The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

SV-25765r3_rule The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM.

Vulnerability discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. Users must be prohibited from performing the following administrative tasks using the BlackBerry Web Desktop Manager: -Specify an enterprise activation password for a BlackBerry device.-Specify a new device password and lock a device.-Delete all device data and deactivate a device.-Assign a new device to a user account.

Check content

Verify the BAS has been configured to disable users from performing administrative tasks on the BES. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution Topology >> BlackBerry Domain >> Component view. Click "BlackBerry Administration Service". Click "Edit component". On the "BlackBerry Web Desktop Manager Information" tab, verify "Allow users to perform self-service tasks" is set to "No". If not set as required, this is a finding.

Fix text

Configure the BlackBerry Administration Service to disable a user from performing administrative tasks on the BES.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.