STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

VMware Workspace ONE UEM Security Technical Implementation Guide

  • Version: V2R2
  • Benchmark ID: VMware_Workspace_ONE_UEM_STIG
  • Total Checks: 20
  • Tags: vmware
  • Severity breakdown: CAT I: 7, CAT II: 13, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (20)

  • V-221637 (MEDIUM): The Workspace ONE UEM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.
  • V-221638 (MEDIUM): The Workspace ONE UEM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Workspace ONE UEM server install).
  • V-221640 (MEDIUM): The Workspace ONE UEM server must be configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.
  • V-221641 (MEDIUM): The Workspace ONE UEM server must be configured to display the required DoD warning banner upon administrator logon. Note: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).
  • V-221642 (MEDIUM): The Workspace ONE UEM server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: query connectivity status; query the current version of the MD firmware/software; query the current version of installed mobile applications; read audit logs kept by the MD.
  • V-221643 (MEDIUM): The Workspace ONE UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
  • V-221644 (MEDIUM): The Workspace ONE UEM server must be configured to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication.
  • V-221645 (MEDIUM): Authentication of MDM platform accounts must be configured so they are implemented via an enterprise directory service.
  • V-221646 (HIGH): The Workspace ONE UEM server must be maintained at a supported version.
  • V-221647 (MEDIUM): The Workspace ONE UEM server must be protected by a DoD-approved firewall.
  • V-221648 (MEDIUM): The firewall protecting the Workspace ONE UEM server must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
  • V-221649 (MEDIUM): The firewall protecting the Workspace ONE UEM server must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.)
  • V-221650 (MEDIUM): All Workspace ONE UEM server local accounts created during application installation and configuration must be disabled or removed.
  • V-221651 (MEDIUM): The MDM Agent must be configured to enable the following function: [selection: read audit logs of the MD]. This requirement is inherently met if the function is automatically implemented during MDM Agent install/device enrollment.
  • V-251259 (HIGH): The Workspace ONE UEM local accounts password must be configured with a length of 15 characters.
  • V-251260 (HIGH): The Workspace ONE UEM local accounts must be configured with at least one lowercase character, one uppercase character, one number, and one special character.
  • V-251261 (HIGH): The Workspace ONE UEM local accounts must be configured with a password maximum lifetime of 60 days.
  • V-251262 (HIGH): The Workspace ONE UEM local accounts must prohibit password reuse for a minimum of five generations.
  • V-251263 (HIGH): The Workspace ONE UEM must enforce the limit of three consecutive invalid logon attempts by a user.
  • V-251264 (HIGH): The Workspace ONE UEM must use multifactor authentication for local access to privileged accounts.