Check: BUEM-12-006600
BB UEM 12-7 STIG:
BUEM-12-006600
(in versions v1 r2 through v1 r1)
Title
The BlackBerry UEM 12.7 server must be configured to leverage the MDM platform user accounts and groups for MDM server user identification and authentication. (Cat II impact)
Discussion
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the BlackBerry UEM 12.7 server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). SFR ID: FIA
Check Content
Review the BlackBerry UEM 12.7 server configuration settings, and verify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM 12.7 server user identification and authentication. On the BlackBerry UEM 12.7, do the following: 1. Navigate to the BlackBerry UEM 12.7 console. 2. Verify the BlackBerry UEM 12.7 does not prompt for additional authentication before opening the UEM console. If the BlackBerry UEM 12.7 server prompts for additional authentication before opening the UEM console, this is a finding.
Fix Text
On the BlackBerry UEM 12.7, do the following: Configure constrained delegation for the Microsoft Active Directory account to support single sign-on: 1. Log in to the BlackBerry UEM 12.7 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account: - HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com) - BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com) Note: - If you configured high availability for the management consoles in a UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console. - Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs. 2. Open Microsoft Active Directory Users and Computers. 3. In the Microsoft Active Directory account properties, on the "Delegation" tab, select the following options: - Trust this user for delegation to specified services only - Use Kerberos only 4. Add the SPNs from step 1 to the list of services. Configure single sign-on for UEM: Note: - When you configure single sign-on for UEM, you configure it for the management console and UEM Self-Service. - If you enable single sign-on for multiple Microsoft Active Directory connections, verify that there are no trust relationships between the Microsoft Active Directory forests. 1. Log in to the BlackBerry UEM 12.7 console and select the "Settingsā tab at the left pane. 2. Click on the "External integration" tab on the left pane. 3. Click "Company directory". 4. In the Configured directory connections section, click the name of a Microsoft Active Directory connection. 5. On the Authentication tab, select the check box next to "Enable Windows single sign-on". 6. Click "Save". 7. Click "Save" on popup window. Note: UEM validates the information for Microsoft Active Directory authentication. If the information is invalid, UEM prompts you to specify the correct information. 8. Click "Close". 9. Restart the UEM services on each server that hosts a UEM instance.
Additional Identifiers
Rule ID: SV-93155r1_rule
Vulnerability ID: V-78449
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-002226 |
The organization defines the personnel or roles to whom privileged accounts are to be restricted on the information system. |
CCI-002227 |
The organization restricts privileged accounts on the information system to organization-defined personnel or roles. |