
The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users.


Overview

Finding ID: V-39035
Version: BBDS-00-000300
Rule ID: SV-50840r2_rule
IA Controls:
Severity: Medium
Description
Device authentication is a solution enabling an organization to manage both users and devices. This requirement applies to MDM servers that provide mobile device and user access to network shares, web servers, and other network resources located on the internal enclave (back-office servers, etc.). This connection bypasses user network authentication mechanisms (i.e., CAC authentication). Therefore, the MDM server must allow connections only to back-office network resources that support CAC authentication with the mobile device user. In this case, a trusted connection refers to mutual PKI-based authentication between the MDM server and the network server.
STIG Date
BlackBerry Enterprise Service v10.1.x BlackBerry Device Service STIG 2014-10-06

Details

Check Text (C-46478r4_chk)
Verify the site has configured the BDS to require trusted connections to push enclave applications or web servers, using the following procedure.

Log in to BlackBerry Administration Service, and under "Servers and components" on the left side of the screen, navigate to "BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service > ".
- On the "Instance information" tab, click "Edit instance".
- In the "Access control" section, verify "Push authentication:" is set to "Yes".

If not set as required, this is a finding.
Fix Text (F-43991r1_fix)
Configure the BlackBerry Device Service server to push content to BlackBerry devices.