\" event.\nIf both \"Command\" events are not listed and \"setting\" is not set to \"All\" for the \"Command delivered\" event, this is a finding.","fixText":"On the BlackBerry UEM, do the following:\n1. On the menu bar, click Settings >> Infrastructure >> Audit settings.\n2. In the right pane, click the edit icon.\n3. To add security events to audit, click + . Select the events and click Add.\n4. Select each \"Command\" event (Command delivered, Command sent).\n5. In the Setting column, select \"all\" for the \"Command delivered\" event. \n6. Click Save.\nNote: For audit record fields for server audits, include: Commands sent to the device.","ccis":["CCI-000366"]},{"vulnId":"V-224372","ruleId":"SV-224372r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must be configured to communicate the following commands to the MDM Agent: read audit logs kept by the MD.","description":"Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. 
For audit logs to be useful, administrators must have the ability to view them.\n\nSFR ID: FMT_SMF.1.1(1) #19","checkContent":"Verify each Android device being managed by UEM has been configured to enable device auditing.\n\nVerify the policy pushed by UEM to each Android device include \"Enable auditing\".\n\nIf auditing has not been enabled for each Android device being managed by UEM, this is a finding.","fixText":"This requirement is only applicable on Android devices and is configured via each Android device STIG (enabling device Auditing).\n\nEnable device auditing for each Android device being managed by UEM using procedures in the Android STIG.","ccis":["CCI-000366"]},{"vulnId":"V-224374","ruleId":"SV-224374r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user (MDM system administrator) stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to leaving the vicinity, applications must be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead.\n\nSFR ID: FMT_SMF.1.1(2) c.8","checkContent":"Review the BlackBerry UEM server configuration to determine whether the system is locked after 15 minutes. \n\nHave the system administrator log into the console. 
Verify the session locks after 15 minutes of inactivity.\n\nIf the \"Session timeout\" is not set correctly, this is a finding.","fixText":"On the BlackBerry UEM, do the following to set the session timeout:\n1. Log in to the BlackBerry UEM console.\n2. Go to the menu bar on the left.\n3. Go to Settings >> General Settings >> Console.\n4. Under \"Session settings\", enter \"15\".\n5. Select \"Save\".","ccis":["CCI-000057"]},{"vulnId":"V-224375","ruleId":"SV-224375r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must be configured to transfer BlackBerry UEM server logs to another server for storage, analysis, and reporting. \n\nNote: BlackBerry UEM server logs include logs of MDM events and logs transferred to the BlackBerry UEM server by MDM agents of managed devices.","description":"Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the BlackBerry UEM server has limited capability to store mobile device log files and perform analysis and reporting of mobile device log files, the BlackBerry UEM server must have the capability to transfer log files to an audit log management server.\n\nSFR ID: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1)","checkContent":"Review the Syslog audit records from the syslog audit management server and verify UEM logs are included.\n\nIf UEM logs are not found on the Syslog server, this is a finding.","fixText":"The Admin must access the UEM server.\nConfiguring trust: \n1. Get the CA that signs the Syslog server cert.\n2. Upload the CA into the UEM server.\n - From the CMD prompt on the UEM server follow the instructions found on page 70-71 of the Admin Guide, \"Setup export of server audit records to a syslog server\".\n3. 
Configure UEM to send audit data to the Syslog server.\n - Copy the script in Appendix A of the Admin Guide.\n - In the script, change the hostname and port number to match your environment.\n - Set the host name and port number, for example:\n SET @v_hostname = 'localhost';\n SET @v_port = '31000';\n4. Execute the SQL script against the BlackBerry UEM database. \n5. Restart the BlackBerry UEM Core service.","ccis":["CCI-001851"]},{"vulnId":"V-224376","ruleId":"SV-224376r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must be configured to display the required DoD warning banner upon administrator logon. \n\nNote: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).","description":"Note: The advisory notice and consent warning message is not required if the general purpose OS or network device displays an advisory notice and consent warning message when the administrator logs on to the general purpose OS or network device prior to accessing the BlackBerry UEM server or BlackBerry UEM server platform.\n\nBefore granting access to the system, the BlackBerry UEM server/server platform is required to display the DoD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met.\n\nThe approved DoD text must be used as specified in the KS referenced in DoDI 8500.01.\n\nThe non-bracketed text below must be used without any changes as the warning banner. \n\n[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. 
The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”]\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nSFR ID: FMT_SMF.1.1(2) c.2","checkContent":"Review the BlackBerry UEM server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. \nOn the BlackBerry UEM, do the following:\n1. Log in to the BlackBerry UEM console.\n2. Select the \"Settings\" tab on the left pane.\n3. 
Expand the \"General\" settings tab on the left pane.\n4. Select \"Login notices\" from the menu in the left pane.\n5. Verify the checkbox next to \"Enable a login notice for the management console\" is checked.\n6. Verify the console logon notice text exactly matches the VulDiscussion text. \n7. Verify the checkbox next to \"Enable a login notice for the self-service console\" is checked if the self-service portal is used at the site.\n8. Verify the self-service console logon notice text exactly matches the VulDiscussion text. \n\nAlternately, have the administrator log in to the UEM console to view the warning banner.\n\nIf the console notice wording does not exactly match the VulDiscussion text, this is a finding.","fixText":"On the BlackBerry UEM, do the following:\n1. Log in to the BlackBerry UEM console.\n2. Select the \"Settings\" tab on the left pane.\n3. Expand the \"General\" settings tab on the left pane.\n4. Select \"Login notices\" from the menu in the left pane.\n5. Click the \"pencil\" icon (upper right corner) to edit the \"Login notice\".\n6. Select the checkbox next to \"Enable a login notice for the management console\".\n7. In the \"Enable a login notice for the management console\" field, type the DoD banner found in the VulDiscussion.\n8. Click \"Save\". \n\nIf the self-service portal is used in the organization, select the checkbox next to \"Enable a login notice for the self-service console\" before selecting \"Save\" in step 8.","ccis":["CCI-000048"]},{"vulnId":"V-224377","ruleId":"SV-224377r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.","description":"Having several administrative roles for the BlackBerry UEM server supports separation of duties. 
This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.\n\n- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.\n- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.\n- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.\n- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.\n\nSFR ID: FMT_SMR.1.1(1)","checkContent":"Review the BlackBerry UEM server configuration settings.\n\nVerify the server is configured with the \"Administrator\" roles: \na. UEM Security Administrator;\nb. Auditor;\nc. One or more Site Custom Administrator or UEM predefined enterprise/help desk roles.\n\nNote: The exact name of the role is not important. 
Each role should include functions close to the role descriptions listed in the VulDiscussion.\n\nNote: The intent of the requirement is that separate people perform each administrator role; few users are assigned to the \"UEM Security Administrator\" role; the \"auditor\" role is limited to only authorized permissions; and day-to-day management of user accounts, group accounts, and profiles are performed from site-specific custom administrator roles or UEM predefined enterprise/help desk roles instead of the \"UEM Security Administrator\".\n\nOn the BlackBerry UEM, do the following:\n1. Log in to the BlackBerry UEM console.\n2. Select the \"Settings\" tab at the top of the screen.\n3. Expand the \"General\" settings tab on the left pane.\n4. Expand the \"Administrators\" tab on the left pane.\n5. Select the \"Roles\" tab on the left pane.\n6. Verify at least one user is assigned to each of the following roles:\na. UEM Security Administrator;\nb. Auditor;\nc. One or more Site Custom Administrator or UEM predefined enterprise/help desk roles.\n\nVerify the auditor role function is limited to only reviewing and maintaining server and mobile device audit logs as follows:\n1. Log in to the BlackBerry UEM console. Select the \"Settings\" tab at the top of the screen.\n2. Expand the \"Administrators\" tab on the left pane.\n3. Select the \"Roles\" tab on the left pane.\n4. Click the \"Auditor\" role.\n5. 
Verify the role only has the following permissions assigned:\n- View audit information;\n- View audit settings;\n- Edit audit settings and purge data; and\n- Edit logging settings.\n\nTalk to the \"UEM Security Administrator\".\n\nVerify custom administrator roles/UEM predefined enterprise/help desk roles are used for day-to-day management of user accounts, group accounts, and profiles.\n\nIf at least one user is not associated with the \"UEM Security Administrator\", \"Auditor\", and one or more site custom administrator roles/UEM predefined enterprise/help desk roles, this is a finding.\n\nIf the \"auditor\" role has more permissions than authorized, this is a finding.\n\nIf day-to-day management of user accounts, group accounts, and profiles is primarily performed by \"UEM Security Administrators\" instead of one or more site custom administrator roles/UEM predefined enterprise/help desk roles, this is a finding.","fixText":"On the BlackBerry UEM, do the following:\n\nUsing the procedures below:\n- Assign at least one user to the UEM Security Administrator role. Few administrators should be assigned to this role. \nNote: UEM automatically restricts the following functions to only the Security Administrator: Full permissions to manage the BlackBerry Enterprise Solution. Create and edit roles.\n- Define an \"Auditor\" role (see the VulDiscussion for role functions). Assign at least one user (UEM administrator) to the role. 
The role should include only the following UEM permissions:\n ** View audit information;\n ** Delete BlackBerry Dynamics audit log files;\n ** View and export BlackBerry Dynamics audit log files;\n ** View audit settings;\n ** Edit audit settings and purge data;\n ** Edit logging settings.\n- Define site custom administrator roles or UEM predefined enterprise/help desk roles as needed to administer device policies and user accounts (for example, see the Security Configuration Administrator and Device User Group Administrator in the VulDiscussion). Assign users to the roles as required. These roles should be used for day-to-day management of user accounts, group accounts, and profiles.\n\nTo set up specific roles, do the following:\n1. Go to Settings >> Administrators >> Roles.\n2. Select \"roles\" in the left pane.\n3. Select \"add a role\" on the top right.\n4. Assign appropriate name and functions to the role. \n5. Click \"Save\".\n\nTo assign users or groups to a role, do the following:\n1. Log in to the BlackBerry UEM console and select the \"Settings\" tab at the top of the screen.\n2. Expand the \"General\" settings tab on the left pane.\n3. Expand the \"Administrators\" tab on the left pane.\n\nTo assign a role to a user:\n1. Click \"Users\".\n2. Click the \"Add an administrator icon\" (upper right corner).\n3. If necessary, search for a user account.\n4. Click the name of the user account.\n5. In the Role drop-down list, click the role to be added.\n6. Click \"Save\".\n\nTo assign a role to a group:\n1. Click \"Groups\".\n2. Click the Add an administrator icon (upper right corner).\n3. If necessary, search for a user group.\n4. Click the name of the user group.\n5. In the Role drop-down list, click the role to be added.\n6. Click \"Save\".\n\nNote: The intent of the requirement is that separate people perform each administrator role. 
The exact name of the role is not important.","ccis":["CCI-002226","CCI-002227","CCI-000366"]},{"vulnId":"V-224378","ruleId":"SV-224378r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must be configured to audit DoD or site-defined auditable events. Note: See VulDiscussion for a list of DoD required auditable events.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the application will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.\n\nDoD Required auditable events (from the MDM Protection Profile):\n- Change in enrollment status\n- Failure to apply policies to a mobile device\n- Start up and shut down of the MDM System\n- All administrative actions\n- Commands issued to the MDM Agent, none]\n- Specifically defined auditable events 
listed in Table 2 of the MDM Protection Profile\n\nSFR ID: FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8","checkContent":"Review the list of audit events:\n1. In the UEM console go to Settings >> Infrastructure >> Audit settings.\n2. Verify all required events are listed and \"setting\" is set to \"All\" for all events where this selection is available. \n\nNote: Events are organized by category. All events for each required event category should be selected (see the list below).\n\nIf all required events are not listed and \"setting\" is not set to \"All\" for all events where this selection is available, this is a finding.\n\nRequired events: all \"Enrollment\" events, all \"Policy\" events, all \"Server\" events, all \"System\" related events, and all \"Application\" events","fixText":"On the BlackBerry UEM console, do the following:\n1. On the menu bar, click Settings >> Infrastructure >> Audit settings.\n2. In the right pane, click the edit icon.\n3. To add security events to audit, click + . Select the events and click Add.\n4. Select each event in each event category from the list below.\n5. In the Setting column, ensure \"all\" has been selected for each event that has this selection available. \n6. Click Save.\n\nRequired events: all \"Enrollment\" events, all \"Policy\" events, all \"Server\" events, all \"System\" related events, and all \"Application\" events","ccis":["CCI-000168"]},{"vulnId":"V-224379","ruleId":"SV-224379r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must be configured to leverage the MDM platform user accounts and groups for BlackBerry UEM server user identification and CAC authentication.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire BlackBerry UEM server infrastructure is at risk. 
Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the BlackBerry UEM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FIA","checkContent":"Review the BlackBerry UEM server configuration settings.\n\nVerify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM server user identification and authentication.\n\nOn the BlackBerry UEM, do the following:\n1. Navigate to the BlackBerry UEM console.\n2. Verify the BlackBerry UEM does not prompt for additional authentication before opening the UEM console.\n\nIf the BlackBerry UEM server prompts for additional authentication before opening the UEM console, this is a finding.","fixText":"On the BlackBerry UEM, do the following:\n\nConfigure constrained delegation for the Microsoft Active Directory account to support single sign-on:\n\n1. Log in to the BlackBerry UEM host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account:\n- HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)\n- BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)\n Note:\n- If high availability is configured for the management consoles in a UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console.\n- Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.\n2. Open \"Microsoft Active Directory Users and Computers\".\n3. In the Microsoft Active Directory account properties, on the \"Delegation\" tab, select the following options:\n- Trust this user for delegation to specified services only.\n- Use Kerberos only.\n4. 
Add the SPNs from Step 1 to the list of services.\n\nConfigure single sign-on for UEM:\nNote: \n- When configuring single sign-on for UEM, it is configured for the management console and UEM Self-Service.\n- If enabling single sign-on for multiple Microsoft Active Directory connections, verify there are no trust relationships between the Microsoft Active Directory forests.\n1. Log in to the BlackBerry UEM console.\n2. Select the \"Settings\" tab on the left pane.\n3. Click the \"External integration\" tab on the left pane.\n4. Click \"Company directory\".\n5. In the \"Configured directory connections\" section, click the name of a Microsoft Active Directory connection.\n6. On the \"Authentication\" tab, select the checkbox next to \"Enable Windows single sign-on\".\n7. Click \"Save\".\n8. Click \"Save\" on the pop-up window.\nNote: UEM validates the information for Microsoft Active Directory authentication. If the information is invalid, UEM prompts to specify the correct information.\n9. Click \"Close\".\n10. Restart the UEM services on each server that hosts a UEM instance.","ccis":["CCI-000015"]},{"vulnId":"V-224380","ruleId":"SV-224380r604136_rule","severity":"medium","ruleTitle":"Authentication of MDM platform accounts must be configured so they are implemented via an enterprise directory service.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire BlackBerry UEM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. 
These objectives are best achieved by configuring the BlackBerry UEM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FIA","checkContent":"Review the BlackBerry UEM server configuration settings.\n\nVerify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM server user identification and authentication.\n\nOn the BlackBerry UEM, do the following:\n1. Navigate to the BlackBerry UEM console.\n2. Verify the BlackBerry UEM does not prompt for additional authentication before opening the UEM console.\n\nIf the BlackBerry UEM server prompts for additional authentication before opening the UEM console, this is a finding.","fixText":"On the BlackBerry UEM, do the following:\n\nConfigure constrained delegation for the Microsoft Active Directory account to support single sign-on:\n\n1. Log in to the BlackBerry UEM host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account:\n- HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)\n- BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)\n Note:\n- If high availability is configured for the management consoles in a UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console.\n- Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.\n2. Open \"Microsoft Active Directory Users and Computers\".\n3. In the Microsoft Active Directory account properties, on the \"Delegation\" tab, select the following options:\n- Trust this user for delegation to specified services only.\n- Use Kerberos only.\n4. 
Add the SPNs from Step 1 to the list of services.\n\nConfigure single sign-on for UEM:\nNote: \n- When configuring single sign-on for UEM, it is configured for the management console and UEM Self-Service.\n- If enabling single sign-on for multiple Microsoft Active Directory connections, verify there are no trust relationships between the Microsoft Active Directory forests.\n1. Log in to the BlackBerry UEM console.\n2. Select the \"Settings\" tab on the left pane.\n3. Click the \"External integration\" tab on the left pane.\n4. Click \"Company directory\".\n5. In the \"Configured directory connections\" section, click the name of a Microsoft Active Directory connection.\n6. On the \"Authentication\" tab, select the checkbox next to \"Enable Windows single sign-on\".\n7. Click \"Save\".\n8. Click \"Save\" on the pop-up window.\nNote: UEM validates the information for Microsoft Active Directory authentication. If the information is invalid, UEM prompts to specify the correct information.\n9. Click \"Close\".\n10. Restart the UEM services on each server that hosts a UEM instance.","ccis":["CCI-000015"]},{"vulnId":"V-224381","ruleId":"SV-224381r604136_rule","severity":"high","ruleTitle":"The BlackBerry UEM server must be maintained at a supported version.","description":"Versions of BlackBerry UEM are maintained by BlackBerry for specific periods of time. Unsupported versions will not receive security updates for new vulnerabilities which leaves them subject to exploitation.\n\nA list of supported UEM versions is maintained by BlackBerry here: https://www.blackberry.com/us/en/support/software-support-life-cycle.\n\nSFR ID: FPT_TUD_EXT.1","checkContent":"Review the UEM console version, via the help page. 
Correlate the version with the latest supported version of UEM.\n\nIf the installed version of UEM is not a supported version, this is a finding.","fixText":"The administrator must check https://www.blackberry.com/uk/en/support/software-support-life-cycle for the latest supported and unsupported versions of software.\n\nOnce confirmed, the administrator must update BlackBerry UEM to the latest supported version after completing the following pre-upgrade tasks: https://docs.blackberry.com/en/endpoint-management/blackberry-uem/12_12/installation-configuration/installation-and-upgrade/ksa1400184024142 & https://docs.blackberry.com/en/endpoint-management/blackberry-uem/12_12/installation-configuration/installation-and-upgrade/ksa1400184232267/ksa1420584119147.","ccis":["CCI-000366"]},{"vulnId":"V-224382","ruleId":"SV-224382r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server platform must be protected by a DoD-approved firewall.","description":"Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The BlackBerry UEM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the BlackBerry UEM server runs on a standalone platform. 
Network firewalls or other architectures may be preferred where the BlackBerry UEM server runs in a cloud or virtualized solution.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7 b\n\nSatisfies: SRG-APP-000142","checkContent":"Review the BlackBerry UEM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address.\n\nIf there is not a host-based firewall present on the BlackBerry UEM server platform, this is a finding.","fixText":"Install a DoD-approved firewall.","ccis":["CCI-000382"]},{"vulnId":"V-224383","ruleId":"SV-224383r604136_rule","severity":"medium","ruleTitle":"The firewall protecting the BlackBerry UEM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BlackBerry UEM server and platform functions.","description":"Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since BlackBerry UEM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the BlackBerry UEM server provides a protection mechanism to ensure unwanted service requests do not reach the BlackBerry UEM server and outbound traffic is limited to only BlackBerry UEM server functionality.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7 b\n\nSatisfies:  SRG-APP-000142","checkContent":"Ask the BlackBerry UEM administrator for a list of ports, protocols, and IP address ranges necessary to support BlackBerry UEM server and platform functionality. 
A list can usually be found in the STIG Supplemental document or BlackBerry UEM product documentation.\n\nCompare the list against the configuration of the firewall and identify discrepancies.\n\nIf the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.","fixText":"Configure the firewall on the BlackBerry UEM server to only permit ports, protocols, and IP address ranges necessary for operation.","ccis":["CCI-000382"]},{"vulnId":"V-224384","ruleId":"SV-224384r604136_rule","severity":"medium","ruleTitle":"The firewall protecting the BlackBerry UEM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).","description":"All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7 b\n\nSatisfies: SRG-APP-000142","checkContent":"Ask the BlackBerry UEM administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the BlackBerry UEM server or generate the list by inspecting the firewall. 
Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list.\n\nIf any allowed ports, protocols, and services on the BlackBerry UEM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.","fixText":"Turn off any ports, protocols, and services on the BlackBerry UEM host-based firewall that are not on the DoD PPSM CAL list.","ccis":["CCI-000382"]},{"vulnId":"V-224385","ruleId":"SV-224385r604136_rule","severity":"medium","ruleTitle":"All BlackBerry UEM server local accounts created during application installation and configuration must be disabled or removed.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire BlackBerry UEM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the BlackBerry UEM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FMT_SMF.1.1(2) b / IA-5(1)(a)\n\nSatisfies: SRG-APP-000148","checkContent":"Review the BlackBerry UEM server configuration settings.\n\nVerify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM 12.11 server user identification and authentication.\n\nOn the BlackBerry UEM, do the following:\n1. Navigate to the BlackBerry UEM console.\n2. 
Verify the BlackBerry UEM does not prompt for additional authentication before opening the UEM console.\n\nIf the BlackBerry UEM server prompts for additional authentication before opening the UEM console, this is a finding.","fixText":"On the BlackBerry UEM, do the following:\n\nConfigure constrained delegation for the Microsoft Active Directory account to support single sign-on:\n\n1. Log in to the BlackBerry UEM 12.12 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account:\n- HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)\n- BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)\nNote:\n- If high availability is configured for the management consoles in a UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console.\n- Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.\n2. Open \"Microsoft Active Directory Users and Computers\".\n3. In the Microsoft Active Directory account properties, on the \"Delegation\" tab, select the following options:\n- Trust this user for delegation to specified services only.\n- Use Kerberos only.\n4. Add the SPNs from Step 1 to the list of services.\n\nConfigure single sign-on for UEM:\nNote:\n- When configuring single sign-on for UEM, it is configured for the management console and UEM Self-Service.\n- If enabling single sign-on for multiple Microsoft Active Directory connections, verify there are no trust relationships between the Microsoft Active Directory forests.\n1. Log in to the BlackBerry UEM 12.12 console.\n2. Select the \"Settings\" tab on the left pane.\n3. Click the \"External integration\" tab on the left pane.\n4. Click \"Company directory\".\n5. In the \"Configured directory connections\" section, click the name of a Microsoft Active Directory connection.\n6. 
On the \"Authentication\" tab, select the checkbox next to \"Enable Windows single sign-on\".\n7. Click \"Save\".\n8. Click \"Save\" on the pop-up window.\nNote: UEM validates the information for Microsoft Active Directory authentication. If the information is invalid, UEM prompts to specify the correct information.\n9. Click \"Close\".\n10. Restart the UEM services on each server that hosts a UEM instance.","ccis":["CCI-000764"]},{"vulnId":"V-224386","ruleId":"SV-224386r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server must connect to [assignment: [SQL Server]] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.","description":"Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec.\n\nCommunication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). 
If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nSatisfies: PP-MDM-431009 / SRG-APP-000439, SRG-APP-000440\n\nSFR ID: FMT_SMF.1.1(2) b / SC-8, SC-8 (1), SC-8 (2)","checkContent":"Talk to the site UEM Administrator to confirm the SQL server has been configured to connect to UEM using the TLS connection or confirm during a review of the SQL server.\n\nIf the SQL server has not been configured to connect to UEM using the TLS connection, this is a finding.","fixText":"Confirm the Administrator has configured the SQL server to connect to UEM using the TLS connection.","ccis":["CCI-002418","CCI-002420","CCI-002421","CCI-002422"]},{"vulnId":"V-224387","ruleId":"SV-224387r604136_rule","severity":"medium","ruleTitle":"The BlackBerry UEM server Blackberry Web Services must not be authorized access from external sources unnecessarily.","description":"By limiting access to the subset of Administrator UI functions to internal administrators, the risk of an attacker developing a custom application to administer UEM and potentially change pre-configured items in UEM is reduced.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7 b\n\nSatisfies: SRG-APP-000142","checkContent":"Verify BlackBerry UEM server Blackberry Web Services has not been configured to allow access from external sources unnecessarily.\n\n1. Log in to the UEM Server console.\n2. On the left bar, access Settings >> General Settings >> Blackberry Web Services access.\n3. Verify the status has not changed from disabled unless the ISSM has approved access.\n\nIf BlackBerry UEM server Blackberry Web Services access from external sources is enabled without ISSM approval, this is a finding.","fixText":"Configure BlackBerry UEM server Blackberry Web Services to block unnecessary access from external sources (default configuration).\n\n1. Access the UEM Server console.\n2. 
On the left bar, access Settings >> General Settings >> Blackberry Web Services access.\n3. If the status is not set to \"disabled\", change the status to \"disabled\" unless access has been approved by the ISSM.","ccis":["CCI-000382"]}]}