An error occurred:

Check: BB10-3X-020290

BlackBerry OS 10.3.x STIG: BB10-3X-020290 (in versions v1 r4 through v1 r3)

Title

BlackBerry OS 10.3 must implement the management setting: Check certificate expiry for MDM connection. (Cat II impact)

Discussion

Without strong authentication of the MDM, the MDM agent may connect to a rogue MDM and the mobile device could then come under management control of the rogue MDM. This could lead to exposure of sensitive DoD data. SFR ID: FMT_SMF_EXT.1.1 #45

Check Content

Review BlackBerry OS 10.3 configuration settings to determine if the BlackBerry implements the management setting: Check certificate expiry for MDM connection. This procedure is performed on only on the BES console. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Scroll down to the “Security and privacy” group of IT policy rules. 6. Verify "Check certificate expiry for MDM connection" is selected. If the BES IT Policy rule "Check certificate expiry for MDM connection" is not selected, this is a finding.

Fix Text

On the BES 12, do the following: 1. Log into the BES 12 console and select the "POLICIES AND PROFILES” tab at the top of the screen. 2. Expand the “IT policies” tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the “Settings” and “BlackBerry” tabs. 5. Click the pencil icon (upper right corner) to edit the IT Policy. 6. Scroll down to the “Security and privacy” group of IT policy rules. 7. Select the check box next to the IT Policy "Check certificate expiry for MDM connection ". 8. Click "Save". Note: Procedures above are for BES 12 only. BES 10 procedures may be slightly different.

Additional Identifiers

Rule ID: SV-80247r1_rule

Vulnerability ID: V-65757

Group Title: PP-MDF-991000

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings