Compliant Product - VMware Workspace ONE Unified Endpoint Management Version 1907
Certificate Date: 2020.03.25
Documents: CC Certificate, Security Target, Validation Report
Validation Report Number: CCEVS-VR-VID11026-2020
Product Type: Mobility
Conformance Claim: Protection Profile Compliant
PP Identifier: PP-Module for MDM Agent Version 1.0
Protection Profile for Mobile Device Management Version 4.0
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
VMware Workspace ONE Unified Endpoint Management Version 1907 is a Mobile Device Management product and is comprised of an MDM Server component (UEM Server) and one or more VMware Intelligent Hub Agent components (iOS Hub Agent and Android Hub Agent). In the evaluated configuration of the TOE, the UEM Server is deployed in an on-premises configuration. The UEM Server component provides a centralized, enterprise-level management capability for a collection of mobile devices running the iOS and Android Hub Agents. The UEM Server is also a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository that resides within the organization managing the device. The management functionality includes management of Administrators and users, mobile device enrollment, mobile device status, mobile device compliance and policy management, and application management.
The TOE is VMware Workspace ONE Unified Endpoint Management Version 1907 which contains the following components, software versions and their purpose:
In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Workspace ONE Unified Endpoint Management Version 1907 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Workspace ONE Unified Endpoint Management Version 1907 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11026-2020 prepared by CCEVS.
The UEM Server component of the TOE creates audit records for auditable events related to administrative actions, configuration of the UEM Server itself, and server-initiated management activities that affect one or more managed mobile devices. The UEM Server’s MAS Server functionality also generates audit records when it experiences a failure to push or update an application on a managed mobile device. Audit records can be viewed on the Admin Console.
The UEM Server can issue ‘compliance policies’ to managed mobile devices. Compliance policies are used to compare the configuration, status, or characteristics of a mobile device against a certain baseline and can be used to generate an alert to an Administrator if an anomaly is detected. The iOS and Android Hub Agents generate audit records and alerts for the activities they perform as a result of their interactions with the UEM Server or as a result of stored policy information.
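The paragraph above describes compliance policies only in the abstract: a device's reported state is compared against a baseline and each deviation becomes an auditable alert. The following Go program is an added illustration of that pattern and is not code from the product or the evaluation; the device attribute names, the rule names, the baseline values and the audit-record layout are all assumptions chosen for the example. It evaluates a device against an organization baseline (minimum major OS version per platform, integrity state, passcode, storage encryption, and check-in age) and returns one audit record per failed rule, so an empty result is the compliant case.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DeviceStatus holds the attributes an agent reports to the server.
// Field names are assumptions for this example, not the product's schema.
type DeviceStatus struct {
	DeviceID         string
	Platform         string // "iOS" or "Android"
	OSVersion        string // dotted version string, e.g. "12.4.1"
	Compromised      bool   // jailbroken or rooted, as reported by the device
	PasscodePresent  bool
	StorageEncrypted bool
	LastCheckIn      time.Time
}

// Baseline is the organization's standard that every device is compared against.
type Baseline struct {
	MinOSVersion  map[string]int // minimum major OS version per platform
	MaxCheckInAge time.Duration  // how long a device may stay silent
}

// AuditRecord is one alertable compliance event (layout is assumed).
type AuditRecord struct {
	Timestamp time.Time
	DeviceID  string
	Rule      string
	Detail    string
}

// majorVersion extracts the leading integer of a dotted version string.
// Unparsable versions yield 0 so they never satisfy a minimum-version rule.
func majorVersion(v string) int {
	n, err := strconv.Atoi(strings.SplitN(v, ".", 2)[0])
	if err != nil {
		return 0
	}
	return n
}

// Evaluate compares one device against the baseline and returns an audit
// record for every rule it fails. An empty result means the device is compliant.
func Evaluate(now time.Time, b Baseline, d DeviceStatus) []AuditRecord {
	var out []AuditRecord
	fail := func(rule, detail string) {
		out = append(out, AuditRecord{Timestamp: now, DeviceID: d.DeviceID, Rule: rule, Detail: detail})
	}
	if d.Compromised {
		fail("device-integrity", "device reports jailbroken/rooted state")
	}
	if !d.PasscodePresent {
		fail("passcode-required", "no device passcode configured")
	}
	if !d.StorageEncrypted {
		fail("storage-encryption", "device storage is not encrypted")
	}
	if required, ok := b.MinOSVersion[d.Platform]; !ok {
		fail("platform-allowed", "unknown platform "+d.Platform)
	} else if majorVersion(d.OSVersion) < required {
		fail("minimum-os-version", fmt.Sprintf("%s %s is below required major version %d", d.Platform, d.OSVersion, required))
	}
	if age := now.Sub(d.LastCheckIn); age > b.MaxCheckInAge {
		fail("check-in-age", fmt.Sprintf("last check-in %s ago exceeds %s", age.Round(time.Hour), b.MaxCheckInAge))
	}
	return out
}

// IsCompliant is a convenience wrapper for callers that only need the verdict.
func IsCompliant(now time.Time, b Baseline, d DeviceStatus) bool {
	return len(Evaluate(now, b, d)) == 0
}

func main() {
	// Constructed sample data: a fixed "now" keeps the output reproducible.
	now := time.Date(2020, 3, 25, 12, 0, 0, 0, time.UTC)
	baseline := Baseline{MinOSVersion: map[string]int{"iOS": 12, "Android": 9}, MaxCheckInAge: 72 * time.Hour}
	devices := []DeviceStatus{
		{DeviceID: "ios-0001", Platform: "iOS", OSVersion: "12.4.1", PasscodePresent: true, StorageEncrypted: true, LastCheckIn: now.Add(-2 * time.Hour)},
		{DeviceID: "and-0002", Platform: "Android", OSVersion: "8.1.0", Compromised: true, PasscodePresent: true, StorageEncrypted: true, LastCheckIn: now.Add(-240 * time.Hour)},
	}
	for _, d := range devices {
		records := Evaluate(now, baseline, d)
		fmt.Printf("%s compliant=%v\n", d.DeviceID, len(records) == 0)
		for _, r := range records {
			fmt.Printf("  %s ALERT rule=%s: %s\n", r.Timestamp.Format(time.RFC3339), r.Rule, r.Detail)
		}
	}
}
```

Each rule is written as an independent check that appends its own record rather than short-circuiting on the first failure, so an Administrator sees every deviation in one evaluation pass; the check-in-age rule is there because a device that has stopped reporting cannot be assumed to still match whatever it last reported.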
The mobile devices running the iOS and Android Hub Agents are registered with the UEM Server so they can be enrolled into management by the UEM Server. This requires an Administrator to enable communications between these TOE components by including the mobile device’s identifier in a whitelist of devices that are allowed to enroll on the UEM Server. The enrollment process occurs over an HTTPS/TLS trusted channel that is handled by each TOE component’s underlying platform. An Administrator can disable the communications between an iOS or Android Hub Agent and the UEM Server by performing a wipe of the Hub Agent’s mobile device.
The UEM Server invokes the Windows Server 2016 platform for cryptographic services to establish TLS and HTTPS/TLS trusted channels and paths to ensure secure communications of data in transit. This includes the use of RSA and Elliptic Curve Diffie-Hellman (ECDH) key establishment techniques. The MAS Server is integrated with the UEM Server, so it invokes the same cryptography services. The UEM Server also invokes the Windows Server 2016 platform to digitally sign policies sent to the Hub Agents.
The iOS and Android Hub Agents invoke their underlying mobile device platforms (Apple iOS 12 and Android 9 respectively) for cryptographic services to also establish trusted communications. The iOS Hub Agent invokes its underlying platform to verify the digital signatures of all policies received from the UEM Server. The Android Hub Agent software contains an OpenSSL library for implementing the digital signature verification of all policies received from the UEM Server. The cryptographic implementation of the Android Hub Agent’s OpenSSL has been validated (CAVP C1329) to ensure that the algorithms are appropriately strong for use with the digital signature verification.
Identification and Authentication
The iOS and Android Hub Agents register with the UEM Server so that their mobile device can be enrolled into management by the UEM Server. The mobile device user that is performing the enrollment must have a user account on the UEM Server to access the Self-Service Portal and authenticate to the TOE. During the enrollment process, the iOS and Android Hub Agents record the UEM Server’s DNS name and full URL with hostname. The iOS and Android Hub Agents also receive a unique certificate during enrollment that is used to establish an HTTPS trusted channel with the UEM Server.
Administrators (through the Admin Console) and users (through the Self-Service Portal) cannot access the UEM Server without being authenticated. Administrators and users can view the configured pre-authentication warning banner and query the UEM Server’s software version number prior to authentication.
The UEM Server interfaces with the underlying Windows Server 2016 platform to provide certificate validation services. Certificates are used for HTTPS/TLS authentication, code signing for software updates, code signing for integrity verification, and signing of MDM policies. The iOS and Android Hub Agents rely on the underlying platform to perform all certificate validation services, except for policy signature verification on Android devices, which is performed by the Android Hub Agent’s implementation of OpenSSL.
The TSF provides separate administrative interfaces for Administrators and for mobile device users. Administrators use the Admin Console to manage users, policies, and devices, while mobile device (MD) users use the Self-Service Portal to perform actions related to their own devices. The mobile device user installs the TOE’s iOS or Android Hub Agent on the mobile device, which will communicate with the UEM Server to enroll in management. Once enrolled, the TOE will prevent user-directed unenrollment from management.
The UEM Server can be used to transmit specific commands to a managed device such as forcibly locking the device, initiating a wipe operation, or sending a push notification. The UEM Server can also define policies (known as profiles) that specify the configuration settings for a device. The UEM Server transmits iOS policies either to the iOS Hub Agent or iOS platform directly, depending on the functionality being configured. The UEM Server transmits Android policies to the Android Hub Agent. The UEM Server invokes its underlying platform to sign all policy data using ECDSA with SHA-512. The underlying iOS mobile platform and Android Hub Agent will validate the signed policies when they are received. The UEM Server also includes the MAS Server functionality, which provides the ability to grant or deny access to specific applications stored on the MAS Server to devices or groups of devices.
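The paragraph above (and the cryptographic support description earlier on the page) states the mechanism that protects policies in transit beyond the TLS channel itself: the server signs every policy with ECDSA over a SHA-512 digest, and the receiving side validates that signature before acting on the policy. The Go program below is an added example of that sign-then-verify exchange, written for this page; it is not code from the product, and the policy fields, the envelope layout and the choice of the P-521 curve are assumptions (the page names the algorithm and hash but not the curve or the wire format). The point worth seeing in code is that the agent side parses the payload only after the signature checks out, so a modified policy or one signed by a different key is rejected before any of it is applied.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is a constructed stand-in for the "profile" the server pushes.
// Field names are assumptions for this example, not the product's schema.
type Policy struct {
	ProfileID         string `json:"profile_id"`
	PasscodeRequired  bool   `json:"passcode_required"`
	MinPasscodeLength int    `json:"min_passcode_length"`
}

// SignedPolicy is the envelope sent to the agent (layout is an assumption):
// the serialised policy plus a DER-encoded ECDSA signature over SHA-512(payload).
type SignedPolicy struct {
	Payload   []byte
	Signature []byte
}

// GenerateSigningKey creates the server's policy-signing key. P-521 is chosen
// here so that the curve's security level matches the SHA-512 digest.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}

// SignPolicy is the server side: serialise, hash with SHA-512, sign with ECDSA.
func SignPolicy(priv *ecdsa.PrivateKey, p Policy) (SignedPolicy, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return SignedPolicy{}, err
	}
	digest := sha512.Sum512(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedPolicy{}, err
	}
	return SignedPolicy{Payload: payload, Signature: sig}, nil
}

// VerifyPolicy is the agent side: recompute the digest, verify the signature
// against the server's public key, and only then parse the payload.
func VerifyPolicy(pub *ecdsa.PublicKey, sp SignedPolicy) (Policy, error) {
	digest := sha512.Sum512(sp.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sp.Signature) {
		return Policy{}, errors.New("policy signature invalid: policy rejected")
	}
	var p Policy
	if err := json.Unmarshal(sp.Payload, &p); err != nil {
		return Policy{}, fmt.Errorf("policy payload malformed: %w", err)
	}
	return p, nil
}

// Tamper returns a copy of the envelope whose payload has been altered in
// transit (constructed for the demonstration); the signature is left untouched.
func Tamper(sp SignedPolicy, old, replacement string) SignedPolicy {
	return SignedPolicy{
		Payload:   bytes.Replace(sp.Payload, []byte(old), []byte(replacement), 1),
		Signature: sp.Signature,
	}
}

func main() {
	serverKey, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	policy := Policy{ProfileID: "profile-0001", PasscodeRequired: true, MinPasscodeLength: 6}
	signed, err := SignPolicy(serverKey, policy)
	if err != nil {
		panic(err)
	}
	if got, err := VerifyPolicy(&serverKey.PublicKey, signed); err == nil {
		fmt.Printf("accepted policy %s (min passcode length %d)\n", got.ProfileID, got.MinPasscodeLength)
	}
	// A weakened policy with the original signature must be rejected.
	weakened := Tamper(signed, `"min_passcode_length":6`, `"min_passcode_length":4`)
	if _, err := VerifyPolicy(&serverKey.PublicKey, weakened); err != nil {
		fmt.Println("tampered policy:", err)
	}
	// A policy signed by anyone other than the enrolled server is also rejected.
	otherKey, _ := GenerateSigningKey()
	if _, err := VerifyPolicy(&otherKey.PublicKey, signed); err != nil {
		fmt.Println("wrong signer:", err)
	}
}
```

The public key the agent verifies against is whatever it trusts from enrollment; the page describes the agent receiving the server's identity and a certificate during that step, which is the natural point to pin the policy-signing key, and it is why an Administrator-controlled enrollment whitelist matters for this scheme.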
Protection of the TSF
The communications between the UEM Server and iOS and Android Hub Agents are protected using HTTPS/TLS which is provided by the underlying platforms of the TOE components.
The UEM Server invokes its platform to verify the digital signatures of executables and .dlls using Microsoft’s Authenticode making use of X.509v3 certificates. In addition, the UEM Server’s platform uses FIPS validated cryptographic modules which perform their own integrity checks at startup.
The TOE components invoke their underlying platforms to update their software, and the platforms verify the digital signatures of the updates prior to installing them. The TOE components’ software contains third-party libraries. The TOE components use only documented APIs from their underlying platforms.
The UEM Server displays a pre-authentication banner for the Admin Console and the Self-Service Portal. This can be customized by Administrators to fit the needs of the organization deploying the TOE.
The trusted communication channels between the UEM Server and the devices running the iOS and Android Hub Agents, the Syslog Server, and the AD/LDAP Server make use of TLS or HTTPS/TLS, depending on the interface. The trusted communication channels are provided by the TOE components’ underlying platforms.
The UEM Server platform uses HTTPS/TLS to provide a trusted path between itself and remote Administrators through the Admin Console and mobile device users through the Self-Service Portal as well as during the enrollment of a mobile device.