An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Part of Application Control Policy

SV-21092r3_rule An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration.

Vulnerability discussion

Applications must only have access to BlackBerry resources (e.g., microphone, address book, browser, email messages, etc.) they need for their function; otherwise, sensitive data could be exposed to unauthorized users or the BlackBerry system could be compromised.

Check content

Detailed Policy Requirements: An Application Control Policy must be set up on the BES for each application listed in an Application White List software configuration on the BES. For mandatory applications, the Application Control Policy should have the "Disposition" rule set to "Required". Check Procedures: Use the list of Application White List software configurations assigned to user accounts developed in Check WIR1310-01. Step 1: Determine the list of assigned Application Control Policies. For each Application White List software configuration assigned to a user, complete the following: - In the BlackBerry Manager, click "BlackBerry Domain" in the left pane. - Click "Software Configurations" tab. - In the Configuration Name list, double-click on one of the software configurations that was assigned to a BES User Group. - Expand the Application Software tree. - Determine if an Application Control Policy has been assigned to each application listed in the tree under the Application Software group. If an Application Control Policy has been assigned, note the name of the Application Control Policy. (Note: If an Application Control Policy has not been assigned to an application, this has the effect of denying the use of the application on site managed BlackBerry devices.) Step 2: Verify each Application Control Policy is configured as required. For each application listed under the Application Software group (for each software configuration), verify the Application Control Policy is compliant with the policy in Table C-4 of the BlackBerry STIG Overview. Use the following procedure to verify each Application Control Policy is configured correctly. - In the BlackBerry Manager, in the left pane, click "BlackBerry Domain". - On the "Software Configurations" tab, click "Manage Applications Policies". - For each Application Control Policy identified in Step 1, double click the policy to open it and verify it has been configured as required in Table C-4 of the BlackBerry STIG Overview. If any Application Control Policy is not configured as required, this is a finding. Identify the Application White List software configuration, Application Control Policy, and application in the VMS remarks. Remember to do the above steps for each Application White List software configuration. Findings comments in VMS should identify the Application White List software configuration and/or application not compliant.

Fix text

Set up the required Applications Control Policies.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer