
VMware Workspace ONE UEM Security Technical Implementation Guide


Overview

Date: 2021-11-04
Finding count: 20 (CAT I (High): 7, CAT II (Med): 13, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Public)

Finding ID | Severity | Title
V-251264 | High | The Workspace ONE UEM must use multifactor authentication for local access to privileged accounts.
V-221646 | High | The Workspace ONE UEM server must be maintained at a supported version.
V-251259 | High | The Workspace ONE UEM local accounts password must be configured with length of 15 characters.
V-251263 | High | The Workspace ONE UEM must enforce the limit of three consecutive invalid logon attempts by a user.
V-251262 | High | The Workspace ONE UEM local accounts must prohibit password reuse for a minimum of five generations.
V-251261 | High | The Workspace ONE UEM local accounts must be configured with password maximum lifetime of 60 days.
V-251260 | High | The Workspace ONE UEM local accounts must be configured with at least one lowercase character, one uppercase character, one number, and one special character.
V-221637 | Medium | The Workspace ONE UEM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.
V-221650 | Medium | All Workspace ONE UEM server local accounts created during application installation and configuration must be disabled or removed.
V-221648 | Medium | The firewall protecting the Workspace ONE UEM server must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
V-221649 | Medium | The firewall protecting the Workspace ONE UEM server must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.)
V-221647 | Medium | The Workspace ONE UEM server must be protected by a DoD-approved firewall.
V-221644 | Medium | The Workspace ONE UEM server must be configured to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication.
V-221645 | Medium | Authentication of MDM platform accounts must be configured so they are implemented via an enterprise directory service.
V-221642 | Medium | The Workspace ONE UEM server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: query connectivity status; query the current version of the MD firmware/software; query the current version of installed mobile applications; read audit logs kept by the MD.
V-221643 | Medium | The Workspace ONE UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.
V-221640 | Medium | The Workspace ONE UEM server must be configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.
V-221641 | Medium | The Workspace ONE UEM server must be configured to display the required DoD warning banner upon administrator logon. Note: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).
V-221638 | Medium | The Workspace ONE UEM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Workspace ONE UEM server install).
V-221651 | Medium | The MDM Agent must be configured to enable the following function: [selection: read audit logs of the MD]. This requirement is inherently met if the function is automatically implemented during MDM Agent install/device enrollment.