
The BlackBerry UEM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, or auditor.

An XCCDF Rule

Description

Having several administrative roles for the BlackBerry UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.

- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.
- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.
- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.
- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.

SFR ID: FMT_SMR.1.1(1)

Documentable: false

ID
SV-224377r604136_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

On the BlackBerry UEM, do the following, using the procedures below:

- Assign at least one user to the UEM Security Administrator role. Few administrators should be assigned to this role.
Note: UEM automatically restricts the following functions to the Security Administrator only: full permissions to manage the BlackBerry Enterprise Solution, and creating and editing roles.
- Define an "Auditor" role (see the vulnerability discussion above for role functions). Assign at least one user (UEM administrator) to the role. The role should include only the following UEM permissions: