Check: BBDS-00-002431
Policy SRG:
BBDS-00-002431
(in version v1 r1)
Title
The BlackBerry Device Service server must protect audit information on a managed mobile device from unauthorized distribution. (Cat III impact)
Discussion
Audit data is considered sensitive, and is intended to be read by the System Administrator only. Allowing non-administrators access to this data could expose vulnerabilities in the system.
Check Content
Review the BlackBerry Device Service server configuration to determine whether there is administrative functionality to protect audit information on a managed mobile device from unauthorized distribution.

The "Log Submission" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can generate log files and send them to the BlackBerry Technical Solution Center. If this rule is set to No, the device cannot generate and send log files to the BlackBerry Technical Solution Center.

The "Transfer Work Files Using Bluetooth OPP" rule on the BlackBerry Device Service server specifies whether a BlackBerry device can send work files and objects such as contacts to another Bluetooth-enabled or NFC-enabled device using the Bluetooth OPP.

IT policy rules can be specified per group or per user.

To add an IT policy to a group:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Group.
2. Click Manage groups.
3. Click the name of the group.
4. Click Edit group.
5. Click the Policies tab.
6. In the IT policy list, select the IT policy.
7. Click Save all.

To add an IT policy to a user account:
1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
2. Click Manage users.
3. Search for a user account.
4. In the search results, select the check box for the user account.
5. In the Add to user configuration list, click Set IT policy.
6. In the IT policy drop-down list, select the IT policy.
7. Click Save.

For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service, Version: 6.2 Administration Guide.

If the centrally managed BlackBerry Device Service server security policy has not been configured to protect audit information on a managed mobile device from unauthorized distribution, this is a finding.
Fix Text
Configure the centrally managed BlackBerry Device Service server security policy to protect audit information on a managed mobile device from unauthorized distribution.
Additional Identifiers
Rule ID:
Vulnerability ID: BBDS-00-002431
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000162 | Protect audit information from unauthorized access. |
Controls
Number | Title |
---|---|
AU-9 | Protection of Audit Information |