
BlackBerry Enterprise Service v10.2.x BlackBerry Device Service STIG


Overview

Date: 2014-04-15
Finding Count (45): CAT I (High): 14, CAT II (Med): 27, CAT III (Low): 4
STIG Description
Developed by BlackBerry Ltd. in coordination with DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-48547 High The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Bluetooth MAP without prompt) via centrally managed policy.
V-48543 High The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth via centrally managed policy.
V-48583 High The BlackBerry Device Service server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-48581 High The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.
V-48607 High The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud storage server via centrally managed policy.
V-48609 High The BlackBerry Device Service server must direct all Work Space application traffic through the BlackBerry Device Service server via centrally managed policy.
V-48589 High The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
V-48503 High The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.
V-48555 High The BlackBerry Device Service server must disable the transfer of any file-based data via Near Field Communication (NFC) via centrally managed policy.
V-48545 High The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Bluetooth MAP) via centrally managed policy.
V-48549 High The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Transfer Work Contacts Using Bluetooth PBAP or HFP) via centrally managed policy.
V-48591 High The BlackBerry Device Service server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-48617 High The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud-based service via centrally managed policy.
V-48595 High The BlackBerry Device Service server must disable copying data from inside a non-secure data area on a mobile device into the security container via centrally managed policy.
V-48519 Medium The BlackBerry Device Service server must disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile via centrally managed policy.
V-48557 Medium The BlackBerry Device Service server must enable Bluetooth 128-bit encryption via centrally managed policy.
V-48553 Medium The BlackBerry Device Service server must enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits via centrally managed policy.
V-48577 Medium The BlackBerry Device Service server must be configured to prevent users from performing self-service tasks.
V-48513 Medium The BlackBerry Device Service server must enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy.
V-48509 Medium The BlackBerry Device Service server must bind removable storage media cards to the mobile device via centrally managed policy.
V-48517 Medium The BlackBerry Device Service server must disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile via centrally managed policy.
V-48603 Medium The BlackBerry Device Service server must disable the mobile device user's access to BlackBerry World for Work Space and only allow access to apps published from BlackBerry Device Service.
V-48587 Medium The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
V-48605 Medium The BlackBerry Device Service server must force the display of a warning banner on the lock screen of the mobile device via centrally managed policy.
V-48585 Medium The BlackBerry Device Service server must support administrator authentication to the server via the Enterprise Authentication Mechanisms authentication.
V-48525 Medium The BlackBerry Device Service server must disable the Hands-Free Profile (HFP) Bluetooth profile via centrally managed policy.
V-48527 Medium The BlackBerry Device Service server must disable the Message Access Profile (MAP) Bluetooth profile via centrally managed policy.
V-48523 Medium The BlackBerry Device Service server must disable the Phone Book Access Profile (PBAP) Bluetooth profile via centrally managed policy.
V-48561 Medium BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
V-48575 Medium The BlackBerry Device Service server must configure the Work Space to prohibit the download of software from a DoD non-approved source (e.g., a non-DoD operated mobile device application store or BlackBerry Device Service server).
V-48565 Medium The BlackBerry Device Service server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.
V-48567 Medium The BlackBerry Device Service server must enable a Work Space password via centrally managed policy.
V-48569 Medium The BlackBerry Device Service server must set the number of letters in the Work Space password to at least one via centrally managed policy.
V-48559 Medium The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users.
V-48571 Medium The BlackBerry Device Service server must enable a minimum Work Space password length of six or more characters via centrally managed policy.
V-48613 Medium The BlackBerry Device Service server must have the administrative functionality disallow hyperlinks within Work Space applications from opening within the Personal Space browser application via centrally managed policy.
V-48611 Medium The BlackBerry Device Service server must disallow Personal Space applications access to the Work Space network connection via centrally managed policy.
V-48529 Medium The BlackBerry Device Service server must disable the Personal Area Networking Profile (PAN) Bluetooth profile via centrally managed policy.
V-48531 Medium The BlackBerry Device Service server must disable the Hands-Free Profile (SPP) Bluetooth profile via centrally managed policy.
V-48537 Medium The BlackBerry Device Service server must disable Bluetooth Discoverable Mode via centrally managed policy.
V-48573 Medium The BlackBerry Device Service server must set the Work Space inactivity timeout to 15 minutes via centrally managed policy.
V-48601 Low The BlackBerry Device Service server must enforce the minimum password length for the Personal Space password to 4 digits via centrally managed policy.
V-48579 Low BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform a user-initiated backup or restore.
V-48593 Low The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate.
V-48599 Low The BlackBerry Device Service server must allow only Work Space contacts to be read from a native Personal Space application via centrally managed policy.