BlackBerry Web Desktop Manager (BWDM) must be configured for CAC authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22058	WIR1095-01	SV-25495r2_rule	ECWN-1	Low

Description
The BWDM provides the capability for users to self provision their BlackBerry, and to synchronize the BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private Web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256 character AD password.

Description

The BWDM provides the capability for users to self provision their BlackBerry, and to synchronize the BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private Web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256 character AD password.

STIG	Date
BlackBerry Handheld Device Security Technical Implementation Guide	2011-07-14

Details

Check Text ( C-27007r2_chk )
Detailed Policy Requirement: If BES 5.0.1 or an earlier version is used, follow these instructions: -BlackBerry Web Desktop Manager can not be used. In this case only BlackBerry Desktop Manager can be used. Follow instructions found in USCYBERCOM IAVM Notice 2010-A-0132. If BES 5.0.2 or later is used, follow these instructions: -Follow instructions found in USCYBERCOM IAVM Notice 2010-A-0132. -If BWDM is used, it must be configured for CAC authentication on the BES (called Single Sign-On Authentication in the BES admin guide). Note: User authentication via CAC is supported in BES 5.0.2 and later. The user will not need to enter their CAC PIN because they have already authenticated to the network via CAC authentication, which is verified during the connection process to the BAS. Note: Neither BWDM or BlackBerry Desktop Manager is required, but if they are used on any desktops, they must meet the above requirements. Check Procedures: Determine the version of the BES being used to manage the BlackBerrys at the site. If BES 5.0.1 or earlier is used, verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed. Check a sample of Blackberry user PCs (3-4). If BES 5.0.2 is used, the site can use either BlackBerry Desktop Manager or BlackBerry Web Desktop Manager. Check a sample of BlackBerry user PCs (3-4). If BlackBerry Desktop Manager is used verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed. If BlackBerry Web Desktop Manager is used, no further action is required since the BES review will verify the BES has been configured for Single Sign-On Authentication.

Check Text ( C-27007r2_chk )

Detailed Policy Requirement:

If BES 5.0.1 or an earlier version is used, follow these instructions:

-BlackBerry Web Desktop Manager can not be used. In this case only BlackBerry Desktop Manager can be used. Follow instructions found in USCYBERCOM IAVM Notice 2010-A-0132.

If BES 5.0.2 or later is used, follow these instructions:

-Follow instructions found in USCYBERCOM IAVM Notice 2010-A-0132.

-If BWDM is used, it must be configured for CAC authentication on the BES (called Single Sign-On Authentication in the BES admin guide).

Note: User authentication via CAC is supported in BES 5.0.2 and later. The user will not need to enter their CAC PIN because they have already authenticated to the network via CAC authentication, which is verified during the connection process to the BAS.

Note: Neither BWDM or BlackBerry Desktop Manager is required, but if they are used on any desktops, they must meet the above requirements.

Check Procedures:

Determine the version of the BES being used to manage the BlackBerrys at the site.

If BES 5.0.1 or earlier is used, verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed. Check a sample of Blackberry user PCs (3-4).

If BES 5.0.2 is used, the site can use either BlackBerry Desktop Manager or BlackBerry Web Desktop Manager. Check a sample of BlackBerry user PCs (3-4). If BlackBerry Desktop Manager is used verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed. If BlackBerry Web Desktop Manager is used, no further action is required since the BES review will verify the BES has been configured for Single Sign-On Authentication.

Fix Text (F-23324r2_fix)
Configure BlackBerry Web Desktop Manager (BWDM) for CAC authentication, if used or use approved version of BlackBerry Desktop Manager.