Compliant Product - VMware Workspace ONE Unified Endpoint Management Version 2209
Certificate Date: 2023.03.07
Documents: CC Certificate, Security Target, Validation Report
Validation Report Number: CCEVS-VR-VID11326-2023
Product Type: Mobility
Conformance Claim: Protection Profile Compliant
PP Identifier: PP-Module for MDM Agent Version 1.0
Protection Profile for Mobile Device Management Version 4.0
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
Administrative Guide: VMware Workspace ONE Unified Endpoint Management Version 2209 Supplemental Administrative Guidance
Administrative Guide: Certificate Authority Integrations
Administrative Guide: Directory Services
Administrative Guide: Upgrade Guide
Administrative Guide: Integration with Apple Business Manager
Administrative Guide: Installing Workspace ONE UEM
Administrative Guide: Console Basics
VMware Workspace ONE Unified Endpoint Management Version 2209 is a Mobile Device Management product and is comprised of an MDM Server component (UEM Server) and one or more VMware Intelligent Hub Agent components (iOS Hub Agent and Android Hub Agent). In the evaluated configuration of the TOE, the UEM Server is deployed in an on-premises configuration. The UEM Server component provides a centralized enterprise level management capability for a collection of mobile devices running the iOS and Android Hub Agents. The UEM Server is also a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository that resides within the organization managing the device. The management functionality includes management of Administrators and users, mobile device enrollment, mobile device status, mobile device compliance and policy management, and application management.
The TOE is VMware Workspace ONE Unified Endpoint Management Version 2209 which contains the following components, software versions and their purpose:
In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Workspace ONE Unified Endpoint Management Version 2209 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Workspace ONE Unified Endpoint Management Version 2209 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11326-2023, prepared by CCEVS.
The UEM Server component of the TOE creates audit records for auditable events related to administrative actions, configuration of the UEM Server itself, and server-initiated management activities that affect one or more managed mobile devices. The UEM Server’s MAS Server functionality also generates audit records when it experiences a failure to push or update an application on a managed mobile device. The audit records are stored in an SQL database and are transferred to a remote Syslog Server over a TLS encrypted trusted channel. Audit records can be viewed on the Admin Console.
The UEM Server can issue ‘compliance policies’ to managed mobile devices. Compliance policies are used to compare the configuration, status, or characteristics of a mobile device against a certain baseline and can be used to generate an alert to an Administrator if an anomaly is detected. The Administrator can also request on-demand connectivity status updates through the use of push notifications.
The iOS and Android Hub agents’ audit records are created as long as the underlying mobile device is powered on. The iOS and Android Hub agents generate audit records for the activities they perform as a result of their interactions with the UEM Server or as a result of stored policy information. The iOS and Android Hub agents facilitate alerts by providing data to the UEM Server on a periodic basis. The UEM Server can then analyze this data (or the absence of data, in the case of periodic reachability events) in order to determine whether anomalous behavior is occurring.
The mobile devices running the iOS and Android Hub agents are registered with the UEM Server so they can be enrolled into management by the UEM Server. This requires an Administrator to enable communications between these TOE components by including the mobile device’s identifier in an allow list of devices that are permitted to enroll on the UEM Server. The enrollment process occurs over an HTTPS/TLS trusted channel that is handled by each TOE component’s underlying platform. An Administrator can disable the communications between an iOS or Android Hub agent and the UEM Server by performing a wipe of the Hub agent’s mobile device.
The UEM Server invokes the Windows Server 2019 platform for cryptographic services to establish TLS and HTTPS/TLS trusted channels and paths to ensure secure communications of data in transit. This includes the use of RSA and Elliptic Curve Cryptography (ECC) key establishment techniques. The MAS Server is integrated with the UEM Server, so it invokes the same cryptography services. The UEM Server also invokes the Windows Server 2019 platform to digitally sign policies sent to the Hub agents.
The iOS and Android Hub agents invoke their underlying mobile device platforms (Apple iOS 14, Apple iPadOS 14, and Android 11 respectively) for cryptographic services to also establish trusted communications. The iOS Hub agent invokes its underlying platform to verify the digital signatures of all policies received from the UEM Server. The Android Hub agent software contains an OpenSSL library for implementing the digital signature verification of all policies received from the UEM Server.
All cryptographic mechanisms use the TOE components’ platform provided DRBG functionality to support their cryptographic operations. Cryptographic functionality includes encryption/decryption services, credential/key storage, key establishment, key destruction, hashing services, signature services, and hashed message authentication.
The following table contains the CAVP algorithm certificates corresponding to the Android Hub agent’s digital signature verification cryptographic functionality which is implemented by its OpenSSL module.
Table 6: Cryptographic Algorithm Table for the Hub Agents
Identification and Authentication
The iOS and Android Hub agents register with the UEM Server so that their mobile device can be enrolled into management by the UEM Server. The mobile device user that is performing the enrollment must have a user account on the UEM Server to access the Self-Service Portal and authenticate to the TOE. During the enrollment process, the iOS and Android Hub agents record the UEM Server’s DNS name and full URL with hostname. The iOS and Android Hub agents also receive a unique certificate during enrollment that is used to establish an HTTPS trusted channel with the UEM Server.
Administrators (through the Admin Console) and users (through the Self-Service Portal) cannot access the UEM Server without being authenticated. Administrators and users can view the configured pre-authentication warning banner and query the UEM Server’s software version number prior to authentication.
The UEM Server interfaces with the underlying Windows Server 2019 platform to provide certificate validation services. Certificates are used for HTTPS/TLS authentication, code signing for software updates, code signing for integrity verification, and signing of MDM policies. The iOS and Android Hub agents rely on the underlying platform to perform all certificate validation services, except for policy signing on Android devices which is validated by the Android Hub agent’s implementation of OpenSSL.
The TSF provides separate administrative interfaces for Administrators and for mobile device users. Administrators use the Admin Console to manage users, policies, and devices, while mobile device (MD) users use the Self-Service Portal to perform actions related to their own devices. The mobile device user installs the TOE’s iOS or Android Hub agent on the mobile device, which then communicates with the UEM Server to enroll in management. Once enrolled, the TOE prevents user-directed unenrollment from management.
The UEM Server can be used to transmit specific commands to a managed device such as forcibly locking the device, initiating a wipe operation, or sending a push notification. The UEM Server can also define policies (known as profiles) that specify the configuration settings for a device. These configuration settings can include functionality such as configuration of the password policy and what settings are applied to Wi-Fi connections. The UEM Server transmits iOS policies either to the iOS Hub agent or iOS/iPadOS platform directly, depending on the functionality being configured. The UEM Server transmits Android policies to the Android Hub agent. The UEM Server invokes its underlying platform to sign all policy data using ECDSA with SHA-512. The underlying iOS/iPadOS mobile platform and Android Hub agent will validate the signed policies when they are received.
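The sign-on-server, verify-on-agent pattern described above (ECDSA over a SHA-512 digest of the policy, with a tampered policy rejected), as an added illustration that is not Workspace ONE's code: the Policy structure, its JSON encoding and the P-521 curve are assumptions for the example, not the product's actual profile format or key parameters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/json"
	"fmt"
)

// Policy is a constructed stand-in for an MDM profile (not the product's real format).
type Policy struct {
	Name           string `json:"name"`
	MinPasscodeLen int    `json:"min_passcode_len"`
	WifiSSID       string `json:"wifi_ssid"`
}

// GenerateServerKey creates the UEM Server's signing key (curve is an assumption).
func GenerateServerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}

// policyDigest encodes the policy and hashes it with SHA-512; server and agent must
// encode identically, otherwise a valid signature will fail to verify.
func policyDigest(p Policy) ([]byte, error) {
	data, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	sum := sha512.Sum512(data)
	return sum[:], nil
}

// SignPolicy is the server side: ECDSA signature (ASN.1 DER) over the SHA-512 digest.
func SignPolicy(priv *ecdsa.PrivateKey, p Policy) ([]byte, error) {
	digest, err := policyDigest(p)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// VerifyPolicy is the agent side: recompute the digest and check it against the
// server's public key; any change to the policy, or a signature from another
// key, yields false and the agent must not apply the policy.
func VerifyPolicy(pub *ecdsa.PublicKey, p Policy, sig []byte) bool {
	digest, err := policyDigest(p)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest, sig)
}

func main() {
	priv, _ := GenerateServerKey()
	p := Policy{Name: "corp-baseline", MinPasscodeLen: 8, WifiSSID: "corp-wifi"}
	sig, _ := SignPolicy(priv, p)
	fmt.Println("original verifies:", VerifyPolicy(&priv.PublicKey, p, sig))
	p.MinPasscodeLen = 4 // tampered in transit
	fmt.Println("tampered verifies:", VerifyPolicy(&priv.PublicKey, p, sig))
}
```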
The UEM Server also includes the MAS Server functionality, which provides the ability to grant or deny access to specific applications stored on the MAS Server to devices or groups of devices. The MAS Server is accessed through the same Admin Console interface as the UEM Server, so the administrative roles defined for both components are the same.
The communications between the UEM Server and iOS and Android Hub agents are protected using HTTPS/TLS which is provided by the underlying platforms of the TOE components.
The UEM Server invokes its platform to verify the digital signatures of executables and DLLs using Microsoft’s Authenticode, which makes use of X.509v3 certificates. In addition, the UEM Server’s platform uses FIPS validated cryptographic modules that perform their own integrity checks at startup.
The TOE components invoke their underlying platforms to update their software and the platforms will verify the digital signatures of the updates prior to installing them. The TOE components’ software contains third party libraries. The TOE components use only documented APIs from their underlying platforms.
The UEM Server displays a pre-authentication banner for the Admin Console and the Self-Service Portal. This can be customized by Administrators to fit the needs of the organization deploying the TOE.
The trusted communication channels between the UEM Server and the devices running the iOS and Android Hub agents, the Syslog Server, and the AD/LDAP Server make use of TLS or HTTPS/TLS, depending on the interface. The trusted communication channels are provided by the TOE components’ underlying platforms.
The UEM Server platform uses HTTPS/TLS to provide a trusted path between itself and remote Administrators through the Admin Console and mobile device users through the Self-Service Portal as well as during the enrollment of a mobile device.