{
  "id": 688,
  "benchmarkId": "Omnissa_WS1_UEM_Agent_STIG",
  "slug": "omnissa_ws1_uem_agent",
  "stigSlug": "omnissa_ws1_uem_agent",
  "versionStatus": "current",
  "status": "accepted",
  "statusDate": "2026-06-15T00:00:00.000Z",
  "title": "Omnissa WS1 UEM Agent Security Technical Implementation Guide",
  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
  "version": "V1R1",
  "vendor": null,
  "createdAt": "2026-07-11T12:27:52.398Z",
  "updatedAt": "2026-07-11T12:27:52.398Z",
  "groups": [
    {
      "id": 40857,
      "benchmarkId": 688,
      "groupId": "V-284237",
      "title": "SRG-APP-000089-UEM-100012",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284237r1223978_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-100350",
      "ruleTitle": "The Omnissa WS1 UEM Agent must be configured to enable the following function: \n\nRead audit logs of the managed endpoint device: Android.",
      "ruleVulnDiscussion": "Audit logs and alerts enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify when the security posture of the device is not as expected. This enables the UEM administrator to take an appropriate remedial action.\n\nSatisfies: FMT_SMF_EXT.4.1\nReference: PP-UEM-401005\n\nSatisfies: SRG-APP-000089-UEM-100012, SRG-APP-000358-UEM-100013",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000169",
      "ruleIdents": [
        "CCI-000169",
        "CCI-001851"
      ],
      "ruleFixText": "Configure the MDM Agent to enable the following function: \n\nRead audit logs of the MD.\n\nOn the MDM console, do the following:\n\n1. Authenticate to the Workspace ONE UEM console as the administrator.\n2. Navigate to Groups & Settings >> All Settings >> Devices & Users >> General >> Privacy. Enable \"Request Device Log\" in the privacy settings.\n3. Select \"Save\".",
      "ruleFixId": "F-88706r1211875_fix",
      "ruleCheckSystem": "C-88801r1211874_chk",
      "ruleCheckContent": "Review the MDM Agent documentation and configuration settings to determine if the following function is enabled: \n\nRead audit logs of the MD.\n\nThis validation procedure is performed on the MDM Administration Console.\n\nOn the MDM console, do the following:\n\n1. Authenticate to the Workspace ONE UEM console as the administrator.\n2. Navigate to Groups & Settings >> All Settings >> Devices & Users >> General >> Privacy. Enable \"Request Device Log\" in the privacy settings.\n\nIf \"Request Device Log\" is present, then no device log is being requested from the MD, and this is a finding.",
      "createdAt": "2026-07-11T12:27:52.441Z",
      "updatedAt": "2026-07-11T12:27:52.441Z"
    },
    {
      "id": 40858,
      "benchmarkId": 688,
      "groupId": "V-284246",
      "title": "SRG-APP-000516-UEM-100011",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284246r1223987_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-101300",
      "ruleTitle": "The Omnissa WS1 UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management:  \n\n- Prevent the unenrollment from occurring.\n- Wipe the device to factory default settings.\n- Wipe the work profile with all associated applications and data.",
      "ruleVulnDiscussion": "Access control of mobile devices to DoW sensitive information or access to DoW networks must be controlled so that DoW data will not be compromised. The primary method of access control of mobile devices is via enrollment of authorized mobile devices on the UEM server. Therefore, the UEM server must have the capability to enforce a policy for this control.\n\nSatisfies: FMT_UNR_EXT.1.1",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleIdents": [
        "CCI-000366"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator.\n\nNavigate to Groups & Settings >> All Settings >> Devices & Users >> Android >> Intelligent Hub Settings.\n\nFind \"Block User Unenrollment\" and choose \"Enabled\". Click \"Save\".\n\nNavigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Automated Device Enrollment.\n\nEdit the DEP profile and navigate to \"MDM features\". Choose \"Enabled\" for \"Lock MDM Profile\". Click \"Save\".",
      "ruleFixId": "F-88715r1211878_fix",
      "ruleCheckSystem": "C-88810r1211877_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator.\n\nNavigate to Groups & Settings >> All Settings >> Devices & Users >> Android >> Intelligent Hub Settings.\n\nIf \"Block User Unenrollment\" is not \"Enabled\", this is a finding.\n\nNavigate to Groups & Settings >> All Settings >> Devices & Users >> Apple >> Automated Device Enrollment.\n\nEdit the DEP profile and navigate to \"MDM features\". If \"Lock MDM Profile\" is not \"Enabled\", this is a finding.",
      "createdAt": "2026-07-11T12:27:52.441Z",
      "updatedAt": "2026-07-11T12:27:52.441Z"
    }
  ],
  "profiles": [
    {
      "id": 6125,
      "benchmarkId": 688,
      "profileId": "MAC-1_Classified",
      "title": "I - Mission Critical Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6126,
      "benchmarkId": 688,
      "profileId": "MAC-1_Public",
      "title": "I - Mission Critical Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6127,
      "benchmarkId": 688,
      "profileId": "MAC-1_Sensitive",
      "title": "I - Mission Critical Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6128,
      "benchmarkId": 688,
      "profileId": "MAC-2_Classified",
      "title": "II - Mission Support Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6129,
      "benchmarkId": 688,
      "profileId": "MAC-2_Public",
      "title": "II - Mission Support Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6130,
      "benchmarkId": 688,
      "profileId": "MAC-2_Sensitive",
      "title": "II - Mission Support Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6131,
      "benchmarkId": 688,
      "profileId": "MAC-3_Classified",
      "title": "III - Administrative Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6132,
      "benchmarkId": 688,
      "profileId": "MAC-3_Public",
      "title": "III - Administrative Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    },
    {
      "id": 6133,
      "benchmarkId": 688,
      "profileId": "MAC-3_Sensitive",
      "title": "III - Administrative Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:52.483Z",
      "updatedAt": "2026-07-11T12:27:52.483Z"
    }
  ]
}