NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
U.S. Government Approved Protection Profile - Protection Profile for Mobile Device Management Version 4.0
Short Name: pp_mdm_v4.0
Technology Type: Mobility
CC Version: 3.1
Date: 2019.04.25
Preceded By: pp_mdm_v3.0
Conformance Claim: None
Protection Profile
Control Mapping
PP OVERVIEW
The MDM Server is software (an application, service, etc.) on a general-purpose platform, a network device, or cloud architecture executing in a trusted network environment. The MDM Server provides administration of the mobile device policies and reporting on mobile device behavior. The MDM Server is responsible for managing device enrollment, configuring and sending policies to the MDM Agents, collecting reports on device status, and sending commands to the Agents. The MDM Server may be standalone or distributed, where a distributed TOE is one that requires multiple distinct components to operate as a logical whole in order to fulfill the requirements of this PP.
The MDM Agent establishes a secure connection back to the MDM Server controlled by an enterprise administrator and configures the mobile device per the administrator's policies. The MDM Agent is addressed in the PP-Module for MDM Agent. If the MDM Agent is installed on a mobile device as an application developed by the MDM developer, it extends this PP and is included in the TOE. In this case, the TOE security functionality specified in this PP must be addressed by the MDM Agent in addition to the MDM Server. Otherwise, the MDM Agent is provided by the mobile device vendor and is out of scope of this PP; however, MDMs are required to indicate the mobile platforms supported by the MDM Server and must be tested against the native MDM agent of those platforms.
The Mobile Application Store (MAS) hosts applications for the enterprise, authenticates Agents, and securely transmits applications to enrolled mobile devices. The MAS functionality can be included as part of the MDM Server Software or can be logically distinct. If the MAS functionality is on a physically separate server, then the TOE is distributed with the MDM Server and MAS Server being separate components.
Assigned to the following Validated Products
Active Related Technical Decisions
- 0844 – Addition of Assurance Package for Flaw Remediation V1.0 Conformance Claim
  References: Conformance Claims
- 0784 – Terminology Change in MDMPP: Extended to Functional Package
  References: Common Criteria Terms, Conformance Claims, FIA_X509_EXT.2.1, FTP_ITC.1.1(1), FTP_TRP.1.1(1), FTP_TRP.1.3(1), FPT_ITT.1.1(1)
- 0754 – MDM Policy Authenticity
  References: FMT_POL_EXT.1, FIA_CLI_EXT.1, FIA_TOK_EXT.1, FIA_X509_EXT.5
- 0650 – Conformance claim sections updated to allow for MOD_VPNC_V2.3 and 2.4
- 0641 – Alternative revocation checking for MDM
  References: FIA_X509_EXT.1(1)
- 0629 – Audit Events for Startup and Shutdown
  References: FAU_GEN.1.1(1)
- 0616 – MDM PP Use Case Mappings
- 0600 – Conformance claim sections updated to allow for MOD_VPNC_V2.3
- 0594 – Distributed TOE tests in FCO_CPC_EXT.1.3
  References: FCO_CPC_EXT.1.3
- 0552 – SFR Rationale and Implicitly Satisfied SFRs
  References: Section 6 and Appendix I
- 0479 – FMT_SMF.1(1) Reliance on MDF Evals
- 0462 – MDM Distributed TOE: Registration Channel Updates
  References: Section 3.1; FCO_CPC_EXT.1
- 0461 – Security Audit for Distributed TOEs
  References: Section 6.2.2, Bullet 2
- 0438 – TST and TUD on the MDM Agent
  References: FPT_TST_EXT.1, FPT_TUD_EXT.1
Archived Related Technical Decisions