{
  "id": 690,
  "benchmarkId": "Omnissa_WS1_UEM_Server_STIG",
  "slug": "omnissa_ws1_uem_server",
  "stigSlug": "omnissa_ws1_uem_server",
  "versionStatus": "current",
  "status": "accepted",
  "statusDate": "2026-06-15T00:00:00.000Z",
  "title": "Omnissa WS1 UEM Server Security Technical Implementation Guide",
  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
  "version": "V1R1",
  "vendor": null,
  "createdAt": "2026-07-11T12:27:53.950Z",
  "updatedAt": "2026-07-11T12:27:53.950Z",
  "groups": [
    {
      "id": 40861,
      "benchmarkId": 690,
      "groupId": "V-284249",
      "title": "SRG-APP-000001-UEM-000001",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284249r1223990_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-000100",
      "ruleTitle": "The Omnissa WS1 UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.",
      "ruleVulnDiscussion": "Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service (DoS) attacks. \n \nThis requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application.  \n \nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system.  \n \nSatisfies: FMT_SMF.1.1(2) b  \nReference: PP-MDM-431010",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000054",
      "ruleIdents": [
        "CCI-000054"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management. \n \nNext to \"Allow Multiple Sessions\", click \"Disabled\". Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88718r1211944_fix",
      "ruleCheckSystem": "C-88813r1211886_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management. \n \nIf \"Allow Multiple Sessions\" is not \"Disabled\", this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40862,
      "benchmarkId": 690,
      "groupId": "V-284251",
      "title": "SRG-APP-000003-UEM-000003",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284251r1223992_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-000300",
      "ruleTitle": "The Omnissa WS1 UEM server must initiate a session lock after a 15-minute period of inactivity.",
      "ruleVulnDiscussion": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. \n \nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead.  \n \nSatisfies: FMT_SMF.1.1(2) c.8  \nReference: PP-MDM-411047\n\nSatisfies: SRG-APP-000003-UEM-000003, SRG-APP-000295-UEM-000169",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000057",
      "ruleIdents": [
        "CCI-000057",
        "CCI-002361"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management. \n \nNext to \"Idle Session Timeout\" enter \"15\". Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88720r1211890_fix",
      "ruleCheckSystem": "C-88815r1211889_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Session Management.  \n\nIf \"Idle Session Timeout\" is not set to 15 minutes or less, this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40863,
      "benchmarkId": 690,
      "groupId": "V-284254",
      "title": "SRG-APP-000023-UEM-000012",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284254r1223995_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-000600",
      "ruleTitle": "The Omnissa WS1 UEM server must be configured to use a directory service for centralized account management.",
      "ruleVulnDiscussion": "Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.  \n \nA comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in noncentralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. \n \nThe application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. \n \nAccount management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.\n\nSatisfies: SRG-APP-000023-UEM-000012, SRG-APP-000025-UEM-000014, SRG-APP-000148-UEM-000082, SRG-APP-000149-UEM-000083, SRG-APP-000319-UEM-000192, SRG-APP-000345-UEM-000218, SRG-APP-000400-UEM-000271, SRG-APP-000153-UEM-000087, SRG-APP-000157-UEM-000091, SRG-APP-000401-UEM-000272",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000015",
      "ruleIdents": [
        "CCI-000015",
        "CCI-000017",
        "CCI-000764",
        "CCI-000765",
        "CCI-002130",
        "CCI-002238",
        "CCI-002007",
        "CCI-004045",
        "CCI-001941",
        "CCI-004068"
      ],
      "ruleFixText": "1. Set up directory service integration. \na. Authenticate to the Workspace ONE UEM console as an administrator. \nb. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Directory Services. Select \"Skip wizard and configure manually\". \nc. Under the \"Server\" tab, complete the directory service connection information. This will be site-specific. Consult Omnissa documentation for \"Directory Services Setup\" for details. \nd. Click \"Save\". \n\n2. Require that device enrollment only uses directory service authentication. \na. Navigate to Groups & Settings >> All Settings >> Devices and Users >> General >> Enrollment. \nb. Under the \"Authentication\" tab, find the \"Authentication Modes\" setting. \nc. Ensure that \"Directory\" is the one and only checked box. \nd. Click \"Save\". \n \n3. Remove all admin accounts that are not the \"break-glass\" account. \na. Navigate to Accounts >> Administrators >> List View. \nb. For each user with an \"Admin Type\" of \"Basic\" that is NOT the \"break-glass\" account, select the three vertical dots next to that user and then select \"Delete\". \nc. Click \"Delete\" when prompted to confirm. \n \n4. Remove all users that are not centrally managed by a directory service. \na. Navigate to Accounts >> Users >> List View. \nb. Click \"Layout\" and select \"Custom\". \nc. For each user with a \"Security Type\" of \"Basic\", select the checkbox next to the user. \nd. Click \"More Actions\", then click \"Delete\". \ne. To confirm, click \"Save\" when prompted.",
      "ruleFixId": "F-88723r1211953_fix",
      "ruleCheckSystem": "C-88818r1211929_chk",
      "ruleCheckContent": "1. Verify directory service integration. \na. Authenticate to the Workspace ONE UEM console as an administrator. \nb. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Directory Services. Select \"Skip wizard and configure manually\". \nc. Under the \"Server\" tab, verify directory service connection information. \n \nIf no valid directory service is configured, this is a finding. \n \nIn the bottom right, click \"Test Connection\". \n \nIf the test is not successful, this is a finding. \n \n2. Validate that device enrollment uses directory service authentication only. \na. Navigate to Groups & Settings >> All Settings >> Devices and Users >> General >> Enrollment. \nb. Under the \"Authentication\" tab, find the \"Authentication Modes\" setting. \n \nIf \"Directory\" is not the one and only checked box, this is a finding. \n \n3. Validate there is only one \"break-glass\" local admin configured. \na. Navigate to Accounts >> Administrators >> List View. \nb. Review account types under the \"Admin Type\" column. If any users have an \"Admin Type\" of \"Basic\", outside of a single \"break-glass\" admin, this is a finding. \n \n4. Validate that all users are centrally managed by a directory service. \na. Navigate to Accounts >> Users >> List View. \nb. Click \"Layout\" and select \"Custom\". \nc. Under the \"Security Type\" column, if any \"Basic\" accounts are listed, this is a finding.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40864,
      "benchmarkId": 690,
      "groupId": "V-284260",
      "title": "SRG-APP-000065-UEM-000036",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284260r1224001_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-001300",
      "ruleTitle": "The Omnissa WS1 UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.",
      "ruleVulnDiscussion": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.  \n \nSatisfies: FMT_SMF.1(2)b.  \nReference: PP-MDM-431028",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000044",
      "ruleIdents": [
        "CCI-000044"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nNext to \"Maximum invalid login attempts\", enter \"3\". Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88729r1211896_fix",
      "ruleCheckSystem": "C-88824r1211895_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nIf \"Maximum invalid login attempts\" is not set to \"3\", this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40865,
      "benchmarkId": 690,
      "groupId": "V-284275",
      "title": "SRG-APP-000108-UEM-000062",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284275r1224016_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-002900",
      "ruleTitle": "The UEM SRG must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.",
      "ruleVulnDiscussion": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.  \n \nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n \nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.  \n \nSatisfies: FAU_ALT_EXT.1.1  \nReference: PP-MDM-412059",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000139",
      "ruleIdents": [
        "CCI-000139"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \n1. Click the administrator's name in the top right to expose a drop-down menu. Select Manage Account Settings >> Notifications. \n2. Toggle the radio button for \"Console and Email\" next to \"Logging Server Failure\". \n3. Enter an email to send the alert to (typically the Security Operations Center [SOC] or group distro).  \n4. Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88744r1211957_fix",
      "ruleCheckSystem": "C-88839r1211956_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nClick the administrator's name in the top right to expose a drop-down menu. Select Manage Account Settings >> Notifications. \n \nIf the radio button for \"Logging Server Failure\" is not set to \"Console and Email\", this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40866,
      "benchmarkId": 690,
      "groupId": "V-284282",
      "title": "SRG-APP-000142-UEM-000080",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284282r1224025_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-003700",
      "ruleTitle": "The firewall protecting the Omnissa WS1 UEM server platform must be configured so only DoW-approved ports, protocols, and services are enabled. (Refer to the DoW Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoW-approved ports, protocols, and services).",
      "ruleVulnDiscussion": "All ports, protocols, and services used on DoW networks must be approved and registered via the DoW PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol, or service is configured on a DoW network and has been approved by proper DoW authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoW network, which could be exploited by an adversary.  \n \nSatisfies: FMT_SMF.1.1(2) Refinement b  \nReference: PP-MDM-431006",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000382",
      "ruleIdents": [
        "CCI-000382"
      ],
      "ruleFixText": "Install and configure a DoW-approved firewall to protect the network segment on which the Workspace ONE UEM server is installed.",
      "ruleFixId": "F-88751r1224024_fix",
      "ruleCheckSystem": "C-88846r1224023_chk",
      "ruleCheckContent": "Review the MDM server platform configuration to determine whether a DoW-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port and Internet Protocol (IP) address. \n \nIf there is not a host-based firewall present on the MDM server platform, or if it is not configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, this is a finding.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40867,
      "benchmarkId": 690,
      "groupId": "V-284284",
      "title": "SRG-APP-000149-UEM-000083",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284284r1224027_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-004020",
      "ruleTitle": "The Omnissa WS1 UEM server must be configured to require a One-Time Password (OTP) or Short Message Service (SMS) two-factor authentication for local accounts.",
      "ruleVulnDiscussion": "DoW sites may implement one \"break-glass\" WS1 UEM local account  for the purpose of server recovery. This account must use two-factor authentication to provide secure access control.  At the current time, WS1 UEM only supports OTP or SMS based authentication as the second authentication factor.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000765",
      "ruleIdents": [
        "CCI-000765"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \n1. Navigate to Accounts >> Administrators >> List View. \n2. For each account with an \"Admin Type\" of \"Basic\", click the three vertical dots next to the account name and select \"Edit\".  \n3. Click \"Next\" three times to reach the \"Settings\" page. \n4. Enable \"Two Factor Authentication\" and configure either email or SMS notification. \n5. Click \"Save\". \n \nNote: The OTP code will be sent to the email or mobile phone configured on the previous pages. Ensure they are configured correctly. \n \nNote: The only authorized local account is the \"break-glass\" account.",
      "ruleFixId": "F-88753r1211903_fix",
      "ruleCheckSystem": "C-88848r1211902_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \n1. Navigate to Accounts >> Administrators >> List View. \n2. For each account with an \"Admin Type\" of \"Basic\", click the three vertical dots next to the account name and select \"Edit\".   \n3. Click \"Next\" three times to reach the \"Settings\" page. \n \nIf \"Two Factor Authentication\" is not enabled, this is a finding. \n \nIf the account has the \"Read Only\" role and is used for automation such as compliance scanning, this is not applicable to that account.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40868,
      "benchmarkId": 690,
      "groupId": "V-284305",
      "title": "SRG-APP-000358-UEM-000228",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284305r1224048_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-006500",
      "ruleTitle": "The Omnissa WS1 UEM server must be configured to transfer Omnissa WS1 UEM server logs to another server for storage, analysis, and reporting. \n\nNote: Omnissa WS1 UEM server logs include logs of UEM events and logs transferred to the Omnissa WS1 UEM server by UEM agents of managed devices.",
      "ruleVulnDiscussion": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration. \n \nOff-loading is a common process in information systems with limited audit storage capacity. \n \nNote: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.  \n \nSatisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1)  \nReference: PP-MDM-411054\n\nSatisfies: SRG-APP-000358-UEM-000228, SRG-APP-000089-UEM-000050, SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000515-UEM-000390, SRG-APP-000291-UEM-000165, SRG-APP-000292-UEM-000166, SRG-APP-000293-UEM-000167, SRG-APP-000294-UEM-000168, SRG-APP-000320-UEM-000193",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001851",
      "ruleIdents": [
        "CCI-001851",
        "CCI-000169",
        "CCI-001348",
        "CCI-001294",
        "CCI-000015"
      ],
      "ruleFixText": "Configure the Workspace ONE UEM server to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. \n \nOn the MDM console, do the following:\n\n1. Authenticate to the Workspace ONE UEM console as the administrator. \n2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog. \n3. Set \"Syslog Integration\" to \"ENABLED\". \n4. Configure syslog server hostname, protocol, port, syslog facility, message tag, message content according to organizational standards. \n5. Click \"SAVE\". \n6. Verify changes save successfully and Workspace ONE UEM server can transfer audit logs to the new syslog server.",
      "ruleFixId": "F-88774r1211906_fix",
      "ruleCheckSystem": "C-88869r1211905_chk",
      "ruleCheckContent": "Review the Workspace ONE UEM server configuration settings and verify the server is configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. \n \nOn the MDM console, do the following:\n \n1. Authenticate to the Workspace ONE UEM console as the administrator. \n2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog. \n3. If \"Syslog Integration\" is set to \"DISABLED\", this is a finding. \n4. Examine the syslog configuration (server hostname, protocol, port, syslog facility, message tag, message content) for conformance with operational standards.  \n \nIf any are not set according to the standards, this is a finding. \n \nNote: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40869,
      "benchmarkId": 690,
      "groupId": "V-284306",
      "title": "SRG-APP-000374-UEM-000244",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284306r1224049_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-006600",
      "ruleTitle": "The Omnissa WS1 UEM server must be configured to record time stamps for audit records in Coordinated Universal Time (UTC).",
      "ruleVulnDiscussion": "If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. \n \nTime stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.  \n \nSatisfies: FAU_GEN.1.2(1)\nSatisfies: SRG-APP-000374-UEM-000244, SRG-APP-000375-UEM-000245",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001890",
      "ruleIdents": [
        "CCI-001890",
        "CCI-001889"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog. \n \nNext to \"Syslog Format\" select \"RFC-5424 Format\" from the drop-down menu. Click \"Save\".",
      "ruleFixId": "F-88775r1211961_fix",
      "ruleCheckSystem": "C-88870r1211908_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog. \n \nIf \"Syslog Format\" is not set to \"RFC-5424 Format\", this is a finding.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40870,
      "benchmarkId": 690,
      "groupId": "V-284320",
      "title": "SRG-APP-000472-UEM-000347",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284320r1224063_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-008200",
      "ruleTitle": "The Omnissa WS1 UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: \n\n- Query connectivity status.\n- Query the current version of the managed device firmware/software. \n- Query the current version of installed mobile applications. \n- Read audit logs kept by the managed device.",
      "ruleVulnDiscussion": "Without verification, security functions may not operate correctly and this failure may go unnoticed.  \n \nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. \n \nThis requirement applies to applications performing security functions and the applications performing security function verification/testing.  \n \nSatisfies: FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3  \nReference: PP-MDM-411057",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-002696",
      "ruleIdents": [
        "CCI-002696"
      ],
      "ruleFixText": "Configure the Workspace ONE UEM server with a periodicity for reachable events of six hours or less for the following commands to the agent: \n\n- Query connectivity status. \n- Query the current version of the MD firmware/software.\n- Query the current version of installed mobile applications. \n \nOn the MDM console, do the following: \n\n1. Authenticate to the Workspace ONE UEM console as the administrator. \n2. Navigate to Groups & Settings >> All Settings. \n3. Under the \"Devices & Users\" heading: \n \nFor Android, choose Android >> Intelligent Hub Settings. \n\na. To modify any settings, click \"Override\". \nb. Under the \"General\" heading, set \"Heartbeat Interval\" using the drop-down, if necessary. This setting handles querying of connectivity status and current version of mobile device firmware/software. \nc. Under the \"Application List\" heading, set the \"Application List Interval\", as necessary, to the appropriate number of minutes. There is no control for periodicity of reading audit logs. They are sent to the server automatically. \n \nFor iOS, choose Apple >> MDM Sample Schedule. \n\na. To modify any settings, click \"Override\". \nb. Set \"Device Information Sample\", as necessary, to the appropriate number of hours. This will control periodicity of both querying connectivity and querying the current version of mobile device firmware/software. \n\nQuerying of installed mobile applications is controlled by both \"Application List Sample\" and \"Managed App List Sample\" fields. \"Application List Sample\" requests all the apps on the device (managed and unmanaged), whereas \"Managed App List Sample\" only returns MDM installed apps. Both samples return app versions. \n\nThere is no control for periodicity of reading audit logs. They are sent to the server automatically. \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88789r1211964_fix",
      "ruleCheckSystem": "C-88884r1211963_chk",
      "ruleCheckContent": "Review the Workspace ONE UEM server for a periodicity for reachable events of six hours or less for the following commands to the agent:  \n\n- Query connectivity status.\n- Query the current version of the mobile device firmware/software.\n- Query the current version of installed mobile applications. \n\nOn the MDM console, do the following:\n \n1. Authenticate to the Workspace ONE UEM console as the administrator. \n2. Navigate to Groups & Settings >> All Settings. \n3. Under the \"Devices & Users\" heading: \n \nFor Android, choose Android >> Intelligent Hub Settings.\n\na. Under the \"General\" heading, if \"Heartbeat Interval\" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and current version of mobile device firmware/software. \nb. Under the \"Application List\" heading, if the \"Application List Interval\" is set to more than 360 minutes, this is a finding. This setting handles querying for the current version of installed mobile applications. \n \nFor iOS choose Apple >> MDM Sample Schedule.\n\na. If \"Device Information Sample\" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and current version of mobile device firmware/software. \nb. If \"Application List Sample\" and \"Managed App List Sample\" are set to more than six hours, this is a finding. This setting handles querying for the current version of installed mobile applications. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40871,
      "benchmarkId": 690,
      "groupId": "V-284349",
      "title": "SRG-APP-000164-UEM-000094",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284349r1224092_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-011400",
      "ruleTitle": "The Omnissa WS1 UEM server must enforce a minimum 15-character password length.",
      "ruleVulnDiscussion": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n \nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.  \n \nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.  \n \nSatisfies: FMT_SMF.1(2)b  \nReference: PP-MDM-431018",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004066",
      "ruleIdents": [
        "CCI-004066"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nConfigure \"Minimum Password Length\" to \"15\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88818r1211915_fix",
      "ruleCheckSystem": "C-88913r1211914_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nIf \"Minimum Password Length\" is not set to \"15\", this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40872,
      "benchmarkId": 690,
      "groupId": "V-284350",
      "title": "SRG-APP-000165-UEM-000095",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284350r1224093_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-011500",
      "ruleTitle": "The Omnissa WS1 UEM server must prohibit password reuse for a minimum of five generations.",
      "ruleVulnDiscussion": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.  \n \nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals.  \n \nIf the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.  \n \nSatisfies: FMT_SMF.1(2)b  \nReference: PP-MDM-431025",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004061",
      "ruleIdents": [
        "CCI-004061"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \n1. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n2. Configure \"Enforced password history\" to \"5 passwords remembered\". \n3. Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88819r1211918_fix",
      "ruleCheckSystem": "C-88914r1211917_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nIf \"Enforced password history\" is not set to \"5 passwords remembered\", this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40873,
      "benchmarkId": 690,
      "groupId": "V-284351",
      "title": "SRG-APP-000166-UEM-000096",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284351r1224094_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-011600",
      "ruleTitle": "The Omnissa WS1 UEM server must enforce password complexity by requiring at least one uppercase character to be used.",
      "ruleVulnDiscussion": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n \nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.  \n \nSatisfies: FMT_SMF.1(2)b  \nReference: PP-MDM-431020\n\nSatisfies: SRG-APP-000166-UEM-000096, SRG-APP-000167-UEM-000097, SRG-APP-000168-UEM-000098, SRG-APP-000169-UEM-000099",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004066",
      "ruleIdents": [
        "CCI-004066"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \n1. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n2. Configure \"Password complexity level\" to \"Mixed case, alphabetic, numeric and special characters\". \n3. Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88820r1211966_fix",
      "ruleCheckSystem": "C-88915r1211920_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nIf \"Password complexity level\" is not set to \"Mixed case, alphabetic, numeric and special characters\", this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40874,
      "benchmarkId": 690,
      "groupId": "V-284354",
      "title": "SRG-APP-000174-UEM-000104",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284354r1224097_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-012200",
      "ruleTitle": "The Omnissa WS1 UEM server must enforce a 60-day maximum password lifetime restriction.",
      "ruleVulnDiscussion": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.  \n \nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised.  \n \nThis requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.  \n \nSatisfies: FMT_SMF.1(2)b  \nReference: PP-MDM-431024",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004066",
      "ruleIdents": [
        "CCI-004066"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \n1. Navigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n2. Configure \"Password Expiration Period (days)\" to \"60\" or less. \n3. Click \"Save\". \n \nNote: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.",
      "ruleFixId": "F-88823r1211924_fix",
      "ruleCheckSystem": "C-88918r1211923_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Groups & Settings >> All Settings >> Admin >> Console Security >> Passwords. \n \nIf \"Password Expiration Period (days)\" is not set to \"60\" (or less), this is a finding. \n \nNote: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    },
    {
      "id": 40875,
      "benchmarkId": 690,
      "groupId": "V-284358",
      "title": "SRG-APP-000329-UEM-000202",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-284358r1224101_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "OMW1-00-013100",
      "ruleTitle": "The Omnissa WS1 UEM server must be configured to have at least one user in defined administrator roles.",
      "ruleVulnDiscussion": "Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations of which they may not understand or approve, which can weaken overall security and increase the risk of compromise. \n \nPre-Defined roles: \n\nSystem Administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS. \n \nAirWatch Administrator: The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings. \n \nDevice Manager: The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD)/Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), device-UEM interface hubs such as the Omnissa Workspace ONE Intelligent Hub, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator. \n \nRead Only: The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators but is ideal for compliance auditors or scanners.\n \nSatisfies: FMT_SMR.1.1(1)  \nReference: PP-MDM-411058",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleIdents": [
        "CCI-000366"
      ],
      "ruleFixText": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Accounts >> Administrators >> Admin Roles. \n \nFrom the Roles page, locate the following predefined roles: \n \n- AirWatch Administrator. \n- Device Manager.\n- Read Only.\n \nEnsure that at least one user exists in each group or the org-defined replacement roles. \n \nEnsure that the \"AirWatch Administrator\" and \"Device Manager\" roles are restricted to the smallest possible set of administrators following least privilege principles.",
      "ruleFixId": "F-88827r1211927_fix",
      "ruleCheckSystem": "C-88922r1211926_chk",
      "ruleCheckContent": "Authenticate to the Workspace ONE UEM console as an administrator. \n \nNavigate to Accounts >> Administrators >> Admin Roles. \n \nFrom the Roles page, locate the following predefined roles: \n \n- AirWatch Administrator.\n- Device Manager. \n- Read Only.\n \nIf any role above does not have at least one member, this is a finding. \n \nIf the \"AirWatch Administrator\" and \"Device Manager\" roles are not restricted to the smallest possible set of administrators following least privilege principles, this is a finding. \n \nIf any of these predefined roles were removed in favor of org-defined roles, ensure that these new roles duplicate the functionality of the default roles, as described in the discussion. If they do not, this is a finding.",
      "createdAt": "2026-07-11T12:27:53.996Z",
      "updatedAt": "2026-07-11T12:27:53.996Z"
    }
  ],
  "profiles": [
    {
      "id": 6143,
      "benchmarkId": 690,
      "profileId": "MAC-1_Classified",
      "title": "I - Mission Critical Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6144,
      "benchmarkId": 690,
      "profileId": "MAC-1_Public",
      "title": "I - Mission Critical Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6145,
      "benchmarkId": 690,
      "profileId": "MAC-1_Sensitive",
      "title": "I - Mission Critical Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6146,
      "benchmarkId": 690,
      "profileId": "MAC-2_Classified",
      "title": "II - Mission Support Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6147,
      "benchmarkId": 690,
      "profileId": "MAC-2_Public",
      "title": "II - Mission Support Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6148,
      "benchmarkId": 690,
      "profileId": "MAC-2_Sensitive",
      "title": "II - Mission Support Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6149,
      "benchmarkId": 690,
      "profileId": "MAC-3_Classified",
      "title": "III - Administrative Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6150,
      "benchmarkId": 690,
      "profileId": "MAC-3_Public",
      "title": "III - Administrative Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    },
    {
      "id": 6151,
      "benchmarkId": 690,
      "profileId": "MAC-3_Sensitive",
      "title": "III - Administrative Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:54.046Z",
      "updatedAt": "2026-07-11T12:27:54.046Z"
    }
  ]
}