BlackBerry Enterprise Service v10.1.x BlackBerry Device Service STIG


Overview

Date: 2014-10-06
Finding Count (51): CAT I (High): 12, CAT II (Med): 30, CAT III (Low): 9

STIG Description
Developed by Research In Motion Ltd. in coordination with DISA for use in the DoD.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-54981 High BlackBerry Device service 6.2 and BlackBerry Enterprise Service 10.1.x BlackBerry Device Service MDM servers that are no longer supported by the vendor for security updates must not be installed on a system.
V-38939 High The BlackBerry Device Service server must direct all Work Space application traffic through the BlackBerry Device Service server via centrally managed policy.
V-38935 High The BlackBerry Device Service server must disallow mobile device applications the ability to reset the Work Space lock timer via centrally managed policy.
V-38937 High The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud storage server via centrally managed policy.
V-38954 High BlackBerry accounts must not be assigned to the default IT policy on the BlackBerry Device Service server or any other non-STIG compliant IT policy.
V-38951 High The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.
V-39039 High The BlackBerry Device Service server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-39038 High The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-39031 High The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.
V-38965 High The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Enable or disable the transfer of any file-based data via Bluetooth.
V-38948 High The BlackBerry Device Service server must disable copying data from inside a non-secure data area on a mobile device into the security container via centrally managed policy.
V-39032 High The BlackBerry Device Service server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-39022 Medium The BlackBerry Device Service server must set the Work Space inactivity timeout to 15 minutes via centrally managed policy.
V-38959 Medium If the BlackBerry Device Service server includes a mobile email management capability, the email client S/MIME encryption algorithm must be 3DES or AES. When AES is used, AES-128 bit encryption key length is the minimum requirement; AES-256 is desired.
V-38952 Medium The BlackBerry Device Service server must deploy operating system and application updates via over-the-air (OTA) provisioning for managed mobile devices.
V-39018 Medium The BlackBerry Device Service server must enable a Work Space password length of eight or more characters via centrally managed policy.
V-38992 Medium BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
V-39013 Medium The BlackBerry Device Service server must enable a Work Space password via centrally managed policy.
V-39012 Medium The BlackBerry Device Service server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.
V-39015 Medium The BlackBerry Device Service server must set the number of numbers in the Work Space password to at least one via centrally managed policy.
V-39014 Medium The BlackBerry Device Service server must set the number of uppercase letters in the Work Space password to at least one via centrally managed policy.
V-40718 Medium The BlackBerry Device Service server must disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile via centrally managed policy.
V-39023 Medium The BlackBerry Device Service server must be configured to restrict the download of software within the Work Space to DoD-approved sources only (e.g., DoD-operated mobile device application store or BlackBerry Device Service server).
V-40719 Medium The BlackBerry Device Service server must disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile via centrally managed policy.
V-38966 Medium The BlackBerry Device Service server must enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits via centrally managed policy.
V-38967 Medium The BlackBerry Device Service server must enable Bluetooth 128-bit encryption via centrally managed policy.
V-38964 Medium The BlackBerry Device Service server must disable Bluetooth Discoverable Mode via centrally managed policy.
V-39036 Medium The BlackBerry Device Service server must support administrator authentication to the server via the Enterprise Authentication Mechanisms authentication.
V-39035 Medium The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users.
V-38940 Medium The BlackBerry Device Service server must disallow Personal Space applications access to the Work Space network connection via centrally managed policy.
V-38941 Medium The BlackBerry Device Service server must have the administrative functionality to disallow hyperlinks within Work Space applications from opening within the Personal Space browser application via centrally managed policy.
V-40727 Medium The BlackBerry Device Service server must disable the transfer of work messages using Bluetooth MAP via centrally managed policy.
V-40726 Medium The BlackBerry Device Service server must disable the transfer of work files using Bluetooth OPP via centrally managed policy.
V-40725 Medium The BlackBerry Device Service server must force the display of a warning banner on the lock screen of the mobile device via centrally managed policy.
V-40724 Medium The BlackBerry Device Service server must disable the mobile device user's access to BlackBerry World for Work Space and only allow access to apps published from BlackBerry Device Service.
V-40723 Medium The BlackBerry Device Service server must disable the Personal Area Networking Profile (PAN) Bluetooth profile via centrally managed policy.
V-40722 Medium The BlackBerry Device Service server must disable the Message Access Profile (MAP) Bluetooth profile via centrally managed policy.
V-40721 Medium The BlackBerry Device Service server must disable the Hands-Free Profile (HFP) Bluetooth profile via centrally managed policy.
V-40720 Medium The BlackBerry Device Service server must disable the Phone Book Access Profile (PBAP) Bluetooth profile via centrally managed policy.
V-39026 Medium BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform self-service tasks.
V-40729 Medium The BlackBerry Device Service server must disable the Bluetooth transfer of Work Space contacts via centrally managed policy.
V-40728 Medium The BlackBerry Device Service server must disable the transfer of work messages using Bluetooth MAP without a user prompt via centrally managed policy.
V-39028 Low The BlackBerry Device Service server must disallow any native applications pertaining to billing via centrally managed policy.
V-38943 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Set the number of allowed repeated characters in the mobile device unlock password.
V-38932 Low The BlackBerry Device Service server must enforce the minimum password length for the Personal Space password to 4 digits via centrally managed policy.
V-39037 Low The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
V-39029 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow any native applications pertaining to billing on a managed mobile device.
V-38949 Low The BlackBerry Device Service server must allow only Work Space contacts to be read from a native Personal Space application via centrally managed policy.
V-38946 Low The BlackBerry Device Service server must have the administrative functionality to centrally manage the following security policy rule on managed mobile devices: Disallow sequential numbers in the mobile device unlock password.
V-39027 Low BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform a backup or restore of the Work Space.
V-39040 Low The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.