NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Archived U.S. Government Approved Protection Profile - Protection Profile for Mobile Device Management Version 3.0

Short Name: pp_mdm_v3.0

Technology Type: Mobility

CC Version: 3.1

Date: 2016.11.21

Transition End Date: 2017.05.21

Preceded By: pp_mdm_v2.0

Succeeded By: pp_mdm_v4.0

Sunset Date: 2019.10.25

Conformance Claim: None

Protection Profile [PDF]

DoD Annex [PDF]

Control Mapping [PDF]



The Mobile Device Management (MDM) system consists of two primary components: the MDM Server software and the MDM Agent. Optionally, the MDM system may also include a separate Mobile Application Store (MAS) Server. The MDM system operational environment consists of the mobile device on which the MDM Agent resides, the platform on which the MDM Server runs, and an untrusted wireless network over which they communicate.

The MDM Server is an application on a general-purpose platform or on a network device, executing in a trusted network environment. The MDM Server provides administration of the mobile device policies and reporting on mobile device behavior. The MDM Server is responsible for managing device enrollment, configuring and sending policies to the MDM Agents, collecting reports on device status, and sending commands to the Agents. The platform on which the MDM Server software runs is either a general-purpose platform or a network device.

The MDM Agent establishes a secure connection back to the MDM Server controlled by an enterprise administrator and configures the mobile device per the administrator’s policies. Optionally, the MDM Agent may interact with the MAS Server to download and install enterprise applications. The MDM Agent is addressed in the Extended Package (EP) for MDM Agents. If the MDM Agent is installed on a mobile device as an application developed by the MDM developer, the EP extends this Protection Profile (PP) and is included in the Target of Evaluation (TOE). In this case, the TOE security functionality specified in this PP must be addressed by the MDM Agent in addition to the MDM Server. Otherwise, the MDM Agent is provided by the mobile device vendor and is out of scope of this PP; however, MDMs are required to indicate the mobile platforms supported by the MDM Server and must be tested against the native MDM agent of those platforms.

The MAS Server is an application on a general-purpose platform or on a network device, executing in a trusted network environment. The MAS Server may be separate from or included in the MDM Server. The MAS Server hosts applications for the enterprise, authenticates Agents, and securely transmits applications to enrolled mobile devices.

This U.S. Government Approved Protection Profile is not assigned to any Validated Products


Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).
