Check: BBCP-00-013700
BlackBerry CylancePROTECT Mobile for UEM STIG:
BBCP-00-013700
(in versions v1 r2 through v1 r1)
Title
CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation boot state failure occurs (Android only):
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".

(Cat II impact)
Discussion
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.
Check Content
Verify the following compliance actions when a hardware attestation boot state failure occurs are configured (Android only):
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Select the appropriate compliance profile (have the site system administrator identify the profile).
4. On the Android tab in the BlackBerry Protect section, verify the "Hardware attestation boot state is unverified" is selected.
5. In the "Prompt behavior" drop-down list, verify "Immediate enforcement action" is selected.
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions when a hardware attestation boot state failure occurs are not configured, this is a finding.
Fix Text
Configure the following compliance actions when a hardware attestation boot state failure occurs (Android only):
- Prompt behavior: "Immediate enforcement action".
- Enforcement action for BlackBerry Dynamics apps: "Do not allow BlackBerry Dynamics apps to run".

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, select the "Hardware attestation boot state is unverified" check box.
5. In the "Prompt behavior" drop-down list, select "Immediate enforcement action".
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
7. Click "Add" or "Save".
8. Assign the profile to users and groups.
Additional Identifiers
Rule ID: SV-257271r918397_rule
Vulnerability ID: V-257271
Group Title: SRG-APP-000516-AS-000237
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |