The Target of Evaluation (TOE) is the BlackBerry Unified Endpoint Management (UEM) Server and Android Client version 12.
\r\nThe UEM Server provides centralized management of mobile devices and the UEM Android Client Agent (installed on each android device) enforces the policies of the Server on each android device.
\r\nThe BlackBerry UEM server, including the Core and UI security enforcing components, is implemented with a combination of Java and native code running on Windows Server 2016 with Java JRE 8.0. The UEM Server consists of a number of components. However, only the Core and UI components are included in the TOE for the purpose of evaluation. The other components are either disabled or play no role in any security enforcement.
\r\nThe UEM Server requires a SQL database to operate and can optionally be configured to utilize an LDAP server for user authentication as well as a SYSLOG server to export audit records. Some other components such as Exchange are not included in the scope of evaluation or are not security relevant – the BBR (BlackBerry router) and BlackBerry NOC are network routing components through which UEM Server – client communication travels. They are not security relevant for the purpose of this evaluation since the server-client channels are secured end to end between the TOE components and through the other components. Those other components cannot decrypt or otherwise access information in those secure channels, although they can disrupt or redirect them, like any other components on the Internet.
\r\nThe UEM Android Client is part of the TOE since Android does not have agents of its own. The UEM Server can manage mobile Android devices through interaction with an enrolled UEM Android Client and can alternately manage mobile iOS devices through interaction with the iOS agent developed and evaluated by Apple.
","evaluation_configuration":"The Target of Evaluation (TOE) is the BlackBerry Unified Endpoint Management (UEM) Server and Android Client version 12.
","security_evaluation_summary":"The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.
\r\nThe product, when delivered and configured as identified in the BlackBerry UEM Administrative Guidance Document, UEM Version 12, April 2020, satisfies all of the security functional requirements stated in the BlackBerry UEM Server and Android Client Security Target, Version 0.6, 28 April 2020. The project underwent CCEVS Validator review. The evaluation was completed in April 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11040-2020) prepared by CCEVS.
","environmental_strengths":"The logical boundaries of the UEM Server and Android Client are realized in the security functions that it implements. Each of these security functions is summarized below.
\r\nSecurity audit: The BlackBerry UEM server is designed to generate and export audit events. The audit events are stored in the SQL database and sent to the configured syslog servers as events occur. The BlackBerry UEM server can also generate alerts for specific events – these alerts are sent to administrators as e-mails. The BlackBerry UEM server supports TLS tunneling of syslog messages to protect exported audit records.
\r\nThe BlackBerry UEM Android client is also designed to generate and export audit events. It stores audit events in the platform audit logs which it can retrieve and send to its enrolled BlackBerry UEM server. The BlackBerry UEM server will forward the events to a configured syslog server as the events are received. The BlackBerry UEM Android client can also send required alerts directly to the BlackBerry UEM server which are received, logged as audit events, and treated as administrator alerts.
\r\nCryptographic support: The BlackBerry UEM server uses the Certicom Security Builder GSE-J Crypto Core Module (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3391) for its cryptographic operations. The Certicom Security Builder GSE-J Crypto Core Module provides Cryptographic Algorithm Validation Program (CAVP) certified algorithms for a wide range of cryptographic functions including: asymmetric key generation and establishment, encryption/decryption, and cryptographic hashing and keyed-hash message authentication. These functions are supported with suitable random bit generation, initialization vector generation, secure key storage, and key and protected data destruction. The primitive cryptographic functions are used to implement security communication protocols (TLS and HTTPS) used for communication between the Server and Agent and between the Server and remote administrators.
\r\nThe UEM Android Client uses the cryptographic functions provided by the evaluated mobile devices.
\r\nIdentification and authentication: The BlackBerry UEM server require administrators to login prior to performing any security functions or accessing any services, such as creating an activation password. Similarly, mobile devices must authenticate with the server using an activation password prior to enrolling
\r\nBoth the BlackBerry UEM server and Android client use X.509 certificates in conjunction with TLS to both authenticate and secure remote connections.
\r\nSecurity management: The BlackBerry UEM server facilitates granular administrative access to functions based on roles: server primary administrators, security configuration administrators, device user administrators, auditor, and mobile device users. Administrators access the BlackBerry UEM server via a web-based interface. The BlackBerry UEM server also supports the definition of mobile device users, and upon enrollment each mobile device generates an X.509 certificate used to identify that enrolled device.
\r\nThe BlackBerry UEM server provides all the features necessary to manage its own security functions as well as to manage mobile device policies sent to enrolled mobile devices (via their clients).
\r\nThe BlackBerry UEM Android client provides the features necessary to securely communicate and enroll with the BlackBerry UEM server, apply policies received from the BlackBerry UEM server, and report the results of applying policies.
\r\nProtection of the TSF: The BlackBerry UEM server and Android client work together to ensure that all security related communication between those components is protected from disclosure and modification.
\r\nThe BlackBerry UEM server includes self-testing capabilities to ensure that they are functioning properly as well as to cryptographically verify that their executable images are not corrupted. The UEM server also includes secure update capabilities to ensure the integrity of any updates so that updates will not introduce malicious or other unexpected changes in the TOE.
\r\nTOE access: The BlackBerry UEM server has the capability to display an advisory banner when users attempt to login in order to manage the TOE.
\r\nTrusted path/channels: The BlackBerry UEM server uses TLS/HTTPS to secure communication channels between itself and remote administrators and mobile device users accessing the server via a web-based user interface. It also uses TLS to secure communication channels between itself, enrolled devices, its configured SQL database server, syslog servers, and optionally configured LDAP servers.
\r\nThe following is a summary of applicable secure channels:
\r\n