NIAP: View Technical Decision Details
NIAP/CCEVS
TD0755:  MDM-Agent Policy Authenticity

Publication Date
2023.07.10

Protection Profiles
MOD_MDM_AGENT_V1.0

Other References
FMT_POL_EXT.2, FCS_STG_EXT.4, FMT_SMF_EXT.4, MOD_MDM_AGENT_V1.0-SD

Issue Description

The MDM-Agent PP-Module needs to be updated to support a use case where policy authenticity is not normally handled by certificates.

Resolution

This TD is effective 24 August 2023 and supersedes TD 491.

MOD_MDM_AGENT_V1.0 is updated as follows, with green highlight and underline indicating additions, and red highlight and strikethroughs indicating deletions:

FMT_POL_EXT.2 is updated as follows:

FMT_POL_EXT.2.1

The MDM Agent shall only accept policies and policy updates that are digitally signed by a {+private key+} [-certificate-] that has been authorized for policy updates by the MDM Server.

Application Note: The intent of this requirement is to cryptographically tie the policies to the enterprise that mandated the policy, not to protect the policies in transit (as they are already protected by FPT_ITT.1(2) in the MDM Base-PP or FTP_ITC_EXT.1(2) (MDF as Base-PP)). This is especially critical for users who connect to multiple enterprises.

Policies must be digitally signed by the enterprise using the algorithms in FCS_COP.1(3).

The signing private key is associated with a certificate or raw public key used by the agent to verify the signature on the policy.

FMT_POL_EXT.2.2

 

The MDM Agent shall not install policies if the {+signature check fails+} [-policy-signing certificate is deemed invalid-].

 

The Application Note for FCS_STG_EXT.4 is updated as follows:

Application Note: This requirement ensures that persistent secrets (credentials, secret keys, authentication tokens) and private keys are stored securely when not in use by the mobile platform. 

 

FMT_SMF_EXT.4 is updated as follows:

FMT_SMF_EXT.4.1

The MDM Agent shall be capable of interacting with the platform to perform the following functions:

• [selection: Import the certificates to be used for authentication of MDM Agent communications, import the server public key],

• [selection: administrator-provided management functions in MDF PP, administrator-provided device management functions in MDM PP]

• [selection: [assignment: additional functions], no additional functions].

 

The Supporting Document for MOD_MDM_AGENT_V1.0 is updated as follows:

The TSS Evaluation Activity for FCS_STG_EXT.4 is updated as follows:

The evaluator will verify that the TSS lists each persistent secret (credential, secret keys, authentication tokens) and private key needed to meet the requirements in the ST. For each of these items, the evaluator will confirm that the TSS lists for what purpose it is used, and, for each platform listed as supported in the ST, how it is stored. The evaluator shall verify that the Agent calls a platform-provided API to store persistent secrets and private keys.

 

Test 2 of FMT_SMF_EXT.4 is updated as follows:

• Test 2: [conditional: if “import the certificates to be used for authentication of MDM Agent communications” is selected in FMT_SMF_EXT.4.1] The evaluator shall configure the MDM Agent authentication certificate in accordance with the configuration guidance. The evaluator shall verify that the MDM Agent uses this certificate in performing the tests for FPT_ITT.1(2) (MDM as Base-PP) or FTP_ITC_EXT.1(2) (MDF as Base-PP).

Justification

These changes (along with TD 754) will allow server-generated raw key pairs, without certificates, to be used for signing policies that are sent to the client (similar to SSH). This would remain consistent with the current requirements, in that policies are signed by the server when delivered to the client device, but would eliminate the need for a certificate authority and the related infrastructure and checks.
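An added example, not part of the NIAP text or of any vendor's agent: Go code for the raw-key model described in the Justification, in which the agent holds the imported server public key and accepts a policy only when the signature check passes. ECDSA P-256 with SHA-256, the DER SubjectPublicKeyInfo key encoding, the sample policy and all function names are assumptions; the page itself only refers to the algorithms in FCS_COP.1(3).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// must panics on error; it only keeps the server-side stand-ins short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewServerKey (server side): raw P-256 key pair, public half as DER SubjectPublicKeyInfo.
func NewServerKey() (*ecdsa.PrivateKey, []byte) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return priv, must(x509.MarshalPKIXPublicKey(&priv.PublicKey))
}

// SignPolicy (server side): ECDSA signature over the SHA-256 digest of the policy.
func SignPolicy(priv *ecdsa.PrivateKey, policy []byte) []byte {
	d := sha256.Sum256(policy)
	return must(ecdsa.SignASN1(rand.Reader, priv, d[:]))
}

// AcceptPolicy (agent side) fails closed: it returns true only when the pinned raw key
// parses as an ECDSA P-256 key and sig verifies over the policy digest.
func AcceptPolicy(pinnedSPKI, policy, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pinnedSPKI)
	pub, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok || pub.Curve != elliptic.P256() {
		return false
	}
	d := sha256.Sum256(policy)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	priv, spki := NewServerKey()              // spki is what the agent imports and pins
	policy := []byte(`{"camera":"disabled"}`) // constructed sample policy
	sig := SignPolicy(priv, policy)
	fmt.Println("authentic policy accepted:", AcceptPolicy(spki, policy, sig))
	fmt.Println("tampered policy accepted:", AcceptPolicy(spki, []byte(`{"camera":"enabled"}`), sig))
}
```

With no certificate there is no chain, expiry or revocation check to fall back on, so trust rests entirely on how the agent obtained and stores the pinned key.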

 
 