NIAP: Compliant Product
Compliant Product - MobileIron Platform 11

Certificate Date:  2021.09.01

Validation Report Number:  CCEVS-VR-VID11196-2021

Product Type:    Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:    PP-Module for MDM Agent Version 1.0
  Functional Package for TLS Version 1.1
  Protection Profile for Mobile Device Management Version 4.0

CC Testing Lab:  Gossamer Security Solutions

Maintenance Release:
CC Certificate [PDF]

Security Target [PDF] *

Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


* This is the Security Target (ST) associated with the latest Maintenance Release.

Product Description

The TOE is the MobileIron Platform composed of the following components:

- MobileIron Core, Version 11

- MobileIron Client – Mobile@Work for Android, Version 11

The TOE is an MDM solution in which the claimed security functions are implemented in a central MDM server (MobileIron Core) and in distributed MDM agents (MobileIron Client).

MobileIron Core (http://www.mobileiron.com/en/products/core) integrates with backend enterprise IT systems and enables IT to define security and management policies for mobile apps, content and devices independent of the operating system. MobileIron Core provides mobile device (Android and iOS), application, and content management.

- Mobile device management capabilities are the primary focus of this evaluation. They enable IT to securely manage mobile devices across mobile operating systems and provide secure corporate email, automatic device configuration, certificate-based security, and selective wiping of enterprise data from both corporate-owned and user-owned devices.

- Mobile application management capabilities are a secondary focus of this evaluation. They help IT manage the entire application lifecycle, from making applications available in the enterprise app storefront and facilitating their deployment to mobile devices, to retiring applications as necessary.

MobileIron Client – also known as Mobile@Work for Android – is an app downloaded by end users onto their mobile devices. It configures the device to function in an enterprise environment by enforcing the configuration and security policies set by the IT department. Once installed, it creates a secure MobileIron container to protect enterprise data and applications.

- The MobileIron Client works with MobileIron Core to configure corporate email, Wi-Fi, VPN, and security certificates and to create a clear separation between personal and business information. This allows IT to selectively wipe only the enterprise data on the device if the user leaves, if the device falls out of compliance, or if the device is lost.

Note that MobileIron also distributes a Mobile@Work for iOS application; however, given restrictions on the associated Apple iOS mobile devices, it is incapable of implementing the required MDM agent security functions. Mobile@Work for iOS is an optional component that serves only to direct the built-in iOS MDM agent to the MobileIron Core MDM server for enrollment. As such, this component does not implement any security functions. Mobile@Work for iOS is not required to enroll an iOS device with the MobileIron Core MDM server: the Safari browser built into iOS devices can be used to enroll with the MobileIron Core MDM server with no other application support.


Evaluated Configuration

The TOE is the MobileIron Platform composed of the following components:

- MobileIron Core, Version 11

- MobileIron Client – Mobile@Work for Android, Version 11

MobileIron Core:

MobileIron Core is a server based on the CentOS 7.6 Linux operating system (OS) with Apache 2.4 (or later) that runs on an Intel x64 architecture server platform. MobileIron supports running MobileIron Core as a virtual deployment in VMware ESXi (6.5, 6.7 or 7.0).

MobileIron Core can optionally be configured to utilize an external LDAP server via a secure TLS channel to authenticate users.

MobileIron Client:

MobileIron Client consists of apps deployed on Android mobile devices. NIAP requires that MDM agents be installed on NIAP-evaluated mobile devices in order to be evaluated against MOD-MDMA10. At present there are a number of evaluated Samsung Galaxy Android devices running Android 10 or 11 that can be used with the Android version of the MDM Agent:

- (NIAP VID 11042, https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11042) Samsung Galaxy Devices on Android 10: Samsung Galaxy S20

- (NIAP VID 11109, https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11109) Samsung Galaxy Devices on Android 10: Samsung Galaxy A71

- (NIAP VID 11160, https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11160) Samsung Galaxy Devices on Android 11

MobileIron Core can also manage devices using the iOS MDM agent developed and evaluated by Apple Inc.; that agent has been evaluated on Apple iPad and iPhone mobile devices running iOS 13 (NIAP VID 11036).


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the MobileIron Core and Android and iOS Client Mobile Device Management Protection Profile Guide 11, August 2021, satisfies all of the security functional requirements stated in the MobileIron Platform 11 Security Target, Version 0.6, August 31, 2021. The project underwent CCEVS Validator review. The evaluation was completed in September 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11196-2021) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the MobileIron Platform are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The MDM Server can generate and store audit records for security-relevant events as they occur. These events are stored and protected by the MDM Server and can be reviewed by an authorized administrator. The MDM Server can be configured to export the audit records in CSV (comma-separated values) format, text format, or a compressed archive format, using TLS to protect the records on the network. The MDM Server also supports the ability to query information about MDM agents and to export MDM configuration information.

The MDM Agent can generate audit records for security-relevant events and includes the ability to indicate (i.e., respond) when it has been enrolled and when policies are successfully applied to the MDM Agent. The MDM Server can be configured to alert an administrator based on its configuration. For example, it can be configured to alert the administrator when a policy update fails or an MDM Agent has been enrolled.

Cryptographic support:

The MDM Server and MDM Agent both include and/or utilize cryptographic modules with certified algorithms for a wide range of cryptographic functions including: asymmetric key generation and establishment, encryption/decryption, cryptographic hashing and keyed-hash message authentication. These functions are supported with suitable random bit generation, initialization vector generation, secure key storage, and key and protected data destruction.

The primitive cryptographic functions are used to implement secure communication protocols: TLS and HTTPS are used for communication between the MDM Server and MDM Agent and between the MDM Server and remote administrators.

Identification and authentication:

The MDM Server requires mobile device users (MD users) and administrators to be authenticated prior to allowing any security-related functions to be performed. This includes MD users enrolling their device in the MDM Server using a corresponding MDM Agent as well as an administrator logging on to manage the MDM Server configuration, MDM policies for mobile devices, etc.

In addition, both the MDM Server and MDM Agent utilize X.509 certificates, including certificate validation checking, in conjunction with TLS to secure communications between the MDM Server and MDM Agents as well as between the MDM Server and administrators using a web-based user interface for remote administrative access.

Security management:

The MDM Server is designed to include at least two distinct user roles: administrator and mobile device user (MD user). The former interacts directly with the MDM Server, while the latter is the user of a mobile device hosting an MDM Agent. The MDM Server further supports fine-grained assignment of roles (access to management functions) to defined users, allowing the definition of multiple user and administrator roles with different capabilities and responsibilities.

The MDM Server provides all the functions necessary to manage its own security functions as well as to manage the mobile device policies that are sent to MDM Agents. In addition, the MDM Server ensures that security management functions are limited to authorized administrators, while allowing MD users to perform only necessary functions such as enrolling in the MDM Server.

The MDM Agents provide the functions necessary to securely communicate with and enroll in an MDM Server, implement policies received from the enrolled MDM Server, and report the results of applying those policies.

Protection of the TSF:

The MDM Server and MDM Agent work together to ensure that all security-related communication between those components is protected from disclosure and modification.

Both the MDM Server and MDM Agent include self-testing capabilities to ensure that they are functioning properly. The MDM Server also has the ability to cryptographically verify during start-up that its executable image has not been corrupted.

The MDM Server also includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that updates do not introduce malicious or other unexpected changes to the TOE.

TOE access:

The MDM Server has the capability to display an advisory banner when users attempt to log in to manage the TOE using the web-based and command-line based user interfaces.

Trusted path/channels:

The MDM Server uses TLS/HTTPS to secure communication channels between itself and remote administrators accessing the TOE via a web-based user interface.

The MDM Server can optionally be configured to use TLS to communicate with an LDAP server for user authentication.

It also uses TLS to secure communication channels between itself and mobile device users (MD users). In this latter case, the protected communication channel is established between the MDM Server and applicable MDM Agent on the user’s mobile device.

In addition, the MDM Server implements a restricted shell (CLISH), accessible via SSH, that provides access to low-level management functions.


Vendor Information


MobileIron, an Ivanti Company
Glen Beasley
415-439-9840
glen.beasley@ivanti.com

www.mobileiron.com