<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="Omnissa_WS1_UEM_Server_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2026-06-15">accepted</status><title>Omnissa WS1 UEM Server Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 26 May 2026</plain-text><plain-text id="generator">3.5.2</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-284249" selected="true" /><select idref="V-284251" selected="true" /><select idref="V-284254" selected="true" /><select idref="V-284260" selected="true" /><select idref="V-284275" selected="true" /><select idref="V-284282" selected="true" /><select idref="V-284284" selected="true" /><select idref="V-284305" selected="true" /><select idref="V-284306" selected="true" /><select idref="V-284320" selected="true" /><select idref="V-284349" selected="true" /><select idref="V-284350" selected="true" /><select idref="V-284351" selected="true" /><select idref="V-284354" selected="true" /><select idref="V-284358" selected="true" /></Profile><Group id="V-284249"><title>SRG-APP-000001-UEM-000001</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284249r1223990_rule" weight="10.0" severity="medium"><version>OMW1-00-000100</version><title>The Omnissa WS1 UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.</title><description>&lt;VulnDiscussion&gt;Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service (DoS) attacks. 
 
This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application.  
 
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system.  
 
Satisfies: FMT_SMF.1.1(2) b  
Reference: PP-MDM-431010&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000054</ident><fixtext fixref="F-88718r1211944_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Session Management. 
 
Next to "Allow Multiple Sessions", click "Disabled". Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88718r1211944_fix" /><check system="C-88813r1211886_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Session Management. 
 
If "Allow Multiple Sessions" is not "Disabled", this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284251"><title>SRG-APP-000003-UEM-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284251r1223992_rule" weight="10.0" severity="medium"><version>OMW1-00-000300</version><title>The Omnissa WS1 UEM server must initiate a session lock after a 15-minute period of inactivity.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. 
 
The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead.  
 
Satisfies: FMT_SMF.1.1(2) c.8  
Reference: PP-MDM-411047

Satisfies: SRG-APP-000003-UEM-000003, SRG-APP-000295-UEM-000169&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-88720r1211890_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Session Management. 
 
Next to "Idle Session Timeout" enter "15". Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88720r1211890_fix" /><check system="C-88815r1211889_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Session Management.  

If "Idle Session Timeout" is not set to 15 minutes or less, this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284254"><title>SRG-APP-000023-UEM-000012</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284254r1223995_rule" weight="10.0" severity="medium"><version>OMW1-00-000600</version><title>The Omnissa WS1 UEM server must be configured to use a directory service for centralized account management.</title><description>&lt;VulnDiscussion&gt;Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.  
 
A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in noncentralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. 
 
The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. 
 
Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.

Satisfies: SRG-APP-000023-UEM-000012, SRG-APP-000025-UEM-000014, SRG-APP-000148-UEM-000082, SRG-APP-000149-UEM-000083, SRG-APP-000319-UEM-000192, SRG-APP-000345-UEM-000218, SRG-APP-000400-UEM-000271, SRG-APP-000153-UEM-000087, SRG-APP-000157-UEM-000091, SRG-APP-000401-UEM-000272&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><ident system="http://cyber.mil/cci">CCI-000017</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><ident system="http://cyber.mil/cci">CCI-000765</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><ident system="http://cyber.mil/cci">CCI-002007</ident><ident system="http://cyber.mil/cci">CCI-004045</ident><ident system="http://cyber.mil/cci">CCI-001941</ident><ident system="http://cyber.mil/cci">CCI-004068</ident><fixtext fixref="F-88723r1211953_fix">1. Set up directory service integration. 
a. Authenticate to the Workspace ONE UEM console as an administrator. 
b. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; System &gt;&gt; Enterprise Integration &gt;&gt; Directory Services. Select "Skip wizard and configure manually". 
c. Under the "Server" tab, complete the directory service connection information. This will be site-specific. Consult Omnissa documentation for "Directory Services Setup" for details. 
d. Click "Save". 

2. Require that device enrollment only uses directory service authentication. 
a. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Devices and Users &gt;&gt; General &gt;&gt; Enrollment. 
b. Under the "Authentication" tab, find the "Authentication Modes" setting. 
c. Ensure that "Directory" is the one and only checked box. 
d. Click "Save". 
 
3. Remove all admin accounts that are not the "break-glass" account. 
a. Navigate to Accounts &gt;&gt; Administrators &gt;&gt; List View. 
b. For each user with an "Admin Type" of "Basic" that is NOT the "break-glass" account, select the three vertical dots next to that user and then select "Delete". 
c. Click "Delete" when prompted to confirm. 
 
4. Remove all users that are not centrally managed by a directory service. 
a. Navigate to Accounts &gt;&gt; Users &gt;&gt; List View. 
b. Click "Layout" and select "Custom". 
c. For each user with a "Security Type" of "Basic", select the checkbox next to the user. 
d. Click "More Actions", then click "Delete". 
e. To confirm, click "Save" when prompted.</fixtext><fix id="F-88723r1211953_fix" /><check system="C-88818r1211929_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>1. Verify directory service integration. 
a. Authenticate to the Workspace ONE UEM console as an administrator. 
b. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; System &gt;&gt; Enterprise Integration &gt;&gt; Directory Services. Select "Skip wizard and configure manually". 
c. Under the "Server" tab, verify directory service connection information. 
 
If no valid directory service is configured, this is a finding. 
 
In the bottom right, click "Test Connection". 
 
If the test is not successful, this is a finding. 
 
2. Validate that device enrollment uses directory service authentication only. 
a. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Devices and Users &gt;&gt; General &gt;&gt; Enrollment. 
b. Under the "Authentication" tab, find the "Authentication Modes" setting. 
 
If "Directory" is not the one and only checked box, this is a finding. 
 
3. Validate there is only one "break-glass" local admin configured. 
a. Navigate to Accounts &gt;&gt; Administrators &gt;&gt; List View. 
b. Review account types under the "Admin Type" column. If any users have an "Admin Type" of "Basic", outside of a single "break-glass" admin, this is a finding. 
 
4. Validate that all users are centrally managed by a directory service. 
a. Navigate to Accounts &gt;&gt; Users &gt;&gt; List View. 
b. Click "Layout" and select "Custom". 
c. Under the "Security Type" column, if any "Basic" accounts are listed, this is a finding.</check-content></check></Rule></Group><Group id="V-284260"><title>SRG-APP-000065-UEM-000036</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284260r1224001_rule" weight="10.0" severity="medium"><version>OMW1-00-001300</version><title>The Omnissa WS1 UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.  
 
Satisfies: FMT_SMF.1(2)b.  
Reference: PP-MDM-431028&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-88729r1211896_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
Next to "Maximum invalid login attempts", enter "3". Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88729r1211896_fix" /><check system="C-88824r1211895_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
If "Maximum invalid login attempts" is not set to "3", this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284275"><title>SRG-APP-000108-UEM-000062</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284275r1224016_rule" weight="10.0" severity="medium"><version>OMW1-00-002900</version><title>The UEM SRG must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.  
 
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. 
 
This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.  
 
Satisfies: FAU_ALT_EXT.1.1  
Reference: PP-MDM-412059&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000139</ident><fixtext fixref="F-88744r1211957_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
1. Click the administrator's name in the top right to expose a drop-down menu. Select Manage Account Settings &gt;&gt; Notifications. 
2. Toggle the radio button for "Console and Email" next to "Logging Server Failure". 
3. Enter an email to send the alert to (typically the Security Operations Center [SOC] or group distro).  
4. Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88744r1211957_fix" /><check system="C-88839r1211956_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Click the administrator's name in the top right to expose a drop-down menu. Select Manage Account Settings &gt;&gt; Notifications. 
 
If the radio button for "Logging Server Failure" is not set to "Console and Email", this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284282"><title>SRG-APP-000142-UEM-000080</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284282r1224025_rule" weight="10.0" severity="medium"><version>OMW1-00-003700</version><title>The firewall protecting the Omnissa WS1 UEM server platform must be configured so only DoW-approved ports, protocols, and services are enabled. (Refer to the DoW Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoW-approved ports, protocols, and services).</title><description>&lt;VulnDiscussion&gt;All ports, protocols, and services used on DoW networks must be approved and registered via the DoW PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol, or service is configured on a DoW network and has been approved by proper DoW authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoW network, which could be exploited by an adversary.  
 
Satisfies: FMT_SMF.1.1(2) Refinement b  
Reference: PP-MDM-431006&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000382</ident><fixtext fixref="F-88751r1224024_fix">Install and configure a DoW-approved firewall to protect the network segment on which the Workspace ONE UEM server is installed.</fixtext><fix id="F-88751r1224024_fix" /><check system="C-88846r1224023_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Review the MDM server platform configuration to determine whether a DoW-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port and Internet Protocol (IP) address. 
 
If there is not a host-based firewall present on the MDM server platform, or if it is not configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, this is a finding.</check-content></check></Rule></Group><Group id="V-284284"><title>SRG-APP-000149-UEM-000083</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284284r1224027_rule" weight="10.0" severity="medium"><version>OMW1-00-004020</version><title>The Omnissa WS1 UEM server must be configured to require a One-Time Password (OTP) or Short Message Service (SMS) two-factor authentication for local accounts.</title><description>&lt;VulnDiscussion&gt;DoW sites may implement one "break-glass" WS1 UEM local account  for the purpose of server recovery. This account must use two-factor authentication to provide secure access control.  At the current time, WS1 UEM only supports OTP or SMS based authentication as the second authentication factor.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000765</ident><fixtext fixref="F-88753r1211903_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
1. Navigate to Accounts &gt;&gt; Administrators &gt;&gt; List View. 
2. For each account with an "Admin Type" of "Basic", click the three vertical dots next to the account name and select "Edit".  
3. Click "Next" three times to reach the "Settings" page. 
4. Enable "Two Factor Authentication" and configure either email or SMS notification. 
5. Click "Save". 
 
Note: The OTP code will be sent to the email or mobile phone configured on the previous pages. Ensure they are configured correctly. 
 
Note: The only authorized local account is the "break-glass" account.</fixtext><fix id="F-88753r1211903_fix" /><check system="C-88848r1211902_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
1. Navigate to Accounts &gt;&gt; Administrators &gt;&gt; List View. 
2. For each account with an "Admin Type" of "Basic", click the three vertical dots next to the account name and select "Edit".   
3. Click "Next" three times to reach the "Settings" page. 
 
If "Two Factor Authentication" is not enabled, this is a finding. 
 
If the account has the "Read Only" role and is used for automation such as compliance scanning, this is not applicable to that account.</check-content></check></Rule></Group><Group id="V-284305"><title>SRG-APP-000358-UEM-000228</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284305r1224048_rule" weight="10.0" severity="medium"><version>OMW1-00-006500</version><title>The Omnissa WS1 UEM server must be configured to transfer Omnissa WS1 UEM server logs to another server for storage, analysis, and reporting. 

Note: Omnissa WS1 UEM server logs include logs of UEM events and logs transferred to the Omnissa WS1 UEM server by UEM agents of managed devices.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
 
Off-loading is a common process in information systems with limited audit storage capacity. 
 
Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.  
 
Satisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1)  
Reference: PP-MDM-411054

Satisfies: SRG-APP-000358-UEM-000228, SRG-APP-000089-UEM-000050, SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000515-UEM-000390, SRG-APP-000291-UEM-000165, SRG-APP-000292-UEM-000166, SRG-APP-000293-UEM-000167, SRG-APP-000294-UEM-000168, SRG-APP-000320-UEM-000193&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001851</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><ident system="http://cyber.mil/cci">CCI-001348</ident><ident system="http://cyber.mil/cci">CCI-001294</ident><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-88774r1211906_fix">Configure the Workspace ONE UEM server to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. 
 
On the MDM console, do the following:

1. Authenticate to the Workspace ONE UEM console as the administrator. 
2. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; System &gt;&gt; Enterprise Integration &gt;&gt; Syslog. 
3. Set "Syslog Integration" to "ENABLED". 
4. Configure syslog server hostname, protocol, port, syslog facility, message tag, message content according to organizational standards. 
5. Click "SAVE". 
6. Verify changes save successfully and Workspace ONE UEM server can transfer audit logs to the new syslog server.</fixtext><fix id="F-88774r1211906_fix" /><check system="C-88869r1211905_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Review the Workspace ONE UEM server configuration settings and verify the server is configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. 
 
On the MDM console, do the following:
 
1. Authenticate to the Workspace ONE UEM console as the administrator. 
2. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; System &gt;&gt; Enterprise Integration &gt;&gt; Syslog. 
3. If "Syslog Integration" is set to "DISABLED", this is a finding. 
4. Examine the syslog configuration (server hostname, protocol, port, syslog facility, message tag, message content) for conformance with operational standards.  
 
If any are not set according to the standards, this is a finding. 
 
Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.</check-content></check></Rule></Group><Group id="V-284306"><title>SRG-APP-000374-UEM-000244</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284306r1224049_rule" weight="10.0" severity="medium"><version>OMW1-00-006600</version><title>The Omnissa WS1 UEM server must be configured to record time stamps for audit records in Coordinated Universal Time (UTC).</title><description>&lt;VulnDiscussion&gt;If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. 
 
Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.  
 
Satisfies: FAU_GEN.1.2(1)
Satisfies: SRG-APP-000374-UEM-000244, SRG-APP-000375-UEM-000245&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001890</ident><ident system="http://cyber.mil/cci">CCI-001889</ident><fixtext fixref="F-88775r1211961_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; System &gt;&gt; Enterprise Integration &gt;&gt; Syslog. 
 
Next to "Syslog Format" select "RFC-5424 Format" from the drop-down menu. Click "Save".</fixtext><fix id="F-88775r1211961_fix" /><check system="C-88870r1211908_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; System &gt;&gt; Enterprise Integration &gt;&gt; Syslog. 
 
If "Syslog Format" is not set to "RFC-5424 Format", this is a finding.</check-content></check></Rule></Group><Group id="V-284320"><title>SRG-APP-000472-UEM-000347</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284320r1224063_rule" weight="10.0" severity="medium"><version>OMW1-00-008200</version><title>The Omnissa WS1 UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: 

- Query connectivity status.
- Query the current version of the managed device firmware/software. 
- Query the current version of installed mobile applications. 
- Read audit logs kept by the managed device.</title><description>&lt;VulnDiscussion&gt;Without verification, security functions may not operate correctly and this failure may go unnoticed.  
 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
 
This requirement applies to applications performing security functions and the applications performing security function verification/testing.  
 
Satisfies: FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3  
Reference: PP-MDM-411057&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002696</ident><fixtext fixref="F-88789r1211964_fix">Configure the Workspace ONE UEM server with a periodicity for reachable events of six hours or less for the following commands to the agent: 

- Query connectivity status. 
- Query the current version of the MD firmware/software.
- Query the current version of installed mobile applications. 
 
On the MDM console, do the following: 

1. Authenticate to the Workspace ONE UEM console as the administrator. 
2. Navigate to Groups &amp; Settings &gt;&gt; All Settings. 
3. Under the "Devices &amp; Users" heading: 
 
For Android, choose Android &gt;&gt; Intelligent Hub Settings. 

a. To modify any settings, click "Override". 
b. Under the "General" heading, set "Heartbeat Interval" using the drop-down, if necessary. This setting handles querying of connectivity status and current version of mobile device firmware/software. 
c. Under the "Application List" heading, set the "Application List Interval", as necessary, to the appropriate number of minutes. There is no control for periodicity of reading audit logs. They are sent to the server automatically. 
 
For iOS, choose Apple &gt;&gt; MDM Sample Schedule. 

a. To modify any settings, click "Override". 
b. Set "Device Information Sample", as necessary, to the appropriate number of hours. This will control periodicity of both querying connectivity and querying the current version of mobile device firmware/software. 

Querying of installed mobile applications is controlled by both "Application List Sample" and "Managed App List Sample" fields. "Application List Sample" requests all the apps on the device (managed and unmanaged), whereas "Managed App List Sample" only returns MDM installed apps. Both samples return app versions. 

There is no control for periodicity of reading audit logs. They are sent to the server automatically. 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88789r1211964_fix" /><check system="C-88884r1211963_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Review the Workspace ONE UEM server for a periodicity for reachable events of six hours or less for the following commands to the agent:  

- Query connectivity status.
- Query the current version of the mobile device firmware/software.
- Query the current version of installed mobile applications. 

On the MDM console, do the following:
 
1. Authenticate to the Workspace ONE UEM console as the administrator. 
2. Navigate to Groups &amp; Settings &gt;&gt; All Settings. 
3. Under the "Devices &amp; Users" heading: 
 
For Android, choose Android &gt;&gt; Intelligent Hub Settings.

a. Under the "General" heading, if "Heartbeat Interval" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and current version of mobile device firmware/software. 
b. Under the "Application List" heading, if the "Application List Interval" is set to more than 360 minutes, this is a finding. This setting handles querying for the current version of installed mobile applications. 
 
For iOS choose Apple &gt;&gt; MDM Sample Schedule.

a. If "Device Information Sample" is set to more than six hours, this is a finding. This setting handles querying of connectivity status and current version of mobile device firmware/software. 
b. If "Application List Sample" and "Managed App List Sample" are set to more than six hours, this is a finding. This setting handles querying for the current version of installed mobile applications. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284349"><title>SRG-APP-000164-UEM-000094</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284349r1224092_rule" weight="10.0" severity="medium"><version>OMW1-00-011400</version><title>The Omnissa WS1 UEM server must enforce a minimum 15-character password length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.  
 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.  
 
Satisfies: FMT_SMF.1(2)b  
Reference: PP-MDM-431018&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88818r1211915_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
Configure "Minimum Password Length" to "15". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88818r1211915_fix" /><check system="C-88913r1211914_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
If "Minimum Password Length" is not set to "15", this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284350"><title>SRG-APP-000165-UEM-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284350r1224093_rule" weight="10.0" severity="medium"><version>OMW1-00-011500</version><title>The Omnissa WS1 UEM server must prohibit password reuse for a minimum of five generations.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.  
 
To meet password policy requirements, passwords need to be changed at specific policy-based intervals.  
 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.  
 
Satisfies: FMT_SMF.1(2)b  
Reference: PP-MDM-431025&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004061</ident><fixtext fixref="F-88819r1211918_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
1. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
2. Configure "Enforced password history" to "5 passwords remembered". 
3. Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88819r1211918_fix" /><check system="C-88914r1211917_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
If "Enforced password history" is not set to "5 passwords remembered", this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284351"><title>SRG-APP-000166-UEM-000096</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284351r1224094_rule" weight="10.0" severity="medium"><version>OMW1-00-011600</version><title>The Omnissa WS1 UEM server must enforce password complexity by requiring at least one uppercase character to be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
 
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.  
 
Satisfies: FMT_SMF.1(2)b  
Reference: PP-MDM-431020

Satisfies: SRG-APP-000166-UEM-000096, SRG-APP-000167-UEM-000097, SRG-APP-000168-UEM-000098, SRG-APP-000169-UEM-000099&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88820r1211966_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
1. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
2. Configure "Password complexity level" to "Mixed case, alphabetic, numeric and special characters". 
3. Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88820r1211966_fix" /><check system="C-88915r1211920_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
If "Password complexity level" is not set to "Mixed case, alphabetic, numeric and special characters", this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284354"><title>SRG-APP-000174-UEM-000104</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284354r1224097_rule" weight="10.0" severity="medium"><version>OMW1-00-012200</version><title>The Omnissa WS1 UEM server must enforce a 60-day maximum password lifetime restriction.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.  
 
One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised.  
 
This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.  
 
Satisfies: FMT_SMF.1(2)b  
Reference: PP-MDM-431024&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88823r1211924_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
1. Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
2. Configure "Password Expiration Period (days)" to "60" or less. 
3. Click "Save". 
 
Note: If this procedure is not seen on the console, the CSP is managing the setting. Contact the CSP to implement the required setting.</fixtext><fix id="F-88823r1211924_fix" /><check system="C-88918r1211923_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Groups &amp; Settings &gt;&gt; All Settings &gt;&gt; Admin &gt;&gt; Console Security &gt;&gt; Passwords. 
 
If "Password Expiration Period (days)" is not set to "60" (or less), this is a finding. 
 
Note: If this procedure is not seen on the console, the Cloud Service Provider (CSP) is managing the setting. Contact the CSP to review the required setting.</check-content></check></Rule></Group><Group id="V-284358"><title>SRG-APP-000329-UEM-000202</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284358r1224101_rule" weight="10.0" severity="medium"><version>OMW1-00-013100</version><title>The Omnissa WS1 UEM server must be configured to have at least one user in defined administrator roles.</title><description>&lt;VulnDiscussion&gt;Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations of which they may not understand or approve, which can weaken overall security and increase the risk of compromise. 
 
Pre-Defined roles: 

System Administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS. 
 
AirWatch Administrator: The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings. 
 
Device Manager: The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD)/Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), device-UEM interface hubs such as the Omnissa Workspace ONE Intelligent Hub, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator. 
 
Read Only: The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators but is ideal for compliance auditors or scanners.
 
Satisfies: FMT_SMR.1.1(1)  
Reference: PP-MDM-411058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Omnissa WS1 UEM Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Omnissa WS1 UEM Server</dc:subject><dc:identifier>5751</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88827r1211927_fix">Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Accounts &gt;&gt; Administrators &gt;&gt; Admin Roles. 
 
From the Roles page, locate the following predefined roles: 
 
- AirWatch Administrator. 
- Device Manager.
- Read Only.
 
Ensure that at least one user exists in each group or the org-defined replacement roles. 
 
Ensure that the "AirWatch Administrator" and "Device Manager" roles are restricted to the smallest possible set of administrators following least privilege principles.</fixtext><fix id="F-88827r1211927_fix" /><check system="C-88922r1211926_chk"><check-content-ref href="Omnissa_WS1_UEM_Server_STIG.xml" name="M" /><check-content>Authenticate to the Workspace ONE UEM console as an administrator. 
 
Navigate to Accounts &gt;&gt; Administrators &gt;&gt; Admin Roles. 
 
From the Roles page, locate the following predefined roles: 
 
- AirWatch Administrator.
- Device Manager. 
- Read Only.
 
If any role above does not have at least one member, this is a finding. 
 
If the "AirWatch Administrator" and "Device Manager" roles are not restricted to the smallest possible set of administrators following least privilege principles, this is a finding. 
 
If any of these predefined roles were removed in favor of org-defined roles, ensure that these new roles duplicate the functionality of the default roles, as described in the discussion. If they do not, this is a finding.</check-content></check></Rule></Group></Benchmark>