NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - VMware Workspace ONE Boxer Email Client Version 23.11

Certificate Date:  2024.05.06

Validation Report Number:  CCEVS-VR-VID11441-2024

Product Type:    Application Software
   Email Client

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Extended Package for Email Clients v2.0
  Protection Profile for Application Software Version 1.4

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is the VMware Workspace ONE Boxer Email Client Version 23.11 application which is an enterprise email client for iOS, iPadOS and Android mobile devices. The Boxer application provides S/MIME email services and containerizes enterprise data from personal data that resides on the user’s mobile device.

Evaluated Configuration

In the evaluated configuration, the TOE is installed on either a mobile device running iOS 16 (VID11349), iPadOS 16 (VID11350), or Android 13 (VID11342). The mobile devices must be enrolled and managed by the VMware Workspace ONE Unified Endpoint Management (UEM) at the device level. When the TOE application is installed on the mobile device it is then enrolled as a managed application in UEM in order to obtain its configuration information.

Additionally, the TOE is configured to use ActiveSync to communicate with the Microsoft Exchange server over a TLS v1.2 trusted channel. The Exchange server resides in the operational environment and is for sending and receiving enterprise data such as email, calendar information and appointment data. Whether installed on an Android or iOS/iPadOS device, the application validates the certificates using OCSP. The OCSP responder is also considered part of the operational environment.

The following list identifies the components and applications in the environment that the TOE relies upon in order to function properly:



OCSP Responder

A server deployed within the Operational Environment which confirms the validity and revocation status of certificates.

VMware Workspace ONE Unified Endpoint Management (UEM) Server

The VMware Workspace ONE UEM server is used to manage the Boxer app (TOE) and its host mobile device. The UEM Server provides administrative access through its UEM Console.

Microsoft Exchange Server 2019

Exchange server for sending and receiving emails to and from the Operational Environment configured to use ActiveSync to communicate.

Mobile Device

The hardware that runs the OS in which the application is installed on.


The TOE was installed on a certified iOS 16 (VID11349) device, iPadOS 16 (VID11350), and certified Android 13 (VID11342) device. For testing, this evaluation used a Samsung Galaxy XCover6 Pro (Android), iPad Air 4th generation (Apple), and an iPhone 12 Pro (Apple).

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Workspace ONE Boxer Email Client Version 23.11 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Workspace ONE Boxer Email Client Version 23.11 Security Target V1.0, dated March 4, 2024. The evaluation underwent CCEVS Validator review. The evaluation was completed in May 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR- VID11441-2024 prepared by CCEVS.

Environmental Strengths

Cryptographic Support

Depending on which OS the application is installed on, the TOE either invokes the underlying platform or implements its own cryptographic module to perform cryptographic services. All cryptographic mechanisms, whether platform or application provided, use DRBG functionality to support cryptographic operations. Cryptographic functionality includes encryption/decryption services, credential/key storage, key establishment, key destruction, hashing services, signature services, key-hashed message authentication, and key chaining using a password-based derivation function.

Cryptographic services for the application’s S/MIME functionality and TLS communications are provided by the underlying platform when the application is installed on a device running iOS/iPadOS. When installed on a device running the Android OS, the TOE invokes the underlying platform cryptographic libraries for TLS communications and implements an OpenSSL cryptographic module to perform the cryptographic functionality required to support S/MIME (CAVP certificate #A5072).

User Data Protection

The TOE uses S/MIME to digitally sign, verify, decrypt, and encrypt email messages. The TOE stores all application data in an encrypted Boxer database which is created on the mobile device during installation. The TOE’s host platforms (iOS, iPadOS, and Android) implement file-based encryption to securely store the data. The TOE restricts its network access and provides user awareness when it attempts to access hardware resources and sensitive data stored on the host platform. The TOE displays notification icons that show S/MIME status. Each status is shown as a different color so that the user can quickly identify any issues.

Identification and Authentication

The TOE relies on the OS to validate X.509.3 certificates for TLS communication. The TOE validates X.509v3 certificates for signing and encrypting emails for S/MIME.

Security Management

The TOE enforces the application’s enterprise policy set by the UEM administrator pushed out to the managed TOE device. The TOE does not use default passwords, and automatically installs and configures the application to protect itself and its data from unauthorized access while also implementing the recommended platform security mechanisms. Changing one’s own password from the application is the only management function that can be performed by the owner/user of the mobile device with the TOE installed.


The TOE does not transmit any personally identifiable information (PII) over the network unless voluntarily sent via free text email.

Protection of the TSF

The TOE does not support the installation of trusted or untrusted add-ons. The user is able to navigate the platform to check the version of the TOE and also check for updates to the application. All updates come from the Google Play Store (Android) or Apple App Store (iOS and iPadOS). The digital signature of the updates is verified by the mobile device platform prior to being installed. The TOE does not replace or modify its own binaries without user interaction. The TOE implements anti-exploitation features, such as stack-based overflow protection, is compatible with security features provided by the OS, and will only use documented APIs and libraries. 

Trusted Path/Channels

The TOE invokes the platform to provide the trusted communication channel between the TOE and the Exchange server. Communications are protected with TLS v1.2. Communication to the Exchange server uses ActiveSync to send and receive emails.

Vendor Information

VMware, Inc.
Vann Nguyen
1 (877) 486-9273
Site Map              Contact Us              Home