{"product_id":11298,"v_id":11298,"product_name":"Microsoft Intune","certification_status":"Certified","certification_date":"2024-12-31T00:00:00Z","tech_type":"Mobility","vendor_id":{"name":"Microsoft Corporation","website":"https://www.microsoft.com"},"vendor_poc":"Michael Grimm","vendor_phone":"425-703-5683","vendor_email":"mgrimm@microsoft.com","assigned_lab":{"cctl_name":"Lightship Security USA, Inc."},"product_description":"<p><span style=\"font-size: 12.0pt; font-family: 'Times New Roman', serif; color: black;\">Microsoft Intune is a mobile device management system that includes MDM Server and Mobile Application Store (MAS) functionality. The Microsoft Company Portal app provides the MDM agent for Android devices.</span></p>","evaluation_configuration":"<p style=\"margin: 6pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Administrators can control how their organization&rsquo;s mobile devices are used and configure policies that govern the applications installed on those devices.&nbsp;Intune is offered as a single, continuously updated service version with rolling feature enhancements; the evaluated service is located at the URL given in section 1.2 of the Security Target. Intune is part of Microsoft's Enterprise Mobility + Security (EMS) suite.</p>\r\n<p><span style=\"font-size: 12.0pt; font-family: 'Times New Roman', serif;\">The Microsoft Intune Company Portal is a mobile device management agent.</span></p>","security_evaluation_summary":"<p><span style=\"font-size: 10.0pt; font-family: Times, serif;\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Microsoft Intune was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Rev. 5. 
The product, when configured as identified in the <em><span style=\"font-size: 12.0pt; font-family: 'Times New Roman', serif;\">Operational and Administrative Guidance Microsoft Intune</span></em>, satisfies all of the security functional requirements stated in the <em>Microsoft Intune Security Target</em>. The project underwent CCEVS Validator review. The evaluation was completed in December 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.</span></p>","environmental_strengths":"<h3 style=\"margin: 12pt 0in 3pt 0.55in; text-indent: -0.3in; break-after: avoid; font-size: 12pt; font-family: 'Times New Roman Bold', serif;\">Security Audit</h3>\r\n<p style=\"margin: 6pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Microsoft Intune can generate, review, protect, and restrict access to audit and event logs as required by the MDM PP and MDM Agent PP-Module.&nbsp; Each audit record includes the date and time of the event, the identity of the user that caused the event, and other event-specific data.&nbsp; Authorized administrators can review, search, and sort audit records via the Microsoft Intune Admin Center console or via the Microsoft Graph API. In the context of this evaluation, the protection profile requirements cover generating audit events, which events must be audited, and providing secure storage for audit event entries. 
</p>\r\n<h3 style=\"margin: 12pt 0in 3pt 0.55in; text-indent: -0.3in; break-after: avoid; font-size: 12pt; font-family: 'Times New Roman Bold', serif;\">Cryptographic Support</h3>\r\n<p style=\"margin: 6pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Microsoft Intune provides cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement, and random number generation. The TOE additionally supports X.509 certificates, including certificate validation. Certificates are issued during device enrollment and are used for authentication and for protecting both user and system data in transit.</p>\r\n<h3 style=\"margin: 12pt 0in 3pt 0.55in; text-indent: -0.3in; break-after: avoid; font-size: 12pt; font-family: 'Times New Roman Bold', serif;\">Identification and Authentication</h3>\r\n<p style=\"margin: 6pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Each Microsoft Intune administrator must be identified and authenticated, according to administrator-defined policy, before performing any TSF-mediated function.&nbsp; An interactive user invokes a trusted path to protect their identity and credentials.&nbsp; Microsoft Intune maintains databases of accounts, including their identities, authentication information, group associations, and administrative privileges. Microsoft Intune can use, store, and protect the X.509 certificates issued to mobile devices. 
Communications between a mobile device and Intune are protected by authenticated TLS sessions.</p>\r\n<h3 style=\"margin: 12pt 0in 3pt 0.55in; text-indent: -0.3in; break-after: avoid; font-size: 12pt; font-family: 'Times New Roman Bold', serif;\">Security Management</h3>\r\n<p style=\"margin: 6pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Microsoft Intune includes several functions to manage security policies on registered devices.&nbsp; Microsoft Intune MDM policy functions include the ability to define the minimum password length, the number of failed logon attempts, the duration of lockout, and password age. MDM policy management is available to Intune administrators who have sufficient permissions or are members of an applicable role-based group, as described in FMT_SMR.1. Successfully enrolled devices are issued an X.509 certificate that is used for identification and authentication.</p>\r\n<h3 style=\"margin: 12pt 0in 3pt 0.55in; text-indent: -0.3in; break-after: avoid; font-size: 12pt; font-family: 'Times New Roman Bold', serif;\">Protection of the TOE Security Functions</h3>\r\n<p style=\"margin: 6pt 0in; font-size: 12pt; font-family: 'Times New Roman', serif;\">Microsoft Intune provides several features to protect the TOE security functions. Intune protects against unauthorized data disclosure and modification by requiring authenticated TLS sessions between registered devices and Intune. 
All Intune components employ self-testing features on start-up that ensure the integrity of executable code and any cryptographic functions.</p>\r\n<h3 style=\"margin: 12pt 0in 3pt 0.55in; text-indent: -0.3in; break-after: avoid; font-size: 12pt; font-family: 'Times New Roman Bold', serif;\">Trusted Path/Channels for Communications</h3>\r\n<p><span style=\"font-size: 12.0pt; font-family: 'Times New Roman', serif;\">Microsoft Intune uses TLS and HTTPS to provide a trusted path for communications 
between Intune and remote administrators as well as registered devices. The trusted paths and channels provided by Intune include the Microsoft Intune Admin Center for administrator use over HTTPS, and an X.509-authenticated TLS channel for device enrollment and ongoing policy updates.</span></p>","features":[{"id":2007,"feature_name":"Asymmetric Key Generation"},{"id":2003,"feature_name":"Auditing"},{"id":2000,"feature_name":"Certificate Authentication"},{"id":1999,"feature_name":"Certificate Validation"},{"id":2009,"feature_name":"Cryptographic Hashing"},{"id":2008,"feature_name":"Cryptographic Key Establishment"},{"id":2010,"feature_name":"Cryptographic Signature Generation"},{"id":4001,"feature_name":"Cryptographic Signature Verification"},{"id":1998,"feature_name":"DRBG"},{"id":2006,"feature_name":"HTTPS Client"},{"id":2004,"feature_name":"Key Destruction"},{"id":2011,"feature_name":"Keyed-hash message authentication"},{"id":2005,"feature_name":"MDM-Agent"},{"id":1989,"feature_name":"Mobile Application Management"},{"id":1988,"feature_name":"Mobile Content Management"},{"id":1984,"feature_name":"Mobile Device Management"}]}
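The Security Audit section above says each audit record carries the event's date and time, the identity of the user that caused it, and event-specific data, and that administrators can review, search and sort those records through the Admin Center or the Graph API; the Security Management section names the password length, failed-logon, lockout and password-age settings an administrator can change. The following is an added example, not code from the evaluation record, from Microsoft, or from the TOE: it takes one page of audit events, checks that every record actually carries the elements the audit requirement names, and surfaces the records a reviewer would look at first (malformed records, failed operations, and changes to password policy settings). The sample page is constructed; its field names are assumed to follow the Microsoft Graph auditEvent resource returned by deviceManagement/auditEvents, and the property names inside modifiedProperties are invented.

```python
"""Review of Intune-style audit records (added example, not the product's code)."""
import json
from datetime import datetime, timezone

# Constructed sample page: invented values, not real tenant data. Field names are
# assumed to follow the Graph auditEvent resource (activityDateTime, actor.*,
# activityResult, resources[].modifiedProperties); property names are invented.
SAMPLE_PAGE = json.dumps({"value": [
    {"id": "evt-0001", "activityType": "Patch DeviceConfiguration",
     "activityDateTime": "2024-11-04T09:15:22.410Z", "activityResult": "Success",
     "actor": {"auditActorType": "ItPro", "userPrincipalName": "admin@example.test"},
     "resources": [{"displayName": "Android baseline", "resourceId": "cfg-42",
                    "modifiedProperties": [
                        {"displayName": "PasswordMinimumLength", "oldValue": "6", "newValue": "12"},
                        {"displayName": "PasswordExpirationDays", "oldValue": "365", "newValue": "90"}]}]},
    {"id": "evt-0002", "activityType": "Delete ManagedDevice",
     "activityDateTime": "2024-11-04T08:02:10Z", "activityResult": "Success",
     "actor": {"auditActorType": "Application", "applicationDisplayName": "Graph client"},
     "resources": [{"displayName": "ANDROID-7F3A", "resourceId": "dev-7f3a"}]},
    {"id": "evt-0003", "activityType": "Create DeviceCompliancePolicy",
     "activityDateTime": "2024-11-04T10:40:00Z", "activityResult": "Failure",
     "actor": {"auditActorType": "ItPro", "userPrincipalName": "helpdesk@example.test"},
     "resources": []},
    {"id": "evt-0004", "activityType": "Patch DeviceConfiguration",   # malformed: no time, no actor
     "activityResult": "Success", "actor": {}, "resources": []},
]})

# Elements the Security Audit section says every record carries.
REQUIRED_FIELDS = ("activityDateTime", "actor", "activityType", "activityResult")


def parse_page(page_json):
    """Events from one page of a Graph-style collection response."""
    return json.loads(page_json).get("value", [])


def actor_identity(event):
    """The identity that caused the event: a user UPN, or the application when no user acted."""
    actor = event.get("actor") or {}
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName")


def missing_fields(event):
    """Names of the required audit elements this record lacks (empty if complete)."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if "actor" not in missing and not actor_identity(event):
        missing.append("actor identity")
    return missing


def changed_properties(event):
    """(resource, property, old, new) for each modified property in the record."""
    out = []
    for res in event.get("resources") or []:
        for prop in res.get("modifiedProperties") or []:
            out.append((res.get("displayName"), prop.get("displayName"),
                        prop.get("oldValue"), prop.get("newValue")))
    return out


def normalize(event):
    """Flatten a complete record into the fields a reviewer sorts and searches on."""
    ts = datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))
    return {"id": event.get("id"), "time": ts.astimezone(timezone.utc),
            "actor": actor_identity(event) or "<unknown>",
            "activity": event.get("activityType"),
            "result": event.get("activityResult"),
            "changes": changed_properties(event)}


def triage(page_json):
    """Split a page into malformed records, failed operations, password-policy
    changes, and the time-ordered ids of the records that passed the checks."""
    invalid, failures, pw_changes, valid = [], [], [], []
    for event in parse_page(page_json):
        gaps = missing_fields(event)
        if gaps:  # a record without a time or an actor cannot be attributed
            invalid.append((event.get("id"), gaps))
            continue
        rec = normalize(event)
        valid.append(rec)
        if rec["result"] != "Success":
            failures.append(rec["id"])
        # Password length, lockout and age are the policy parameters the Security
        # Management section names; match them by property name.
        if any("password" in (prop or "").lower() for _, prop, _, _ in rec["changes"]):
            pw_changes.append(rec["id"])
    valid.sort(key=lambda r: r["time"])
    return {"invalid": invalid, "failures": failures,
            "password_policy_changes": pw_changes,
            "timeline": [r["id"] for r in valid]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Records that fail `missing_fields` are reported separately rather than dropped, because a record that cannot be attributed to a time and an actor is itself a finding against the audit requirement; the rest are sorted by timestamp so the admin-side review matches what the Admin Center or a Graph query would present.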