The Omnissa WS1 UEM server must be configured to have at least one user in defined administrator roles.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-284358SRG-APP-000329-UEM-000202OMW1-00-013100SV-284358r1224101_rule2026-06-151

Description

Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations of which they may not understand or approve, which can weaken overall security and increase the risk of compromise. Pre-Defined roles: System Administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS. AirWatch Administrator: The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings. Device Manager: The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD)/Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), device-UEM interface hubs such as the Omnissa Workspace ONE Intelligent Hub, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator. Read Only: The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators but is ideal for compliance auditors or scanners. Satisfies: FMT_SMR.1.1(1) Reference: PP-MDM-411058

ℹ️ Check

Authenticate to the Workspace ONE UEM console as an administrator. Navigate to Accounts >> Administrators >> Admin Roles. From the Roles page, locate the following predefined roles: - AirWatch Administrator. - Device Manager. - Read Only. If any role above does not have at least one member, this is a finding. If the "AirWatch Administrator" and "Device Manager" roles are not restricted to the smallest possible set of administrators following least privilege principles, this is a finding. If any of these predefined roles were removed in favor of org-defined roles, ensure that these new roles duplicate the functionality of the default roles, as described in the discussion. If they do not, this is a finding.

✔️ Fix

Authenticate to the Workspace ONE UEM console as an administrator. Navigate to Accounts >> Administrators >> Admin Roles. From the Roles page, locate the following predefined roles: - AirWatch Administrator. - Device Manager. - Read Only. Ensure that at least one user exists in each group or the org-defined replacement roles. Ensure that the "AirWatch Administrator" and "Device Manager" roles are restricted to the smallest possible set of administrators following least privilege principles.