Compliant Product - VMware AirWatch Mobile Device Management v9.1
Certificate Date: 24 February 2017
Validation Report Number: CCEVS-VR-VID10733-2017
Product Type: Mobility
Conformance Claim: Protection Profile Compliant
PP Identifier: Extended Package for Mobile Device Management Agents Version 2.0
Protection Profile for Mobile Device Management Version 2.0
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
The TOE is the VMware AirWatch Mobile Device Management version 9.1 comprising the VMware AirWatch MDM Server 9.1, and VMware AirWatch MDM Agent version 9.1. The MDM Server component provides a centralized enterprise level management capability for a collection of mobile devices running the VMware AirWatch MDM Agents. It also provides a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository that resides within the organization managing the device. VMware AirWatch Mobile Device Management provides management of Administrators and users, mobile device enrollment, mobile device status, mobile device compliance and policy management, and application management. Administrators access the VMware AirWatch MDM Server through the Admin Console interface in order to manage users, policies, and devices. Users access the VMware AirWatch MDM Server through the Self-Service Portal, which allows them to perform administrative functions relating to their own devices.
The logical boundary of the TOE includes only the relevant security functionality that is defined by the claimed Protection Profiles. The logical boundary of the TOE includes its auditing, cryptography, I&A, management, self-protection, TOE access, and trusted path/channel functionality.
The TOE is comprised of two MDM Server components and an MDM Agent component. Two MDM Server components exist because the evaluated configuration of the TOE is to deploy it in an on-premises configuration, which requires a secondary instance of the MDM Server residing outside the organization’s firewall in a demilitarized zone (DMZ) where it is exposed to external network traffic from the internet.
The following lists the components and applications in the environment that the TOE relies upon in order to function properly:
Windows Server 2012 R2 Active Directory / LDAP Server – Identity store that defines users for device enrollment and administrator accounts for access to the Admin Console.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware AirWatch MDM was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware AirWatch Mobile Device Management Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in January 2017. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (CCEVS-VR-VID10733-2017, dated 24 February 2017) prepared by CCEVS.
The MDM Server component of the TOE creates audit records for configuration of the MDM Server itself as well as Server-initiated management activities that affect one or more managed mobile devices. The MDM Agent generates audit records for the activities it performs as a result of its interactions with the MDM Server or as a result of stored policy information. The audit records are stored locally in an SQL database and are transferred to a remote Syslog database over a TLS encrypted trusted channel. Audit records can be viewed on the Administrator Console.
The MDM Server can issue ‘compliance policies’ to managed mobile devices. Compliance policies are used to compare the configuration, status, or characteristics of a mobile device against a certain baseline and can be used to generate an alert to an Administrator if an anomaly is detected. The MDM Agent facilitates alerting by providing data to the MDM Server on a periodic basis. The Administrator can also request on-demand connectivity status updates through the use of push notifications.
The MDM Server and the MDM Server platform use cryptography provided by the cryptographic algorithms found in the CNG.sys (CMVP certificate #2356) and BCryptPrimitives.dll (CMVP certificate #2357) cryptographic modules for the Windows Server 2012 platform. The MDM Agent relies on the underlying mobile device platform to provide cryptographic services. The cryptography that was validated for iOS (CMVP certificates #2594 and #2827) is what is used by the MDM Agent. The VMware AirWatch MDM uses cryptography to establish TLS and TLS/HTTPS trusted channels and paths to ensure secure communications of data in transit.
Identification and Authentication
The MDM Agent registers with the MDM Server so that it can be enrolled into management by the MDM Server, which requires authentication of the user to the MDM Server. Administrators (through the Admin Console) and users (through the Self-Service Portal) cannot access the MDM Server without being authenticated. The credential can either be a basic username/password defined on the MDM Server or a centrally defined Active Directory/LDAP credential.
The MDM Server interfaces with the underlying Windows Server 2012 platform to provide certificate validation services via Microsoft Authenticode. The MDM Agent also relies on the underlying platform to perform certificate validation. Certificates are used for TLS/HTTPS authentication, code signing for software updates, code signing for integrity verification, and signing of MDM policies.
Administrators use the Admin Console to manage users, policies, and devices, while users use the Self-Service Portal to perform actions related to their own devices. Device enrollment can be initiated by either Administrators or by users. The MDM Server can be used to transmit specific commands to a managed device such as forcibly locking the device, initiating a wipe operation, or sending a push notification. The MDM Server can also define policies (known as profiles) that specify the configuration settings for a device. The MDM Agent is responsible for receiving policy updates and forwarding them to the underlying platform, depending on what function is being managed by the update. Additionally, the MDM Server includes the MAS Server functionality, which provides the ability to grant or deny access to specific applications stored on the MAS Server to devices or groups of devices.
Protection of the TSF
The communications between the MDM Server and MDM Agent, as well as between multiple MDM Server instances, are protected using HTTPS. The TOE verifies the digital signatures of executables and DLLs using Microsoft’s Authenticode, making use of X.509v3 certificates. In addition, the MDM Server uses FIPS validated cryptographic modules which perform their own integrity checks at startup. The TOE performs updates of its software and verifies the digital signatures of the updates prior to installing them.
The TOE displays a pre-authentication banner for the Admin Console and the Self-Service Portal. This can be customized by Administrators to fit the needs of the organization deploying the TOE.
The communication channels between the MDM Server and the device running the MDM Agent, the syslog audit server, the AD/LDAP authentication server and the SQL database server are trusted channels that use TLS or TLS/HTTPS as the protection mechanism, depending on the interface. The MDM Server platform uses TLS/HTTPS to provide a trusted path between itself and remote Administrators (through the Admin Console) and users (through the Self-Service Portal).