CylancePROTECT Mobile must be configured with the following compliance actions when a hardware attestation failure occurs (Android only): -Prompt for compliance: Immediate enforcement action. -Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257269	BBCP-00-013500	SV-257269r918391_rule		Medium

Description
When a compliance failure is detected, compliance actions must be implemented immediately to limit exposure of sensitive data and unauthorized access to the mobile device.

STIG	Date
BlackBerry CylancePROTECT Mobile for UEM Security Technical Implementation Guide	2023-11-21

Details

Check Text ( C-60953r918389_chk )
Verify the following compliance actions when a hardware attestation failure occurs have been configured (Android only): -Prompt for compliance: Immediate enforcement action. -Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run. 1. Log on to the BlackBerry UEM console. 2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance. 3. Select the appropriate compliance profile (have the site system administrator identify the profile). 4. On the Android tab in the BlackBerry Protect section, verify the "Hardware attestation failed" box is checked. 5. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected. 6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected. If required compliance actions when a hardware attestation failure occurs have not been configured, this is a finding.

Check Text ( C-60953r918389_chk )

Verify the following compliance actions when a hardware attestation failure occurs have been configured (Android only):
-Prompt for compliance: Immediate enforcement action.
-Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Select the appropriate compliance profile (have the site system administrator identify the profile).
4. On the Android tab in the BlackBerry Protect section, verify the "Hardware attestation failed" box is checked.
5. In the "Prompt for compliance" drop-down list, verify "Immediate enforcement action" is selected.
6. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, verify "Do not allow BlackBerry Dynamics apps to run" is selected.

If required compliance actions when a hardware attestation failure occurs have not been configured, this is a finding.

Fix Text (F-60895r918390_fix)
Configure the following compliance actions when a hardware attestation failure occurs (Android only): -Prompt for compliance: Immediate enforcement action. -Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run. 1. Log on to the BlackBerry UEM console. 2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance. 3. Create a new compliance profile or select and edit an existing compliance profile. 4. On the Android tab in the BlackBerry Protect section, select the "Hardware attestation failed" check box. 5. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action". 6. Configure other prompt settings (method, count, and interval) as desired (no required selections). 7. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run". 8. Click "Add" or "Save". 9. Assign the profile to users and groups.

Fix Text (F-60895r918390_fix)

Configure the following compliance actions when a hardware attestation failure occurs (Android only):
-Prompt for compliance: Immediate enforcement action.
-Enforcement action for BlackBerry Dynamics apps: Do not allow BlackBerry Dynamics apps to run.

1. Log on to the BlackBerry UEM console.
2. In the management console on the menu bar, click Policies and profiles >> Compliance >> Compliance.
3. Create a new compliance profile or select and edit an existing compliance profile.
4. On the Android tab in the BlackBerry Protect section, select the "Hardware attestation failed" check box.
5. Configure the behavior prompt settings: Prompt for compliance: "Immediate enforcement action".
6. Configure other prompt settings (method, count, and interval) as desired (no required selections).
7. In the "Enforcement action for BlackBerry Dynamics apps" drop-down list, select "Do not allow BlackBerry Dynamics apps to run".
8. Click "Add" or "Save".
9. Assign the profile to users and groups.