
The Workspace ONE UEM server must be configured to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication.


Overview

Finding ID: V-221644
Version: VMW1-00-000620
Rule ID: SV-221644r807444_rule
IA Controls: (none listed)
Severity: Medium
Description
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Workspace ONE UEM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Workspace ONE UEM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).
SFR ID: FIA
STIG: VMware Workspace ONE UEM Security Technical Implementation Guide
Date: 2021-11-04

Details

Check Text (C-23359r805063_chk)
Review the configuration steps necessary to leverage MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication:

On the Workspace ONE UEM console, complete the following procedure to ensure the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users and administrators can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server:

1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html".
2. Log in to the Workspace ONE UEM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under the "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under the "Server" tab, verify directory service connection information.
8. Under the "User" tab, verify User Group connection information.
9. Under the "Group" tab, verify Group connection information.
10. Choose "X" to close screen.
11. Choose "Groups and Settings".
12. Choose "All Settings".
13. Under "Devices and Users", choose "General".
14. Choose "Enrollment".
15. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected.

If on the Workspace ONE UEM server console "Directory" is not selected as the authentication mode, this is a finding.

If the MDM platform user authentication is not implemented via an enterprise directory service, this is a finding.

To verify administrators can only use directory services accounts:
16. Choose Accounts >> Administrators >> List View.
17. Review user types under the Admin Type heading. If any users have an Admin Type of "Basic", this is a finding.

To verify users can only use directory services accounts:
18. Choose Accounts >> Users >> List View.
If only a small number of user accounts are listed, it is recommended to use the following steps:
a. Under the "General Info" tab, click each username link to view the user's summary data.
b. Under "Type" in the "User Info" column, if "Basic" is listed, this is a finding.
c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined.

If a large number of user accounts are listed, it is recommended to use the following steps instead:
a. Choose the "Export" drop-down and select the format to be used for the export list.
b. An "Export List" pop-up window will appear with instructions on where to locate and examine the exported list of user accounts.
c. Examine the exported list. If any user accounts are denoted as "Basic" in the "Security Type" column, this is a finding.

Exception: One local "Emergency" account may remain.
Fix Text (F-23348r807443_fix)
Configure the Workspace ONE UEM server to leverage the MDM platform user and administrator accounts and groups for Workspace ONE UEM server user identification and authentication.

On the Workspace ONE UEM console, complete the following procedure to ensure that the Workspace ONE UEM (MDM) Server is configured to leverage an enterprise authentication mechanism, and that Workspace ONE UEM users can only use directory accounts to enroll into the Workspace ONE UEM (MDM) Server:

1. For Workspace ONE UEM server Platform configuration, refer to "https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Directory_Service_Integration/GUID-AWT-DIRECTORYSERVICESOVERVIEW.html".
2. Log in to the Workspace ONE UEM Administration console.
3. Choose "Groups and Settings".
4. Choose "All Settings".
5. Under the "System" heading, choose "Enterprise Integration".
6. Choose "Directory Services".
7. Under the "Server" tab, verify directory service connection information. If not set according to organizational rules, modify the directory service connection to the correct setting.
8. Under "User" tab, verify User Group connection information. If not set according to organizational rules, modify the User Group connection to the correct setting.
9. Under the "Group" tab, verify Group connection information. If not set according to organizational rules, modify the Group connection to the correct setting.
10. If any changes were made to Server, User, or Group settings, click "Save".
11. Choose "X" to close screen.
12. Choose "Groups and Settings".
13. Choose "All Settings".
14. Under "Devices and Users", choose "General".
15. Choose "Enrollment".
16. On the "Authentication Modes" setting, verify only the box titled "Directory" is selected. If "Directory" is unchecked, select it. If any other boxes are checked, uncheck them.
17. If any changes were made to "Authentication Modes" settings, click "Save".
18. Choose "X" to close the window.

To verify and remove any administrator accounts that are not Directory Service accounts:
19. Choose Accounts >> Administrators >> List View.
20. Review user types under the "Admin Type" heading and select all users, and only those users, with an Admin Type of "Basic". Do NOT select users with an Admin Type of "Directory". Selecting one or more users with the Basic Admin Type will cause the "More Actions" drop-down to appear.
21. From the More Actions drop-down select "Delete". This will result in an "Are you sure you want to delete this record?" pop-up box asking to confirm deletion of the selected account(s).
22. Click "OK" to delete the selected accounts.

To verify and remove user accounts that are not Directory Service accounts:
23. Choose Accounts >> Users >> List View.

If only a small number of user accounts are listed, it is recommended to use the following steps:
a. Under the "General Info" tab, click each username link to view the user's summary data.
b. Under "Type" in the "User Info" column, if "Basic" is listed, the user account must be removed. Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window.
c. Choose "List View" again to be presented with the list of user accounts and repeat steps a and b until the full set of user accounts has been examined.

If a large number of user accounts are listed, it is recommended to use the following steps instead:
a. Choose the "Export" drop-down and select the format to be used for the export list.
b. An "Export List" pop-up window will appear with instructions on where the exported list of user accounts is located.
c. Examine the exported list. If any user accounts are denoted as Basic in the "Security Type" column, the account must be deleted.
d. To delete a user account, click on the username link of the user account under "List View". Choose the "More" drop-down and select "Delete". A pop-up window will appear stating whether the user was successfully deleted. Click "OK" to close the window.
e. Choose "List View" again to be presented with the list of remaining user accounts and repeat step d until all user accounts with a Security Type of "Basic" have been deleted.

Exception: One local "Emergency" account may remain.
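For the large-tenant path in both the Check Text and the Fix Text (export the user list, then inspect the "Security Type" column), the review can be done offline against the exported file. The following is an added example, not part of the STIG or of VMware's tooling: it parses a constructed CSV export, lists every account whose Security Type is "Basic", and applies the one-local-Emergency-account exception to produce the deletion list. Only the "Security Type" column name comes from the page; the "Username" column, the other columns, the sample rows and the emergency account name are assumptions.

```python
import csv
import io

# Constructed sample export (not real tenant data). The STIG names only the
# "Security Type" column; the remaining column names are assumed here.
SAMPLE_EXPORT = """Username,Email,Security Type,Status
jdoe,jdoe@example.test,Directory,Active
asmith,asmith@example.test,Directory,Active
emergency-local,,Basic,Active
svc-legacy,svc@example.test,Basic,Active
"""


def basic_accounts(export_text, type_column="Security Type"):
    """Return usernames whose account type is Basic (case-insensitive).

    Raises ValueError if the export lacks the expected columns, so a
    mis-chosen export format is reported instead of silently passing.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    fields = reader.fieldnames or []
    if type_column not in fields or "Username" not in fields:
        raise ValueError("export lacks 'Username' or '%s' column" % type_column)
    return [row["Username"].strip() for row in reader
            if (row[type_column] or "").strip().lower() == "basic"]


def evaluate(export_text, emergency_account=None):
    """Apply the rule: any Basic account is a finding, except the single
    local Emergency account the STIG permits (name assumed, passed in).

    Returns (is_finding, accounts_to_delete).
    """
    basics = basic_accounts(export_text)
    to_delete = [u for u in basics if u != emergency_account]
    return bool(to_delete), to_delete


if __name__ == "__main__":
    finding, to_delete = evaluate(SAMPLE_EXPORT, emergency_account="emergency-local")
    print("finding:", finding)
    for name in to_delete:
        print("Basic account to remove:", name)
```

Running it on a real export means saving the "Export List" file as CSV and passing its contents as `export_text`; if more than one Basic account remains after the designated emergency account is excluded, the result is a finding.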