From BlackBerry UEM 12.7 Security Technical Implementation Guide
Part of PP-MDM-314002
Associated with: CCI-000366 CCI-002226 CCI-002227
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the BlackBerry UEM 12.7 server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).
SFR ID: FIA
Review the BlackBerry UEM 12.7 server configuration settings, and verify the server is configured to leverage the MDM Platform user accounts and groups for BlackBerry UEM 12.7 server user identification and authentication. On the BlackBerry UEM 12.7, do the following: 1. Navigate to the BlackBerry UEM 12.7 console. 2. Verify the BlackBerry UEM 12.7 does not prompt for additional authentication before opening the UEM console. If the BlackBerry UEM 12.7 server prompts for additional authentication before opening the UEM console, this is a finding.
On the BlackBerry UEM 12.7, do the following:
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on:
1. Log in to the BlackBerry UEM 12.7 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account:
Lavender hyperlinks in small type off to the right (of CSS
id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header
Powered by sagemincer