Section 3.1 of PP_MDM_v4.0 states that the ST author must choose FPT_ITT.1(2) for a distributed TOE if the registration channel is between the TSF and the MDM agent that is included in the TOE.

The FPT_ITT.1(2) selections all require the TOE to support mutual authentication  and require claiming FIA_X509_EXT.1(1) for the connection. However, this is a registration channel for the MDM Agent as part of the enrollment process. The MDM Agent is not going to have its organizational X.509 certificate because this is something the MDM Agent receives as part of the enrollment process. Then after enrollment the MDM Agent will have its X.509 certificate to present for mutual authentication.

Under previous iterations of the MDM PP, the FTP_TRP.1(2) was used to claim the connection used between the MDM Agents and the MDM Server for enrollment because it did not require mutual authentication.

Figure 3 in Section 3.1 is replaced with the following:

In Appendix C, FCO_CPC_EXT.1.2 is updated as follows, with underlines indicating additions:

FCO_CPC_EXT.1.2  The TSF shall [selection: invoke platform-provided functionality, implement functionality] to
implement a registration process in which components establish and use a communications
channel that uses [selection:

• A channel that meets the secure channel requirements in [selection: FTP_ITC.1, FPT_ITT.1(1), FPT_ITT.1(2)] ,
• A channel that meets the secure registration channel requirements in [selection: FTP_TRP.1(2), FTP_TRP.1(3)],
• No channel

] for at least TSF data.

In Appendix C, under FCO_CPC_EXT.1.3, paragraphs 3 and 4 of the Application Note are modified as follows, with underlines indicating additions:

The channel selection (for the registration channel) in FCO_CPC_EXT.1.2 is essentially a
choice between the use of a normal secure channel that is equivalent to a channel used to
communicate with external IT entities (FTP_ITC.1) or existing TOE components
(FPT_ITT.1(1)/FPT_ITT.1(2)), or else a separate type of channel that is specific to registration
(FTP_TRP.1(2) or FTP_TRP.1(3)). If the TOE does not require a communications channel for registration (e.g.
because the registration is achieved entirely by configuration actions by an administrator at
each of the components) then the main selection in FCO_CPC_EXT.1.2 is completed with the
"No channel" option.

If the ST author selects the FTP_ITC.1 or FPT_ITT.1(1)/FPT_ITT.1(2) channel type in the main
selection in FCO_CPC_EXT.1.2 then the TSS identifies the relevant SFR iteration that specifies
the channel used. If the ST author selects the FTP_TRP.1(2) or FTP_TRP.1(3) channel type, then the TSS
(possibly with support from the operational guidance) describes details of the channel and the
mechanisms that it uses (and describes how the registration process ensures that the
channel can only be used by the intended joiner and gatekeeper). Note that the FTP_TRP.1(2) or FTP_TRP.1(3)
channel type may require support from security measures in the operational environment
(see the definition of FTP_TRP.1(2) or FTP_TRP.1(3) for details).

See issue description.