NIAP: Compliant Product
Compliant Product - VMware Workspace ONE Unified Endpoint Management Version 1907

Certificate Date:  2020.03.25

Validation Report Number:  CCEVS-VR-VID11026-2020

Product Type:    Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:    PP-Module for MDM Agent Version 1.0
  Protection Profile for Mobile Device Management Version 4.0

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

VMware Workspace ONE Unified Endpoint Management Version 1907 is a Mobile Device Management product and is comprised of an MDM Server component (UEM Server) and one or more VMware Intelligent Hub Agent components (iOS Hub Agent and Android Hub Agent). In the evaluated configuration of the TOE, the UEM Server is deployed in an on-premises configuration. The UEM Server component provides a centralized enterprise level management capability for a collection of mobile devices running the iOS and Android Hub Agents. The UEM Server is also a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository that resides within the organization managing the device. The management functionality includes management of Administrators and users, mobile device enrollment, mobile device status, mobile device compliance and policy management, and application management.


Evaluated Configuration

The TOE is VMware Workspace ONE Unified Endpoint Management Version 1907 which contains the following components, software versions and their purpose:

  • Workspace ONE Unified Endpoint Management 1907 (UEM Server): This satisfies the MDM Server Component of the TOE as it provides an enterprise-level management capability for a collection of mobile devices, including the administration of mobile device policies, reporting on device behavior, and sending commands to the iOS and Android Hub Agent(s). This MDM Server Component also provides a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository.
  • Android Intelligent Hub Agent 19.08 (Android Hub Agent): This satisfies the MDM Agent Component of the TOE as it is a VMware-developed application installed on mobile devices running the Samsung Android 9 operating system and uses the Android platform to establish a secure connection back to the UEM Server so that the Android Hub Agent can provide status and policy information about the device.
  • iOS Intelligent Hub Agent 19.09 (iOS Hub Agent): This satisfies the MDM Agent Component of the TOE as it is a VMware-developed application installed on mobile devices running the Apple iOS 12 operating system and uses the iOS platform to establish a secure connection back to the UEM Server so that the iOS Hub Agent and the iOS platform can provide status and policy information about the device.

In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:

  • Active Directory / LDAP Server: Identity store that defines users for device enrollment and administrator accounts for access to the Admin Console. In the evaluated configuration, Windows Server 2016 (Version 1803) Active Directory/LDAP Server is used.
  • Apple iOS 12 Mobile Device (VID10937): The MDM Agent Component of the TOE (Hub Agent) is an application that is installed on Apple mobile devices running iOS 12 operating systems so that the TOE can provide management functionality to the device.
  • Apple Push Notification Service (APNS) / Apple DEP: APNS is an iOS platform push notification service that enables the UEM Server to notify iOS Hub Agents and the iOS platform to connect directly to the UEM Server to retrieve data (e.g. policies). Apple DEP is an online service that automates the enrollment of iOS devices into the TOE in the evaluated configuration.
  • Certification Authority (CA) Server: The MDM Server Component and Android Hub Agent of the TOE connect to the CA Server during device enrollment so that the TOE can provide each device with a unique certificate generated by the CA Server. In the evaluated configuration, Windows Server 2016 (Version 1803) Active Directory Certificate Services is used.
  • Firebase Cloud Messaging Service (FCM): FCM is an Android platform push notification service that enables the UEM Server to notify Android Hub Agents to connect directly to the UEM Server to retrieve data (e.g. policies).
  • Samsung Android 9 Mobile Device (VID 10979): The MDM Agent Component of the TOE (Hub Agent) is an application that is installed on mobile devices running Android 9 operating systems so that the TOE can provide management functionality to the device.
  • SQL database: The TOE’s RDBMS database used to store configuration settings and device data. In the evaluated configuration, Microsoft SQL Server 2012 Enterprise is used.
  • Syslog Server: The MDM Server Component of the TOE connects to the Syslog Server to persistently store audit data for the UEM Server’s own operation as well as the audit data collected from the Hub Agent that it manages.
  • Windows Server 2016 (Version 1803): This is the OS that the UEM Server is installed on.
  • Workstation: Any general-purpose computer that is used by an administrator to manage the TOE via the Admin Console and a user to manage their device via the Self-Service Portal. For the TOE to be accessed remotely, the workstation is required to have a browser to access the TOE’s GUI based interfaces.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Workspace ONE Unified Endpoint Management Version 1907 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Workspace ONE Unified Endpoint Management Version 1907 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11026-2020 prepared by CCEVS.


Environmental Strengths

Security Audit

The UEM Server component of the TOE creates audit records for auditable events related to administrative actions, configuration of the UEM Server itself, and server-initiated management activities that affect one or more managed mobile devices. The UEM Server’s MAS Server functionality also generates audit records when it experiences a failure to push or update an application on a managed mobile device. Audit records can be viewed on the Admin Console.

The UEM Server can issue ‘compliance policies’ to managed mobile devices. Compliance policies are used to compare the configuration, status, or characteristics of a mobile device against a certain baseline and can be used to generate an alert to an Administrator if an anomaly is detected. The iOS and Android Hub Agents generate audit records and alerts for the activities they perform as a result of their interactions with the UEM Server or as a result of stored policy information.

Communication

The mobile devices running the iOS and Android Hub Agents are registered with the UEM Server so they can be enrolled into management by the UEM Server. This requires an Administrator to enable communications between these TOE components by including the mobile device’s identifier in a whitelist of devices that are allowed to enroll on the UEM Server. The enrollment process occurs over an HTTPS/TLS trusted channel that is handled by each TOE component’s underlying platform. An Administrator can disable the communications between an iOS or Android Hub Agent and the UEM Server by performing a wipe of the Hub Agent’s mobile device.

Cryptographic Support

The UEM Server invokes the Windows Server 2016 platform for cryptographic services to establish TLS and HTTPS/TLS trusted channels and paths to ensure secure communications of data in transit. This includes the use of RSA and Elliptic Curve Diffie-Hellman (ECDH) key establishment techniques. The MAS Server is integrated with the UEM Server, so it invokes the same cryptography services. The UEM Server also invokes the Windows Server 2016 platform to digitally sign policies sent to the Hub Agents.

The iOS and Android Hub Agents invoke their underlying mobile device platforms (Apple iOS 12 and Android 9 respectively) for cryptographic services to also establish trusted communications. The iOS Hub Agent invokes its underlying platform to verify the digital signatures of all policies received from the UEM Server. The Android Hub Agent software contains an OpenSSL library for implementing the digital signature verification of all policies received from the UEM Server. The cryptographic implementation of the Android Hub Agent’s OpenSSL has been validated (CAVP C1329) to ensure that the algorithms are appropriately strong for use with the digital signature verification.

Identification and Authentication

The iOS and Android Hub Agents register with the UEM Server so that their mobile device can be enrolled into management by the UEM Server. The mobile device user that is performing the enrollment must have a user account on the UEM Server to access the Self-Service Portal and authenticate to the TOE. During the enrollment process, the iOS and Android Hub Agents record the UEM Server’s DNS name and full URL with hostname. The iOS and Android Hub Agents also receive a unique certificate during enrollment that is used to establish an HTTPS trusted channel with the UEM Server.

Administrators (through the Admin Console) and users (through the Self-Service Portal) cannot access the UEM Server without being authenticated. Administrators and users can view the configured pre-authentication warning banner and query the UEM Server’s software version number prior to authentication.

The UEM Server interfaces with the underlying Windows Server 2016 platform to provide certificate validation services. Certificates are used for HTTPS/TLS authentication, code signing for software updates, code signing for integrity verification, and signing of MDM policies. The iOS and Android Hub Agents rely on the underlying platform to perform all certificate validation services, except for policy signing on Android devices, which is validated by the Android Hub Agent’s implementation of OpenSSL.

Security Management

The TSF provides separate administrative interfaces for Administrators and for mobile device users. Administrators use the Admin Console to manage users, policies, and devices, while mobile device users use the Self-Service Portal to perform actions related to their own devices. The mobile device user installs the TOE’s iOS or Android Hub Agent on the mobile device, which will communicate with the UEM Server to enroll in management. Once enrolled, the TOE will prevent user-directed unenrollment from management.

The UEM Server can be used to transmit specific commands to a managed device such as forcibly locking the device, initiating a wipe operation, or sending a push notification. The UEM Server can also define policies (known as profiles) that specify the configuration settings for a device. The UEM Server transmits iOS policies either to the iOS Hub Agent or iOS platform directly, depending on the functionality being configured. The UEM Server transmits Android policies to the Android Hub Agent. The UEM Server invokes its underlying platform to sign all policy data using ECDSA with SHA-512. The underlying iOS mobile platform and Android Hub Agent will validate the signed policies when they are received. The UEM Server also includes the MAS Server functionality, which provides the ability to grant or deny access to specific applications stored on the MAS Server to devices or groups of devices.

Protection of the TSF

The communications between the UEM Server and iOS and Android Hub Agents are protected using HTTPS/TLS which is provided by the underlying platforms of the TOE components.

The UEM Server invokes its platform to verify the digital signatures of executables and .dlls using Microsoft’s Authenticode making use of X.509v3 certificates. In addition, the UEM Server’s platform uses FIPS validated cryptographic modules which perform their own integrity checks at startup.

The TOE components invoke their underlying platforms to update their software, and the platforms will verify the digital signatures of the updates prior to installing them. The TOE components’ software contains third-party libraries. The TOE components use only documented APIs from their underlying platforms.

TOE Access

The UEM Server displays a pre-authentication banner for the Admin Console and the Self-Service Portal. This can be customized by Administrators to fit the needs of the organization deploying the TOE.

Trusted Path/Channels

The trusted communication channels between the UEM Server and the devices running the iOS and Android Hub Agents, the Syslog Server, and the AD/LDAP Server make use of TLS or HTTPS/TLS, depending on the interface. The trusted communication channels are provided by the TOE components’ underlying platforms.

The UEM Server platform uses HTTPS/TLS to provide a trusted path between itself and remote Administrators through the Admin Console and mobile device users through the Self-Service Portal as well as during the enrollment of a mobile device.



Vendor Information


VMware
Gary Sturdivant
650-427-1911
650-427-5001
sturdivantg@vmware.com

https://www.vmware.com