Check: BBDS-00-000300
Policy SRG: BBDS-00-000300 (in version v1 r1)
Title
The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users. (Cat II impact)
Discussion
Device authentication is a solution enabling an organization to manage both users and devices. This requirement applies to MDM servers that provide mobile device and user access to network shares, web servers, and other network resources located on the internal enclave (back-office servers, etc.). This connection bypasses user network authentication mechanisms (i.e., CAC authentication). Therefore, the MDM server must allow connections only to back-office network resources that support CAC authentication with the mobile device user. In this case, a trusted connection refers to mutual PKI-based authentication between the MDM server and the network server.
Check Content
Verify BDS has been configured to require trusted connections to push enclave application or web servers, using the following procedure.
- In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
- Click the instance that you want to change.
- On the "Instance information" tab, click "Edit instance."
- In the "Access control" section, verify "Push authentication" is set to Yes.

If BDS has not been configured to require trusted connections to push enclave application or web servers, this is a finding.
Fix Text
Configure the BlackBerry Device Service server to push content to BlackBerry devices.
Additional Identifiers
Rule ID:
Vulnerability ID: BBDS-00-000300
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000781 | The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |