NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - VMware Workspace ONE Unified Endpoint Management Version 2209

Certificate Date:  2023.03.07

Validation Report Number:  CCEVS-VR-VID11326-2023

Product Type:  Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:  PP-Module for MDM Agent Version 1.0
                Protection Profile for Mobile Device Management Version 4.0

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: VMware Workspace ONE Unified Endpoint Management Version 2209 Supplemental Administrative Guidance [PDF]

Administrative Guide: Certificate Authority Integrations [PDF]

Administrative Guide: Directory Services [PDF]

Administrative Guide: Upgrade Guide [PDF]

Administrative Guide: Integration with Apple Business Manager [PDF]

Administrative Guide: Installing Workspace ONE UEM [PDF]

Administrative Guide: Console Basics [PDF]


Product Description

VMware Workspace ONE Unified Endpoint Management Version 2209 is a Mobile Device Management product consisting of an MDM Server component (UEM Server) and one or more VMware Intelligent Hub Agent components (iOS Hub Agent and Android Hub Agent). In the evaluated configuration of the TOE, the UEM Server is deployed on-premises. The UEM Server component provides a centralized, enterprise-level management capability for a collection of mobile devices running the iOS and Android Hub Agents. The UEM Server is also a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository that resides within the organization managing the device. The management functionality includes management of Administrators and users, mobile device enrollment, mobile device status, mobile device compliance and policy management, and application management.


Evaluated Configuration

The TOE is VMware Workspace ONE Unified Endpoint Management Version 2209, which comprises the following components, listed with their software versions and purpose:

  • Workspace ONE Unified Endpoint Management 2209 (UEM Server): This satisfies the MDM Server Component of the TOE as it provides an enterprise-level management capability for a collection of mobile devices, including the administration of mobile device policies, reporting on device behavior, and sending commands to the iOS and Android Hub agent(s). This MDM Server Component also provides a Mobile Application Store (MAS) Server that allows managed devices to download apps from a trusted repository.
  • Android Intelligent Hub Agent 22.09 (Android Hub Agent): This satisfies the MDM Agent Component of the TOE. It is a VMware-developed application installed on mobile devices running the Samsung Android 11 operating system, and it uses the Android platform to establish a secure connection back to the UEM Server over which it provides status and policy information about the device.
  • iOS Intelligent Hub Agent 22.11 (iOS Hub Agent): This satisfies the MDM Agent Component of the TOE. It is a VMware-developed application installed on mobile devices running Apple iOS 14 or Apple iPadOS 14. The iOS Hub agent uses the iOS/iPadOS platform to establish a secure connection back to the UEM Server over which the Hub agent and the platform provide status and policy information about the device.

In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:

  • Active Directory / LDAP Server: Identity store that defines users for device enrollment and administrator accounts for access to the Admin Console. In the evaluated configuration, Windows Server 2019 (Version 1809) Active Directory/LDAP Server is used.
  • Apple iOS 14 Mobile Device (VID11146): The MDM Agent Component of the TOE (Hub agent) is an application that is installed on Apple mobile devices running iOS 14 operating systems so that the TOE can provide management functionality to the device.
  • Apple iPadOS 14 Mobile Device (VID11147): The MDM Agent Component of the TOE (Hub agent) is an application that is installed on Apple mobile devices running iPadOS 14 operating systems so that the TOE can provide management functionality to the device.
  • Apple Push Notification Service (APNS) / Apple DEP: APNS is an iOS/iPadOS platform push notification service that enables the UEM Server to notify iOS Hub agents and the iOS/iPadOS platform to connect directly to the UEM Server to retrieve data (e.g. policies). Apple DEP is an online service that automates the enrollment of iOS devices into the TOE in the evaluated configuration.
  • Certification Authority (CA) Server: The MDM Server Component and Android Hub agent of the TOE connect to the CA Server during device enrollment so that the TOE can provide each device with a unique certificate generated by the CA Server. In the evaluated configuration, Windows Server 2019 (Version 1809) Active Directory Certificate Services is used.
  • Firebase Cloud Messaging Service (FCM): FCM is an Android platform push notification service that enables the UEM Server to notify Android Hub agents to connect directly to the UEM Server to retrieve data (e.g. policies).
  • Samsung Android 11 Mobile Device (VID11160): The MDM Agent Component of the TOE (Hub agent) is an application that is installed on mobile devices running Android 11 operating systems so that the TOE can provide management functionality to the device.
  • SQL database: The TOE’s RDBMS database used to store configuration settings and device data. In the evaluated configuration, Microsoft SQL Server 2019 is used.
  • Syslog Server: The MDM Server Component of the TOE connects to the Syslog Server to persistently store audit data for the UEM Server’s own operation as well as the audit data collected from the Hub agent that it manages.
  • Windows Server 2019 (Version 1809): This is the OS that the UEM Server is installed on.
  • Workstation: Any general-purpose computer that is used by an administrator to manage the TOE via the Admin Console and a user to manage their device via the Self-Service Portal. For the TOE to be accessed remotely, the workstation is required to have a browser to access the TOE’s GUI based interfaces.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Workspace ONE Unified Endpoint Management Version 2209 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Workspace ONE Unified Endpoint Management Version 2209 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11326-2023, prepared by CCEVS.


Environmental Strengths

Security Audit

The UEM Server component of the TOE creates audit records for auditable events related to administrative actions, configuration of the UEM Server itself, and server-initiated management activities that affect one or more managed mobile devices. The UEM Server’s MAS Server functionality also generates audit records when it experiences a failure to push or update an application on a managed mobile device. The audit records are stored in an SQL database and are transferred to a remote Syslog Server over a TLS encrypted trusted channel. Audit records can be viewed on the Admin Console.

The UEM Server can issue ‘compliance policies’ to managed mobile devices. Compliance policies are used to compare the configuration, status, or characteristics of a mobile device against a certain baseline and can be used to generate an alert to an Administrator if an anomaly is detected. The Administrator can also request on-demand connectivity status updates through the use of push notifications.

Audit records for the iOS and Android Hub agents are created as long as the underlying mobile device is powered on. The Hub agents generate audit records for the activities they perform as a result of their interactions with the UEM Server or as a result of stored policy information. The Hub agents facilitate alerts by providing data to the UEM Server on a periodic basis; the UEM Server can then analyze this data (or its absence, in the case of periodic reachability events) to determine whether anomalous behavior is occurring.

Communication

Mobile devices running the iOS and Android Hub agents are registered with the UEM Server so that they can be enrolled into management. This requires an Administrator to enable communications between these TOE components by adding the mobile device's identifier to an allow list of devices that are permitted to enroll on the UEM Server. The enrollment process occurs over an HTTPS/TLS trusted channel that is handled by each TOE component's underlying platform. An Administrator can disable communications between an iOS or Android Hub agent and the UEM Server by wiping the Hub agent's mobile device.

Cryptographic Support

The UEM Server invokes the Windows Server 2019 platform for cryptographic services to establish TLS and HTTPS/TLS trusted channels and paths to ensure secure communications of data in transit. This includes the use of RSA and Elliptic Curve Cryptography (ECC) key establishment techniques. The MAS Server is integrated with the UEM Server, so it invokes the same cryptography services. The UEM Server also invokes the Windows Server 2019 platform to digitally sign policies sent to the Hub agents.

The iOS and Android Hub agents invoke their underlying mobile device platforms (Apple iOS 14, Apple iPadOS 14, and Android 11 respectively) for cryptographic services to also establish trusted communications. The iOS Hub agent invokes its underlying platform to verify the digital signatures of all policies received from the UEM Server. The Android Hub agent software contains an OpenSSL library for implementing the digital signature verification of all policies received from the UEM Server.

All cryptographic mechanisms use the platform-provided DRBG functionality of the respective TOE component to support their cryptographic operations. Cryptographic functionality includes encryption/decryption services, credential/key storage, key establishment, key destruction, hashing services, signature services, and hashed message authentication.

The following table lists the CAVP algorithm certificates for the Android Hub agent's digital signature verification functionality, which is implemented by its OpenSSL module.

Table 6: Cryptographic Algorithm Table for the Hub Agents

  SFR                                   Algorithm                     CAVP Cert. # (Android 11)
  FCS_COP.1(2) – Hashing Algorithms     SHA-512                       A3270
  FCS_COP.1(3) – Signature Algorithms   ECDSA with P-521 NIST curve   A3270

Identification and Authentication

The iOS and Android Hub agents register with the UEM Server so that their mobile device can be enrolled into management by the UEM Server. The mobile device user that is performing the enrollment must have a user account on the UEM Server to access the Self-Service Portal and authenticate to the TOE. During the enrollment process, the iOS and Android Hub agents record the UEM Server’s DNS name and full URL with hostname. The iOS and Android Hub agents also receive a unique certificate during enrollment that is used to establish an HTTPS trusted channel with the UEM Server.

Administrators (through the Admin Console) and users (through the Self-Service Portal) cannot access the UEM Server without being authenticated. Administrators and users can view the configured pre-authentication warning banner and query the UEM Server’s software version number prior to authentication.

The UEM Server interfaces with the underlying Windows Server 2019 platform to provide certificate validation services. Certificates are used for HTTPS/TLS authentication, code signing for software updates, code signing for integrity verification, and signing of MDM policies. The iOS and Android Hub agents rely on the underlying platform to perform all certificate validation services, except for policy signing on Android devices which is validated by the Android Hub agent’s implementation of OpenSSL.

Security Management

The TSF provides separate administrative interfaces for Administrators and for mobile device users. Administrators use the Admin Console to manage users, policies, and devices, while mobile device users use the Self-Service Portal to perform actions related to their own devices. The mobile device user installs the TOE's iOS or Android Hub agent on the mobile device, which then communicates with the UEM Server to enroll in management. Once enrolled, the TOE prevents user-directed unenrollment from management.

The UEM Server can be used to transmit specific commands to a managed device such as forcibly locking the device, initiating a wipe operation, or sending a push notification. The UEM Server can also define policies (known as profiles) that specify the configuration settings for a device. These configuration settings can include functionality such as configuration of the password policy and what settings are applied to Wi-Fi connections. The UEM Server transmits iOS policies either to the iOS Hub agent or iOS/iPadOS platform directly, depending on the functionality being configured. The UEM Server transmits Android policies to the Android Hub agent. The UEM Server invokes its underlying platform to sign all policy data using ECDSA with SHA-512. The underlying iOS/iPadOS mobile platform and Android Hub agent will validate the signed policies when they are received.
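The policy-signing mechanism described above (the server signs a SHA-512 digest of each policy with ECDSA on P-521, and the agent verifies that signature against the server key it trusts from enrollment) is shown below as an added example; it is not code from the product or from this NIAP page. In the product the UEM Server invokes its Windows Server 2019 platform and the Android Hub agent its OpenSSL library for these operations; this example uses Go's standard library instead, and the key, the sample policy JSON, and the type and function names are constructed for illustration. It also shows the two failure modes an agent must reject: a policy altered in transit, and a policy signed by a key other than the pinned one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// PolicySigner plays the MDM server role. The P-521 key is generated fresh
// here for illustration only; the product invokes its Windows platform for
// the signing operation rather than holding a key in application code.
type PolicySigner struct {
	key *ecdsa.PrivateKey
}

// NewPolicySigner creates a server-side signer with a fresh P-521 key.
func NewPolicySigner() (*PolicySigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PolicySigner{key: key}, nil
}

// PublicKey is the verification key an agent would pin at enrollment.
func (s *PolicySigner) PublicKey() *ecdsa.PublicKey {
	return &s.key.PublicKey
}

// SignPolicy hashes the serialized policy with SHA-512 and returns an
// ASN.1 DER encoded ECDSA signature over that digest.
func (s *PolicySigner) SignPolicy(policy []byte) ([]byte, error) {
	digest := sha512.Sum512(policy)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// VerifyPolicy is the agent-side check. It recomputes the SHA-512 digest of
// the received policy bytes and verifies the signature against the pinned
// server key. Any change to the policy, any change to the signature, or a
// signature made under a different key yields false, and the agent must
// then discard the policy rather than apply it.
func VerifyPolicy(pinned *ecdsa.PublicKey, policy, sig []byte) bool {
	digest := sha512.Sum512(policy)
	return ecdsa.VerifyASN1(pinned, digest[:], sig)
}

func main() {
	server, err := NewPolicySigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample policy; the product's real profile format is not
	// shown on this page.
	policy := []byte(`{"profile":"passcode","minLength":8,"maxFailedAttempts":10}`)
	sig, err := server.SignPolicy(policy)
	if err != nil {
		panic(err)
	}
	agentPinned := server.PublicKey()
	fmt.Println("genuine policy accepted:", VerifyPolicy(agentPinned, policy, sig))

	// An on-path attacker weakens the policy but cannot produce a new
	// signature without the server's private key.
	tampered := []byte(`{"profile":"passcode","minLength":4,"maxFailedAttempts":10}`)
	fmt.Println("tampered policy accepted:", VerifyPolicy(agentPinned, tampered, sig))

	// A rogue server with its own key cannot satisfy the pinned key either.
	rogue, err := NewPolicySigner()
	if err != nil {
		panic(err)
	}
	rogueSig, err := rogue.SignPolicy(policy)
	if err != nil {
		panic(err)
	}
	fmt.Println("rogue-signed policy accepted:", VerifyPolicy(agentPinned, policy, rogueSig))
}
```

The important design point is that verification is bound to a key the agent already trusts (here, the key handed over at enrollment); verifying against whatever public key arrives alongside the policy would accept the rogue-server case above.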

The UEM Server also includes the MAS Server functionality, which provides the ability to grant or deny access to specific applications stored on the MAS Server to devices or groups of devices. The MAS Server is accessed through the same Admin Console interface as the UEM Server, so the administrative roles defined for both components are the same.

Protection of the TSF

The communications between the UEM Server and iOS and Android Hub agents are protected using HTTPS/TLS which is provided by the underlying platforms of the TOE components.

The UEM Server invokes its platform to verify the digital signatures of executables and DLLs using Microsoft Authenticode, which makes use of X.509v3 certificates. In addition, the UEM Server's platform uses FIPS-validated cryptographic modules that perform their own integrity checks at startup.

The TOE components invoke their underlying platforms to update their software and the platforms will verify the digital signatures of the updates prior to installing them. The TOE components’ software contains third party libraries. The TOE components use only documented APIs from their underlying platforms.

TOE Access

The UEM Server displays a pre-authentication banner for the Admin Console and the Self-Service Portal. This can be customized by Administrators to fit the needs of the organization deploying the TOE.

Trusted Path/Channels

The trusted communication channels between the UEM Server and the devices running the iOS and Android Hub agents, the Syslog Server, and the AD/LDAP Server make use of TLS or HTTPS/TLS, depending on the interface. The trusted communication channels are provided by the TOE components’ underlying platforms.

The UEM Server platform uses HTTPS/TLS to provide a trusted path between itself and remote Administrators through the Admin Console and mobile device users through the Self-Service Portal as well as during the enrollment of a mobile device.


Vendor Information


VMware
Vann Nguyen
1-877-486-9273
vann@vmware.com

www.vmware.com