The Omnissa WS1 UEM server must be configured to require a One-Time Password (OTP) or Short Message Service (SMS) two-factor authentication for local accounts.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-284284 | SRG-APP-000149-UEM-000083 | OMW1-00-004020 | SV-284284r1224027_rule | 2026-06-15 | 1 |
Description
DoW sites may implement one "break-glass" WS1 UEM local account for the purpose of server recovery. This account must use two-factor authentication to provide secure access control. At the current time, WS1 UEM only supports OTP or SMS based authentication as the second authentication factor.
ℹ️ Check
Authenticate to the Workspace ONE UEM console as an administrator.
1. Navigate to Accounts >> Administrators >> List View.
2. For each account with an "Admin Type" of "Basic", click the three vertical dots next to the account name and select "Edit".
3. Click "Next" three times to reach the "Settings" page.
If "Two Factor Authentication" is not enabled, this is a finding.
If the account has the "Read Only" role and is used for automation such as compliance scanning, this is not applicable to that account.
✔️ Fix
Authenticate to the Workspace ONE UEM console as an administrator.
1. Navigate to Accounts >> Administrators >> List View.
2. For each account with an "Admin Type" of "Basic", click the three vertical dots next to the account name and select "Edit".
3. Click "Next" three times to reach the "Settings" page.
4. Enable "Two Factor Authentication" and configure either email or SMS notification.
5. Click "Save".
Note: The OTP code will be sent to the email or mobile phone configured on the previous pages. Ensure they are configured correctly.
Note: The only authorized local account is the "break-glass" account.