The Omnissa WS1 UEM server must be configured to use a directory service for centralized account management.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-284254SRG-APP-000023-UEM-000012OMW1-00-000600SV-284254r1223995_rule2026-06-151

Description

Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in noncentralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage. Satisfies: SRG-APP-000023-UEM-000012, SRG-APP-000025-UEM-000014, SRG-APP-000148-UEM-000082, SRG-APP-000149-UEM-000083, SRG-APP-000319-UEM-000192, SRG-APP-000345-UEM-000218, SRG-APP-000400-UEM-000271, SRG-APP-000153-UEM-000087, SRG-APP-000157-UEM-000091, SRG-APP-000401-UEM-000272

ℹ️ Check

1. Verify directory service integration. a. Authenticate to the Workspace ONE UEM console as an administrator. b. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Directory Services. Select "Skip wizard and configure manually". c. Under the "Server" tab, verify directory service connection information. If no valid directory service is configured, this is a finding. In the bottom right, click "Test Connection". If the test is not successful, this is a finding. 2. Validate that device enrollment uses directory service authentication only. a. Navigate to Groups & Settings >> All Settings >> Devices and Users >> General >> Enrollment. b. Under the "Authentication" tab, find the "Authentication Modes" setting. If "Directory" is not the one and only checked box, this is a finding. 3. Validate there is only one "break-glass" local admin configured. a. Navigate to Accounts >> Administrators >> List View. b. Review account types under the "Admin Type" column. If any users have an "Admin Type" of "Basic", outside of a single "break-glass" admin, this is a finding. 4. Validate that all users are centrally managed by a directory service. a. Navigate to Accounts >> Users >> List View. b. Click "Layout" and select "Custom". c. Under the "Security Type" column, if any "Basic" accounts are listed, this is a finding.

✔️ Fix

1. Set up directory service integration. a. Authenticate to the Workspace ONE UEM console as an administrator. b. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Directory Services. Select "Skip wizard and configure manually". c. Under the "Server" tab, complete the directory service connection information. This will be site-specific. Consult Omnissa documentation for "Directory Services Setup" for details. d. Click "Save". 2. Require that device enrollment only uses directory service authentication. a. Navigate to Groups & Settings >> All Settings >> Devices and Users >> General >> Enrollment. b. Under the "Authentication" tab, find the "Authentication Modes" setting. c. Ensure that "Directory" is the one and only checked box. d. Click "Save". 3. Remove all admin accounts that are not the "break-glass" account. a. Navigate to Accounts >> Administrators >> List View. b. For each user with an "Admin Type" of "Basic" that is NOT the "break-glass" account, select the three vertical dots next to that user and then select "Delete". c. Click "Delete" when prompted to confirm. 4. Remove all users that are not centrally managed by a directory service. a. Navigate to Accounts >> Users >> List View. b. Click "Layout" and select "Custom". c. For each user with a "Security Type" of "Basic", select the checkbox next to the user. d. Click "More Actions", then click "Delete". e. To confirm, click "Save" when prompted.