
BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Password Required” (Device Only policy group) is set to “Yes” or “True”


Overview

Finding ID Version Rule ID IA Controls Severity
V-3545 WIR1400-01 SV-3545r13_rule ECSC-1 High
Description
Authenticated device unlock is a key security control for the BlackBerry system to restrict access to DoD data by unauthorized individuals.
STIG Date
BlackBerry Enterprise Server, Part 3 Security Technical Implementation Guide 2011-04-11

Details

Check Text ( C-11522r7_chk )
This is a BES IT Policy check. Recommend that all checks related to BES IT policies be reviewed using the following procedure.

BES 5.0
(Follow steps 1-4 below)

1. Make a list of all IT Policies that have been assigned to BlackBerry user accounts. You can view the list of IT Policies set up on the BES as follows (do not list the default IT Policy) (Use Method #1 or Method #2 below):

Method #1
BAS > BlackBerry solution management box > Policy > Manage IT policies. Look at each IT policy listed under Manage IT policies to be checked.
- Click on the policy name.
- Click on “View users with IT policy.”
- Click Search. A list of all users assigned to the policy will be shown. For each policy that has users assigned to it, complete steps.

Method #2
- Launch and log into the BlackBerry Monitoring Service.
- On the monitoring menu, expand Reporting.
- Click Create custom report.
- Select the following fields for the report:
  o Select report type: User.
  o Report title: IT Policies on BES.
  o Select the following columns: “IT policy name” and “User name.”
  o Sort by “IT policy name.”
  o Report format: PDF recommended.
  o Generate report.

2. Check each “Required” IT Policy rule listed in Table 1, BlackBerry STIG Configuration Tables. (There are approximately 125 rules with required configuration settings.) Note all IT policy rules that have not been set correctly and the name of the IT policy you are currently reviewing. The name of each IT policy that has an IT policy rule not set correctly should be noted in VMS.

Note: Table 1 shows which Check STIG ID # should be marked as a finding for each IT policy rule not set correctly.

3. Repeat step 2 for each IT Policy that has users assigned to it.

4. In VMS, for each check with a finding, list the IT Policies that were found to be noncompliant.

BES 4.1.x
(Follow Steps 1-5 below):

1. Make a list of all IT Policies that have been assigned to BlackBerry user accounts. You can view the list of IT Policies set up on the BES as follows (do not list the default IT Policy):

- In BlackBerry Manager, click on BlackBerry Domain.
- Select the “All Users” tab.
- If “IT Policy Name” is not listed as one of the column headings, do the following:
  o Right click on the “Name” column heading.
  o In the “Column Chooser” dialog box, add “IT Policy Name” to the list of columns listed under the “Visible columns” window.
  o Move the “IT Policy Name” column up the list until it is listed immediately after the “Name” column.
  o Click “OK” to close the dialog box. The “IT Policy Name” column should now be shown.
- Click on the “IT Policy Name” column heading to sort the list of users by IT Policy.
- Make a list of all IT Policies assigned to users. Do not list the Default policy.

2. Pick one of the IT policies and verify the IT policy rule listed below is set as specified in Table 1. IT Policy settings can be checked as follows:

- In the BlackBerry Manager, click BlackBerry Domain (left pane).
- On the Global tab, click Edit Properties.
- Click IT Policy.
- In the IT Policy Administration section, double click IT Policies.
- Double-click an IT Policy to check.
- Click Properties.
- Select each policy group in turn, and check the setting of each rule in the policy group.

3. Check each “Required” IT Policy rule listed in Table 1. (There are approximately 110 rules with required configuration settings.) Note all IT policy rules that have not been set correctly (and the policy you are currently reviewing). Note: Table 1 shows which Check STIG ID # should be marked as a finding for each IT policy rule not set correctly.

4. Repeat steps 3 and 4 for each IT Policy that has users assigned to it.

5. In VMS, for each check with a finding, list the IT Policies that were found to be non-compliant.


***** For this check, verify IT Policy rule “Password Required” (Device Only policy group) is set as required.

Fix Text (F-23386r1_fix)
Configure the IT Policy rule as specified in the "Checks" block.
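
The review logic in the Check Text above (list the assigned policies, skip the default policy, check the rule, record the noncompliant policy names) can be tallied with a short script once the reviewer has transcribed the results. This is an added example, not part of the STIG or any BlackBerry tooling; the CSV layouts, the sample policy and user names, and the assumption that the default policy is named "Default" are all constructed for illustration.

```python
import csv
import io

FINDING_ID = "V-3545"
RULE = ("Device Only", "Password Required")  # (policy group, rule) from this check
COMPLIANT_VALUES = {"yes", "true"}

# Constructed sample data, transcribed by hand; this is NOT a BES export format.
ASSIGNMENTS_CSV = """IT policy name,User name
Default,svc-template
Field Officers,jdoe
Field Officers,asmith
Executives,bjones
Contractors,cwhite
"""
SETTINGS_CSV = """IT policy name,Policy group,Rule,Value
Default,Device Only,Password Required,No
Field Officers,Device Only,Password Required,Yes
Executives,Device Only,Password Required,No
Pilot (unused),Device Only,Password Required,No
"""

def policies_in_scope(assignments_csv):
    """Step 1: policies with at least one user, excluding the default policy."""
    rows = csv.DictReader(io.StringIO(assignments_csv))
    names = {r["IT policy name"].strip() for r in rows if r["User name"].strip()}
    # Assumption: the default IT policy is literally named "Default".
    return {n for n in names if n.lower() != "default"}

def noncompliant_policies(assignments_csv, settings_csv):
    """Remaining steps: in-scope policies whose rule value is wrong or missing."""
    recorded = {}
    for r in csv.DictReader(io.StringIO(settings_csv)):
        if (r["Policy group"].strip(), r["Rule"].strip()) == RULE:
            recorded[r["IT policy name"].strip()] = r["Value"].strip().lower()
    # Fail closed: an in-scope policy with no recorded value is reported,
    # not assumed compliant, so an unreviewed policy cannot pass silently.
    return sorted(
        p for p in policies_in_scope(assignments_csv)
        if recorded.get(p) not in COMPLIANT_VALUES
    )

if __name__ == "__main__":
    for policy in noncompliant_policies(ASSIGNMENTS_CSV, SETTINGS_CSV):
        print(f"{FINDING_ID}: IT policy '{policy}' is noncompliant")
```

The output is the list of policy names to record against this finding in VMS; policies with no assigned users are ignored, as in the manual procedure.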