The Omnissa WS1 UEM server must be configured to require a One-Time Password (OTP) or Short Message Service (SMS) two-factor authentication for local accounts.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-284284SRG-APP-000149-UEM-000083OMW1-00-004020SV-284284r1224027_rule2026-06-151

Description

DoW sites may implement one "break-glass" WS1 UEM local account for the purpose of server recovery. This account must use two-factor authentication to provide secure access control. At the current time, WS1 UEM only supports OTP or SMS based authentication as the second authentication factor.

ℹ️ Check

Authenticate to the Workspace ONE UEM console as an administrator. 1. Navigate to Accounts >> Administrators >> List View. 2. For each account with an "Admin Type" of "Basic", click the three vertical dots next to the account name and select "Edit". 3. Click "Next" three times to reach the "Settings" page. If "Two Factor Authentication" is not enabled, this is a finding. If the account has the "Read Only" role and is used for automation such as compliance scanning, this is not applicable to that account.

✔️ Fix

Authenticate to the Workspace ONE UEM console as an administrator. 1. Navigate to Accounts >> Administrators >> List View. 2. For each account with an "Admin Type" of "Basic", click the three vertical dots next to the account name and select "Edit". 3. Click "Next" three times to reach the "Settings" page. 4. Enable "Two Factor Authentication" and configure either email or SMS notification. 5. Click "Save". Note: The OTP code will be sent to the email or mobile phone configured on the previous pages. Ensure they are configured correctly. Note: The only authorized local account is the "break-glass" account.