Title

The BlackBerry Device Service server must provide the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. (Cat II impact)

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the MDM. In these cases, the ability for users to remove the application is needed as to ensure proper secure operations of the device.

Check Content

Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user. If this function is not present, this is a finding. Application lists can be created for installation on the mobile devices. The applications can be identified as "Optional" or "Required". If an application is identified as "Required", it must be installed on the device, and cannot be removed by the user. Create a software configuration: 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Create a software configuration. 3. In the Configuration information section, in the Name field, type a name for the software configuration. 4. Click Save. Add an app to a software configuration: You must add an app to a software configuration to send the app to BlackBerry devices. If you want to upgrade an app, you must add the new version of the app to the appropriate software configuration. 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Software. 2. Click Manage software configurations. 3. Click the software configuration that you want to add an app to. 4. Click Edit software configuration. 5. On the Applications tab, click Add applications to software configuration. 6. Search for the app that you want to add to the software configuration. 7. In the search results, select an app that you want to add to the software configuration. 8. For apps in the applications repository, in the Disposition drop-down list for the app, perform one of the following actions: * To install the app automatically on devices, and to prevent users from removing the app, select Required. * To permit users to install and remove the app, and to add the app to the Work tab in the BlackBerry World storefront, select Optional. 9. Repeat steps 6 to 8 for each app that you want to add to the software configuration. 10. Click Add to software configuration. 11. Click Save all. See the "Managing app availability on devices" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2 Administration Guide for further details and other available options.

Fix Text

Configure the BlackBerry Device Service server so it has the administrative functionality to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

Additional Identifiers

Rule ID:

Vulnerability ID: BBDS-00-000280

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.