BlackBerry UEM STIG Version Comparison
BlackBerry UEM Security Technical Implementation Guide
Comparison
There are 3 differences between versions v1 r1 (July 6, 2020) (the "left" version) and v2 r1 (Jan. 22, 2021) (the "right" version).
Check BUEM-00-000440 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The BlackBerry UEM server must configure the MDM Agent/platform to enable the DoD required device enrollment restrictions allowed for enrollment [specific device model] (if function is not automatically implemented during BlackBerry UEM server install).
Check Content
On the BlackBerry UEM, do the following:
1. Log in to the BlackBerry UEM console.
2. Select the "Policies and profiles" tab on the left pane.
3. Expand the Activation profiles from the menu in the left pane.
4. Select the Activation Profile to be reviewed.
5. Select the "Settings" tab.
Select each supported operating system tab and perform the following:
- Confirm that "Allow selected device models" is selected in the "Device model restrictions" field.
- Verify that the devices listed in the "Allowed device models" field match the list provided by the administrator.
If the "Allow selected device models" is not displayed in the "Device model restrictions" field or the devices listed in the "Allowed device models" field do not match the list provided by the administrator, this is a finding.
Discussion
Good configuration management of a mobile device is a key capability for maintaining the mobile device's security baseline. Restricting network access to only authorized devices is a key configuration management attribute. Device type is a key way to specify mobile devices that can be adequately secured.
SFR ID: FMT_SMF.1.1(2) b, FIA_ENR_EXT.1.2
Fix
On the BlackBerry UEM, do the following based on local site policy for device model restrictions. This procedure selects "allowed" models rather than "disallowed" models.
1. Log in to the BlackBerry UEM console.
2. Select the "Policies and profiles" tab on the left pane.
3. Under the "Policy" dropdown, select "Activation".
4. Select the Activation profile to be modified.
5. Select the pencil icon to edit the profile.
6. Select the "Settings" tab.
7. Select each supported operating system tab.
8. In the "Device model restrictions" field, use the drop-down menu to select "Allow selected device models".
9. Select the "edit" button in the "Allowed device models" field.
10. Using the pop-up menu, select the allowed model(s) and press the "->" arrow icon to add the selection to the "selected" window.
11. Once all models are selected, click "Save".
12. Repeat as applicable for other operating systems.
13. Click "Save".