
CylancePROTECT Mobile must be configured with the following Android security patch compliance and hardware certificate attestation controls: -"Android hardware attestation frequency" = 6 hours -"Device grace period" = 0 hours -"Challenge frequency for noncompliant devices" = 6 hours.


Overview

Finding ID: V-257267
Version: BBCP-00-013300
Rule ID: SV-257267r940014_rule
IA Controls: (none listed)
Severity: Medium
Description
The required application configurations will ensure that the minimum security baseline of the system is maintained to limit exposure of sensitive data and unauthorized access to the mobile device.
STIG Date
BlackBerry CylancePROTECT Mobile for UEM Security Technical Implementation Guide 2023-11-21

Details

Check Text (C-60951r940014_chk)
Verify the following Android security patch compliance and hardware certificate attestation controls are enabled for CylancePROTECT Mobile:
-"Android hardware attestation frequency" = 6 hours.
-"Device grace period" = 3 days (72 hours).
-"Challenge frequency for noncompliant devices" = 1 day (24 hours).

1. Log on to the BlackBerry UEM console.
2. In the management console, click Settings >> General Settings >> Attestation.
3. In the "Android hardware attestation frequency" section, verify "Enable hardware patch level attestation challenges for Android devices" is selected.
4. In the "Challenge frequency" drop-down list, verify the device attestation response is set to "1 day" (24 hours).
5. In the "Device grace period" drop-down list, verify the grace period is set to "3 days" (72 hours).
6. In the "Challenge frequency for noncompliant devices" field, verify that how often UEM tests the integrity of devices that are not currently in compliance is set to "6 hours".

If the required Android security patch compliance and hardware certificate attestation controls are not enabled, this is a finding.
Fix Text (F-60893r939250_fix)
Configure the following Android security patch compliance and hardware certificate attestation controls:
-"Android hardware attestation frequency" = 6 hours.
-"Device grace period" = 3 days (72 hours).
-"Challenge frequency for noncompliant devices" = 1 day (24 hours).

1. Log on to the BlackBerry UEM console.
2. In the management console, click Settings >> General Settings >> Attestation.
3. In the "Android hardware attestation frequency" section, select the "Enable hardware patch level attestation challenges for Android devices" checkbox.
4. In the "Challenge frequency" drop-down list, set how often the device must return an attestation response to "1 day" (24 hours).
5. In the "Device grace period" drop-down list, set the grace period to "3 days" (72 hours).
6. In the "Challenge frequency for noncompliant devices" field, set how often UEM tests the integrity of devices that are not currently in compliance to "6 hours".
7. Click "Save".