NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - MobileIron Platform version 10

Certificate Date:  2019.02.22

Validation Report Number:  CCEVS-VR-VID10934-2019

Product Type:    Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Extended Package for Mobile Device Management Agents Version 3.0
  Protection Profile for Mobile Device Management Version 3.0

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is the MobileIron Platform composed of the following components:

·         MobileIron Core, Version

·         MobileIron Client – Mobile@Work for Android, Version

The TOE is an MDM solution where the claimed security functions are implemented in a central MDM server – MobileIron Core (deployed as a physical appliance or a VM) and associated MDM Agents – Mobile@Work for Android devices.

The MobileIron Core server also supports enrollment and the subsequent management of Apple iPad and iPhone Mobile Devices with iOS 11.2, however, there are no security functions claimed for the iOS device agent itself.  The iOS MDM agent has already been evaluated on Apple iPad and iPhone Mobile Devices with iOS 11.2 (NIAP VID 10851).

MobileIron Core integrates with backend enterprise IT systems and enables IT to define security and management policies for mobile apps, content and devices independent of the operating system. MobileIron Core enables mobile device (including both Android and iOS mobile devices), application, and content management.

·         Mobile device management capabilities are the primary focus of this evaluation and enable IT to securely manage mobile devices across mobile operating systems and provide secure corporate email, automatic device configuration, certificate-based security, and selective wiping of enterprise data from both corporate-owned as well as user-owned devices.

·         Mobile application management capabilities are a secondary focus of this evaluation and help IT manage the entire application lifecycle, from making the applications available in the enterprise app storefront, facilitating deployment of applications to mobile devices, and retiring applications as necessary. Note that this capability is referred to as MAS – Mobile Application Store.

·         Mobile content management functions are included in the MobileIron Platform, but no claims are made about those capabilities in the Security Target.

MobileIron Client– also known as Mobile@Work for Android – is an app downloaded by end users onto their mobile devices. It configures the device to function in an enterprise environment by enforcing the configuration and security policies set by the IT department. Once installed, it creates a secure MobileIron container to protect enterprise data and applications.

·         The MobileIron Client works with MobileIron Core to configure corporate email, Wi-Fi, VPN, and security certificates and to create a clear separation between personal and business information. This allows IT to selectively wipe only the enterprise data on the device if the user leaves or if the device falls out of compliance or is lost.

·         The MobileIron Client also enables additional enterprise device controls that are not subject to security claims and hence are outside the scope of this evaluation.

Evaluated Configuration

The TOE is the MobileIron Platform composed of the following components:

·         MobileIron Core, Version

·         MobileIron Client – Mobile@Work for Android, Version

MobileIron Core:

MobileIron Core is a server based on a CentOS 7.4 Linux operating system (OS) with Apache 2.4 that runs on an Intel x64 architecture server platform.  MobileIron supports the MobileIron Core operating on one physical server appliance that they distribute (Mobile Iron M2600) as well as virtual deployments in VMWare ESXi (5.1, 5.5, or 6.0) and Microsoft Hyper-V (Server 2008 R2 or Server 2012 R2).

The MobileIron M2600 appliances are based on Intel Xeon E5 CPUs and utilize Intel network adapters (Quad I350 GbE) along with SATA disk drives and 128 GB of DRAM.

MobileIron Core can optionally be configured to utilize an external LDAP server via a secure TLS channel to authenticate users.

MobileIron Client:

MobileIron Client consists of apps deployed on Android mobile devices.

NIAP requires that MDM agents must be installed on NIAP-evaluated mobile devices in order to be evaluated using the MDMAEP20. At present there are a number of evaluated Samsung Galaxy mobile Android devices ranging from Android version 7 to 8 that can be used with the Android version of the MobileIron Client.

·         (NIAP VID 10898, Samsung Galaxy Devices on Android 8: Samsung Galaxy S8, S8+, S8 Active, Note 8, S9 and S9+.

·         (NIAP VID 10849, Samsung Galaxy Devices on Android 7.1: Samsung Galaxy Note8 and Tab Active 2.

·         (NIAP VID 10809, Samsung Galaxy Devices with Android 7: Samsung Galaxy S6, S6 Active, S6 Edge, S6 Edge+, Note 5, S7, S7 Active, S7 Edge, S8, S8 Active, S8+, and Tab S3.

MobileIron Core can manage devices with the iOS MDM agent developed and evaluated by Apple Inc. – that agent has been evaluated on Apple iPad and iPhone Mobile Devices with iOS 11.2 (NIAP VID 10851).

Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012.    The product, when delivered and configured as identified in the MobileIron Core and Android and iOS Client Mobile Device Management Protection Profile Guide, Version 1.1, January 10, 2019 document, satisfies all of the security functional requirements stated in the MobileIron Platform (MDMPP30/MDMAEP30) Security Target, Version 0.8, 01/04/2019.  The project underwent CCEVS Validator review.  The evaluation was completed in February 2019.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The MDM Server can generate and store audit records for security-relevant events as they occur. These events are stored and protected by the MDM Server and can be reviewed by an authorized administrator. The MDM Server can be configured to export the audit records in either in CSV (comma separated values) format, text format, or a compressed archive format utilizing TLS for protection of the records on the network. The MDM Server also supports the ability to query information about MDM agents and export MDM configuration information.

The MDM Agent can generate audit records for security-relevant events and includes the ability to indicate (i.e., respond) when it has been enrolled and when policies are successfully applied to the MDM Agent. The MDM Server can be configured to alert an administrator based on its configuration. For example, it can be configured to alert the administrator when a policy update fails or an MDM Agent has been enrolled.

Cryptographic support:

The MDM Server and MDM Agent both include and/or utilize cryptographic modules with certified algorithms for a wide range of cryptographic functions including: asymmetric key generation and establishment, encryption/decryption, cryptographic hashing and keyed-hash message authentication. These functions are supported with suitable random bit generation, initialization vector generation, secure key storage, and key and protected data destruction.

The primitive cryptographic functions are used to implement security communication protocols: TLS and HTTPS used for communication between the MDM Server and MDM Agent and between the MDM Server and remote administrators.

Identification and authentication:

The MDM Server requires mobile device users (MD users) and administrators to be authenticated prior to allowing any security-related functions to be performed. This includes MD users enrolling their device in the MDM Server using a corresponding MDM Agent as well as an administrator logging on to manage the MDM Server configuration, MDM policies for mobile devices, etc.

In addition, both the MDM Server and MDM Agent utilize X.509 certificates, including certificate validation checking, in conjunction with TLS to secure communications between the MDM Server and MDM Agents as well as between the MDM Server and administrators using a web-based user interface for remote administrative access.

Security management:

The MDM Server is designed to include at least two distinct user roles: administrator and mobile device user (MD user). The former interacts directly with the MDM Server while the latter is the user of a mobile device hosting an MDM Agent. The MDM Server further supports the fine-grain assignment of role (access to management function) to defined users allowing the definition of multiple user and administrator roles with different capabilities and responsibilities.

The MDM Server provides all the function necessary to manage its own security functions as well as to manage mobile device policies that are sent to MDM Agents. In addition, the MDM Server ensures that security management functions are limited to authorized administrators while allowing MD users to perform only necessary functions such as enrolling in the MDM Server.

The MDM Agents provide the functions necessary to securely communicate with and enroll in a MDM Server, implement policies received from an enrolled MDM Server, and report the results of applying policies.

Protection of the TSF:

The MDM Server and MDM Agent work together to ensure that all security related communication between those components is protected from disclosure and modification.

Both the MDM Server and MDM Agent include self-testing capabilities to ensure that they are functioning properly. The MDM Server also has the ability to cryptographically verify during start-up that its executable image has not been corrupted.

The MDM Server also includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.

TOE access:

The MDM Server has the capability to display an advisory banner when users attempt to login in order to manage the TOE using the web-based and command-line based user interfaces.

Trusted path/channels:

The MDM Server uses TLS/HTTPS to secure communication channels between itself and remote administrators accessing the TOE via a web-based user interface.

The MDM Server can optionally be configured to use TLS to communicate with an LDAP server for user authentication.

It also uses TLS to secure communication channels between itself and mobile device users (MD users). In this latter case, the protected communication channel is established between the MDM Server and applicable MDM Agent on the user’s mobile device.

Vendor Information

Timothy Jackson
Site Map              Contact Us              Home