|
Feature
|
Impact Analysis
|
|
Certificate pinning to prevent Man-in-the-middle attacks
|
While this is a new security feature, it only serves to potentially add to and not otherwise impact the claimed and evaluated security function related to TLS X509 requirements. This function is not enabled by default and requires explicit administrator action to enable. Using this new function in addition to the evaluated function does not impact the evaluated function and as such should not be disallowed in an evaluated configuration, although it has not been evaluated or tested by a third party and cannot be claimed as evaluated and caution should be exercised.
|
|
Certificate pinning options now available from Certificate Management page
|
This is the user interface for the preceding function and only serves to present an additional configuration option and as such does not impact any evaluated security claims.
|
|
Support for mutual authentication between Core and Sentry
|
Sentry is an optional, non-evaluated component. As such, adding additional security for its communication channel does not impact any evaluated security claims.
|
|
Support for IdP-based device registrations
|
DEP is an optional enrollment method in the evaluated configuration. This additional feature provides a method to introduce additional information and checks for iOS enrollment via DEP, but does not otherwise affect the enrollment method (that is really controlled by Apple) and does not impact any evaluated security claims.
|
|
Export to CSV Installed Apps (App Inventory) Search Results
|
This is an added feature to export search results in CSV form. This does not impact any evaluated security claims.
|
|
Weaker SSH algorithms removed from Core in favor of stronger ones
|
This change removed by default not-allowed algorithms for SSH, however, SSH was not included in scope of the evaluation and as such this does not impact any evaluated security claims.
|
|
New option to upload Certificate Authority chain for SCEP enrollment configurations
|
The evaluated TOE supports acting as a root CA or an intermediate CA. This change allows an explicit certificate chain to be configured when multiple options are available from a specific SCEP CA. However, device certificates are still issued from the configured CA certificate and the verification of those certificates is unchanged from the evaluation, so this does not impact any evaluated security claims.
|
|
Support for Entrust API version 11
|
Interoperation with Entrust was not a subject of the evaluation and as such this does not impact any evaluated security claims.
|
|
Support for bridging old and new client mutual authentication CA certificates
|
The process of changing a CA certificate was not a subject of the evaluation of the server. As such, this is a new optional feature that is not evaluated and does not have to be used and as such does not impact any evaluated security claims.
|
|
Core support for Splunk Heavy Forwarder mutual authentication
|
Splunk features were not a subject of the evaluation and as such this does not impact any evaluated security claims.
|
|
New customization options for the self-service user portal (SSP)
|
These new settings basically allow an administrator to suppress things on the user pages to customize that portal. This portal was not considered security relevant during the evaluation and is not related to any security claims and as such does not impact any evaluated security claims.
|
|
Support for Sentry-to-Core TFE mutual authentication
|
Sentry is an optional, non-evaluated component. As such, adding additional security for its communication channel does not impact any evaluated security claims.
|
|
Administrators can copy existing managed app configuration settings and download updates
|
This change affects the managed app administrator interface. It provides additional options to copy and edit app configurations, but does not serve to affect any evaluated security claims.
|
|
Support for Private DNS
|
This change serves to provide additional DNS configuration support that is not among the evaluated management claims and as such does not serve to affect any evaluated security claims.
|
|
Android File Transfer Configuration
|
This change serves to provide additional File Transfer support that is not among the evaluated management claims and as such does not serve to affect any evaluated security claims.
|
|
Android Bulk Enrollment
|
Enrollment tokens were not a subject of the evaluation so this change does not impact any evaluated security claims.
|
|
Support for pushing OS software to multiple devices
|
This change allows multiple devices to be selected for updates rather than a single device at a time. The same function is implemented iteratively for all devices and as such this does not affect the underlying evaluated function so this change does not impact any evaluated security claims.
|
|
Samsung Firmware E-FOTA decommissioned
|
This change is related to a feature that was not part of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Samsung Knox Dual Encryption (DualDAR)
|
This change is related to a feature that was not part of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Ability to set apps to the foreground in devices
|
This change is related to a feature that was not part of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Android: Support for Common Criteria (CC) mode extended to Android 11+ devices
|
This change is related to new feature support not originally in the evaluated devices and as such does not serve to affect any evaluated security claims. There was a specific change to add support for a Google API. Note that the evaluation only claims evaluated Samsung devices and iOS devices so this Google API is outside the scope of the evaluation.
|
|
End of support for Android 5.0 and Android 5.1
|
This change is related to devices that predate any claimed in the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Google official device admin deprecation
|
This change is related to a feature that was not part of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Corporate wallpaper for Android devices
|
This change is related to a feature that was not a subject of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Account-driven Apple User Enrollment
|
This change is related to an optional enrollment method that was not included in the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Unregistered devices can now redirect to Core from Office 365
|
This change is related to an optional enrollment method that was not addressed in the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Enable app restrictions for all supported devices
|
This change is related to a feature that was not a subject of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Android Enterprise Enable Single App Kiosk added to pin a single app to device screen
|
This change is related to a feature that was not a subject of the evaluation and as such does not serve to affect any evaluated security claims.
|
|
Windows registration configurations enabled upon upgrade
|
Management of Windows devices was not included in the evaluation and as such this change does not serve to affect any evaluated security claims.
|
![[PDF]](/assets/images/icon_pdf.gif){kind=icon}
Validation Report