NIAP: U.S. Government Approved Protection Profile - PP-Module for MDM Agent Version 1.0

NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Questions?  We're here to help
  NIAP  »»  Protection Profiles  »»  Approved PPs  »»  Details  
U.S. Government Approved Protection Profile - PP-Module for MDM Agent Version 1.0

Short Name: mod_mdm_agent_v1.0

Technology Type: Mobility

CC Version: 3.1

Date: 2019.04.25

Preceded By: ep_mdm_agent_v3.0

Conformance Claim: None

Protection Profile

Protection Profile [PDF]

Supporting Docs [PDF]

Supporting Docs

PP Configuration for MDM-MDM_AGENT_V1.0 [PDF]

Control Mapping [PDF]

PP Configuration for MDF-MDM_AGENT-VPNC_V1.0  [PDF]

PP Configuration for MDF-MDMA-VPNC-BT_V1.0  [PDF]

PP Configuration for MDF-MDMA-VPNC-BT_V1.1  [PDF]

PP Configuration for MDF-BIO-BT-MDMA-VPNC-WLANC_V1.0  [PDF]

PP Configuration for MDF-BIO-MDMA-VPNC-WLANC_V1.0  [PDF]

PP Configuration for MDF-MDMA-VPNC-WLANC_V1.0  [PDF]

PP Configuration for MDF-BIO-BT-MDMA-WLANC_V1.0  [PDF]



The MDM system consists of two primary components: the MDM Server software and the MDM Agent. This PP-Module specifically addresses the MDM Agent. The MDM Agent establishes a secure connection back to the MDM Server, from which it receives policies to enforce on the mobile device. Optionally, the MDM Agent interacts with the Mobile Application Store (MAS) Server to download and install enterprise-hosted applications.

A compliant MDM Agent is installed on a mobile device as an application (supplied by the developer of the MDM Server software) or is part of the mobile device's OS.This PP-Module builds on either the MDF PP or the MDM PP. A TOE that claims conformance to this PP-Module must also claim conformance to one of those PPs as its Base-PP. A compliant TOE is obligated to implement the functionality required in the Base-PP along with the additional functionality defined in this PP-Module in order to mitigate the threats that are defined by this PP-Module.

This PP-Module shall build on the MDF PP if the TOE is a native part of a mobile operating system. The TOE for this PP-Module combined with the MDF PP is the mobile device itself plus the MDM Agent. If the MDM Agent is part of the mobile device’s OS, the MDM Agent may present multiple interfaces for configuring the mobile device, such as a local interface and a remote interface. Agents conforming to this PP-Module must at least offer an interface with a trusted channel that serves as one piece of an MDM system. Conformant MDM Agents may also offer other interfaces, and the configuration aspects of these additional interfaces are in scope of this PP-Module.

This PP-Module shall build on the MDM Server PP if the TOE is a third-party application that is provided with an MDM Server and installed on a mobile device by the user after acquiring the mobile device. The distributed TOE for this PP-Module combined with the MDM Server PP is the entire MDM environment, which includes both the MDM Server and the MDM Agent. Even though the mobile device itself is not part of the TOE, it is expected to be evaluated against the MDF PP so that its baseline security capabilities can be assumed to be present.

Assigned to the following Validated Products

Active Related Technical Decisions

Archived Related Technical Decision

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.

Site Map              Contact Us              Home