The Target of Evaluation (TOE) is Apple iPadOS 18: iPad, which is a series of Apple iPad mobile devices running the iPadOS 18 operating system, a Mobile Device Management (MDM) Agent, VPN client, and WLAN client components, which are included on the mobile devices.
The TOE operating system manages the device hardware, provides MDM Agent functionality, and provides the technologies required to implement native applications. It provides a built-in MDM framework application programmer interface (API), giving management features that may be utilized by external MDM solutions, allowing enterprises to use profiles to control some of the device settings.
\r\nThe TOE operating system provides a consistent set of capabilities allowing the supervision of enrolled devices. This includes the preparation of devices for deployment, the subsequent management of the devices, and the termination of management.
\r\nThe tested version of the TOE is iPadOS 18.3.1 with vulnerabilities patched up to iPadOS 18.7.3.
","evaluation_configuration":"Devices Covered by the Evaluation
\r\n| \r\n Processor \r\n | \r\n\r\n Device Name \r\n | \r\n\r\n Model Number \r\n | \r\n
| \r\n A13 Bionic \r\n | \r\n\r\n iPad 10.2-inch \r\n(9th Gen) \r\n | \r\n\r\n A2602 \r\n | \r\n
| \r\n A2603 \r\n | \r\n||
| \r\n A2604 \r\n | \r\n||
| \r\n A2605 \r\n | \r\n||
| \r\n A14 Bionic \r\n | \r\n\r\n iPad Air \r\n(4th Gen) \r\n | \r\n\r\n A2072 \r\n | \r\n
| \r\n A2316 \r\n | \r\n||
| \r\n A2324 \r\n | \r\n||
| \r\n A2325 \r\n | \r\n||
| \r\n iPad 10.9 inch \r\n(10th Gen) \r\n | \r\n\r\n A2696 \r\n | \r\n|
| \r\n A2757 \r\n | \r\n||
| \r\n A2777 \r\n | \r\n||
| \r\n A15 Bionic \r\n | \r\n\r\n iPad mini \r\n(6th Gen) \r\n | \r\n\r\n A2567 \r\n | \r\n
| \r\n A2568 \r\n | \r\n||
| \r\n A2569 \r\n | \r\n||
| \r\n A17 Pro \r\n | \r\n\r\n iPad mini \r\n(7th Gen) \r\n | \r\n\r\n A2995 \r\n | \r\n
| \r\n A2993 \r\n | \r\n||
| \r\n A2996 \r\n | \r\n||
| \r\n M1 \r\n | \r\n\r\n iPad Pro 11-inch \r\n(3rd Gen) \r\n | \r\n\r\n A2301 \r\n | \r\n
| \r\n A2377 \r\n | \r\n||
| \r\n A2459 \r\n | \r\n||
| \r\n A2460 \r\n | \r\n||
| \r\n iPad Pro 12.9-inch \r\n(5th Gen) \r\n | \r\n\r\n A2378 \r\n | \r\n|
| \r\n A2379 \r\n | \r\n||
| \r\n A2461 \r\n | \r\n||
| \r\n A2462 \r\n | \r\n||
| \r\n iPad Air \r\n(5th Gen) \r\n | \r\n\r\n A2588 \r\n | \r\n|
| \r\n A2589 \r\n | \r\n||
| \r\n A2591 \r\n | \r\n||
| \r\n M2 \r\n | \r\n\r\n iPad Pro 11-inch \r\n(4th Gen) \r\n | \r\n\r\n A2435 \r\n | \r\n
| \r\n A2759 \r\n | \r\n||
| \r\n A2761 \r\n | \r\n||
| \r\n A2762 \r\n | \r\n||
| \r\n iPad Pro 12.9-inch \r\n(6th Gen) \r\n | \r\n\r\n A2436 \r\n | \r\n|
| \r\n A2437 \r\n | \r\n||
| \r\n A2764 \r\n | \r\n||
| \r\n A2766 \r\n | \r\n||
| \r\n M4 \r\n | \r\n\r\n iPad Pro 13-inch (M4) \r\n | \r\n\r\n A2926 \r\n | \r\n
| \r\n A2925 \r\n | \r\n||
| \r\n A3007 \r\n | \r\n||
| \r\n iPad Pro 11-inch (M4) \r\n | \r\n\r\n A2837 \r\n | \r\n|
| \r\n A2836 \r\n | \r\n||
| \r\n A3006 \r\n | \r\n
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the Apple iPadOS 18: iPad TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R5. The evaluation methodology used by the evaluation team to conduct the evaluation was the Common Methodology for Information Technology Security Evaluation, Version 3.1, R5 supplemented by that found in the Protection Profiles cited above. The product, when delivered and configured as specified in the Apple iOS 18: iPhone and Apple iPadOS 18: iPad Common Criteria Configuration Guide document, version 1.1, satisfies all the security functional requirements stated in the Apple iPadOS 18: iPad Security Target, version 1.1. The evaluation was completed in December 2025. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report number CCEVS-VR-VID11624-2025 prepared by CCEVS.
","environmental_strengths":"The TOE provides the ability for responses to be sent from the MDM Device Agent to the MDM Server. These responses are configurable by the organization.
\r\nThe TOE provides cryptographic services via the following cryptographic modules for the encryption of data at rest, for secure communication channels, and for use by applications. In addition, the TOE implements a number of cryptographic protocols that can be used to establish a trusted channel to other IT entities.
\r\nThe TOE protects user data in files using cryptographic functions, ensuring this data remains protected even if the device gets lost or is stolen. Critical data (like passcodes used by apps or application-defined cryptographic keys) can be stored in the keychain, which provides additional protection. Passcode protection and encryption ensure that data at rest remains protected even in the case of the device being lost or stolen.
\r\nThe TOE includes the Secure Enclave Processor (SEP), a separate CPU that executes a stand-alone operating system and has separate memory, provides protection for critical security data such as keys.
\r\nThe TOE protects data such that only the app that owns the data can access it.
\r\nThe TOE provides user authentication using a passcode or biometric (fingerprint or face) except for accessing Medical ID information, answering calls, making emergency calls, using the cameras, flashlight, control center or notification center, viewing widgets in Today View and search.
\r\nThe passcode can be configured for a minimum length, for dedicated passcode policies, and for a maximum lifetime. When entered, passcodes are obscured and the frequency of entering passcodes is limited as well as the number of consecutive failed attempts of entering the passcode.
\r\nThe TOE also enters a locked state after a (configurable) time of user inactivity and the user is required to either enter his passcode or use biometric authentication (fingerprint or face) to unlock the TOE
\r\nExternal entities connecting to the TOE via a secure protocol (e.g., Transport Layer Security (TLS), Extensible Authentication Protocol Transport Layer Security (EAP-TLS), IPsec) can be authenticated using X.509 certificates. The TOE also supports the usage of Post-quantum Preshared Keys in the IKEv2 protocol.
\r\nThe security functions listed in the Security Target can be managed either by the user or by an authorized administrator through a Mobile Device Management (MDM) system. The Security Target identifies the functions that can be managed and indicates if the management can be performed by the user, by the authorized administrator, or both.
\r\nThe TOE implements the following protection of TSF and TSF data:
\r\nThe TSF provides functions to lock the TOE upon request and after an administrator-configurable time of inactivity. Access to the TOE via a wireless network is controlled by user/administrator defined policy.
\r\nTrusted Path/Channels
\r\nThe TOE supports the use of the following cryptographic protocols that define a trusted channel between itself and another trusted IT product:
\r\n