PP-Module for MDM Agents
Version: 1.0, 2019-04-25
National Information Assurance Partnership
Revision History
Version  Date        Comment
1.0      2013-10-21  Initial Release
1.1      2014-02-07  Typographical changes and clarifications to front-matter
2.0      2014-12-31  Separation of MDM Agent SFRs. Updated cryptography, protocol, X.509 requirements. Added objective requirement for Agent audit storage. New requirement for unenrollment prevention. Initial Release of MDM Agent EP.
3.0      2016-11-21  Updates to align with Technical Decisions. Added requirements to support BYOD use case.
4.0      2019-03-01  Convert to PP-Module.
Contents
1 Introduction
1.1 Overview
1.2 Terms
1.2.1 Common Criteria Terms
1.2.2 Technical Terms
1.3 Compliant Targets of Evaluation
1.3.1 TOE Boundary
1.4 Use Cases
2 Conformance Claims
3 Security Problem Description
3.1 Threats
3.2 Assumptions
3.3 Organizational Security Policies
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
4.3 Security Objectives Rationale
5 Security Requirements
5.1 MDF PP Security Functional Requirements Direction
5.1.1 Modified SFRs
5.1.2 Additional SFRs
5.1.2.1 Cryptographic Support (FCS)
5.1.2.2 Trusted Path/Channels (FTP)
5.2 MDM PP Security Functional Requirements Direction
5.2.1 Modified SFRs
5.2.2 Additional SFRs
5.2.2.1 Cryptographic Support (FCS)
5.3 TOE Security Functional Requirements
5.3.1 Security Audit (FAU)
5.3.2 Identification and Authentication (FIA)
5.3.3 Security Management (FMT)
5.4 TOE Security Functional Requirements Rationale
6 Consistency Rationale
6.1 Mobile Device Fundamentals Protection Profile
6.1.1 Consistency of TOE Type
6.1.2 Consistency of Security Problem Definition
6.1.3 Consistency of Objectives
6.1.4 Consistency of Requirements
6.2 Mobile Device Management Protection Profile
6.2.1 Consistency of TOE Type
6.2.2 Consistency of Security Problem Definition
6.2.3 Consistency of Objectives
6.2.4 Consistency of Requirements
Appendix A - Optional SFRs
Appendix B - Selection-based SFRs
Appendix C - Objective SFRs
Appendix D - Extended Component Definitions
D.1 Background and Scope
D.2 Extended Component Definitions
Appendix E - Use Case Templates
Appendix F - Bibliography
Appendix G - Acronyms
1 Introduction
1.1 Overview
The scope of the MDM Agent PP-Module is to describe the security functionality of a Mobile Device Management (MDM) Agent in terms of [CC] and to define functional and assurance requirements for such products. This PP-Module is intended for use with the following Base-PPs:
Mobile Device Management (MDM) Protection Profile, Version 4.0
Mobile Device Fundamentals (MDF) Protection Profile, Version 3.1
These Base-PPs are valid because an MDM Agent is either a third-party application manufactured by the MDM Server vendor or is a native application deployed on a mobile device.
1.2 Terms
The following sections list Common Criteria and technology terms used in this document.
1.2.1 Common Criteria Terms
Assurance: Grounds for confidence that a TOE meets the SFRs [CC].
Base Protection Profile (Base-PP): Protection Profile used to build a PP-Configuration.
Common Criteria (CC): Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).
Common Criteria Testing Laboratory: Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.
Common Evaluation Methodology (CEM): Common Evaluation Methodology for Information Technology Security Evaluation.
Distributed TOE: A TOE composed of multiple components operating as a logical whole.
Operational Environment (OE): Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.
Protection Profile (PP): An implementation-independent set of security requirements for a category of products.
Protection Profile Configuration (PP-Configuration): A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.
Protection Profile Module (PP-Module): An implementation-independent statement of security needs for a TOE type complementary to one or more Base Protection Profiles.
Security Assurance Requirement (SAR): A requirement to assure the security of the TOE.
Security Functional Requirement (SFR): A requirement for security enforcement by the TOE.
Security Target (ST): A set of implementation-dependent security requirements for a specific product.
TOE Security Functionality (TSF): The security functionality of the product under evaluation.
TOE Summary Specification (TSS): A description of how a TOE satisfies the SFRs in an ST.
Target of Evaluation (TOE): The product under evaluation.
1.2.2 Technical Terms
Administrator: The person who is responsible for management activities, including setting the policy that is applied by the enterprise on the mobile device.
Enrolled State: The state in which a mobile device is managed by a policy from an MDM.
Mobile Application Store (MAS): Mobile Application Store.
Mobile Device Management (MDM): Mobile Device Management.
Mobile Device User: The person who uses and is held responsible for a mobile device.
Operating System: Software which runs at the highest privilege level and can directly control hardware resources. Modern mobile devices typically have at least two primary operating systems: one which runs on the cellular baseband processor and one which runs on the application processor. The platform of the application processor handles most user interaction and provides the execution environment for apps. The platform of the cellular baseband processor handles communications with the cellular network and may control other peripherals. The term OS, without context, may be assumed to refer to the platform of the application
Unenrolled State: The state in which a mobile device is not managed by an MDM system.
User: See Mobile Device User.
1.3 Compliant Targets of Evaluation
The MDM system consists of two primary components: the MDM Server software and the MDM Agent. This PP-Module specifically addresses the MDM Agent. The MDM Agent establishes a secure connection back to the MDM Server, from which it receives policies to enforce on the mobile device. Optionally, the MDM Agent interacts with the Mobile Application Store (MAS) Server to download and install enterprise-hosted applications.
A compliant MDM Agent is installed on a mobile device as an application (supplied by the developer of the MDM Server software) or is part of the mobile device's OS. This PP-Module builds on either the MDF PP or the MDM PP. A TOE that claims conformance to this PP-Module must also claim conformance to one of those PPs as its Base-PP. A compliant TOE is obligated to implement the functionality required in the Base-PP along with the additional functionality defined in this PP-Module in order to mitigate the threats that are defined by this PP-Module.
This PP-Module shall build on the MDF PP if the TOE is a native part of a mobile operating system. The TOE for this PP-Module combined with the MDF PP is the mobile device itself plus the MDM Agent. If the MDM Agent is part of the mobile device's OS, the MDM Agent may present multiple interfaces for configuring the mobile device, such as a local interface and a remote interface. Agents conforming to this PP-Module must at least offer an interface with a trusted channel that serves as one piece of an MDM system. Conformant MDM Agents may also offer other interfaces, and the configuration aspects of these additional interfaces are in scope of this PP-Module.
This PP-Module shall build on the MDM Server PP if the TOE is a third-party application that is provided with an MDM Server and installed on a mobile device by the user after acquiring the mobile device. The distributed TOE for this PP-Module combined with the MDM Server PP is the entire MDM environment, which includes both the MDM Server and the MDM Agent. Even though the mobile device itself is not part of the TOE, it is expected to be evaluated against the MDF PP so that its baseline security capabilities can be assumed to be present.
1.3.1 TOE Boundary
Figure 1 shows a high-level example of the PP-Module TOE boundary and its Operational Environment. As stated above, the MDM Agent may either be provided as part of the mobile device itself (shown in red) or distributed as a third-party application from the developer of the MDM Server software (shown in blue).
Figure 1: MDM Agent Operating Environment
The MDM Agent must closely interact with or be part of the mobile device's platform in order to establish policies and to perform queries about device status. The mobile device, in turn, has its own security requirements specified in the MDF PP.
1.4 Use Cases
This PP-Module defines 4 use cases:
[USE CASE 1] Enterprise-owned device for general-purpose enterprise use
An Enterprise-owned device for general-purpose business use is commonly called Corporately Owned, Personally Enabled (COPE). This use case entails a significant degree of Enterprise control over configuration and software inventory. Enterprise administrators use an MDM product to establish policies on the mobile devices prior to user issuance. Users may use Internet connectivity to browse the web or access corporate mail or run Enterprise applications, but this connectivity may be under significant control of the Enterprise. The user may also be expected to store data and use applications for personal, non-enterprise use. The Enterprise administrator uses the MDM product to deploy security policies and query mobile device status. The MDM may issue commands for remediation actions.
[USE CASE 2] Enterprise-owned device for specialized, high-security use
An Enterprise-owned device with intentionally limited network connectivity, tightly controlled configuration, and limited software inventory is appropriate for specialized, high-security use cases. As in the previous use case, the MDM product is used to establish such policies on mobile devices prior to issuance to users. The device may not be permitted connectivity to any external peripherals. It may only be able to communicate via its Wi-Fi or cellular radios with the Enterprise-run network, which may not even permit connectivity to the Internet. Use of the device may require compliance with usage policies that are more restrictive than those in any general-purpose use case, yet may mitigate risks to highly sensitive information. Based upon the operational environment and the acceptable risk level of the enterprise, those security functional requirements outlined in Section 5 Security Requirements of this Protection Profile along with the selections in the Use Case 2 template defined in Appendix E - Use Case Templates are sufficient for the high-security use case.
[USE CASE 3] Personally owned device for personal and enterprise use
A personally owned device, which is used for both personal activities and enterprise data, is commonly called Bring Your Own Device (BYOD). The device may be provisioned for access to enterprise resources after significant personal usage has occurred. Unlike in the enterprise-owned cases, the enterprise is limited in what security policies it can enforce because the user purchased the device primarily for personal use and is unlikely to accept policies that limit the functionality of the device.
However, because the Enterprise allows the user full (or nearly full) access to the Enterprise network, the Enterprise will require certain security policies, for example a password or screen lock policy, and health reporting, such as the integrity of the mobile device system software, before allowing access. The administrator of the MDM can establish remediation actions, such as wipe of the Enterprise data, for non-compliant devices. These controls could potentially be enforced by a separation mechanism built into the device itself to distinguish between enterprise and personal activities, or by a third-party application that provides access to enterprise resources and leverages security capabilities provided by the mobile device. Based upon the Operational Environment and the acceptable risk level of the enterprise, those security functional requirements outlined in Section 5 Security Requirements of this Protection Profile along with the selections in the Use Case 3 template defined in Appendix E - Use Case Templates are sufficient for the secure implementation of this BYOD use case.
[USE CASE 4] Personally owned device for personal and limited enterprise use
A personally owned device may also be given access to limited enterprise services such as enterprise email. Because the user does not have full access to the enterprise or enterprise data, the enterprise may not need to enforce any security policies on the device. However, the enterprise may want secure email and web browsing with assurance that the services being provided to those clients by the mobile device are not compromised. Based upon the Operational Environment and the acceptable risk level of the enterprise, those security functional requirements outlined in Section 5 Security Requirements of this PP are sufficient for the secure implementation of this BYOD use case.
2 Conformance Claims
This PP-Module inherits exact conformance as required from the specified Base-PP and as defined in the CC and CEM addenda for Exact Conformance, Selection-Based SFRs, and Optional SFRs (dated May 2017).
The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP-Module:
PP-Module for VPN Client, Version 2.1
This PP-Module is conformant to Parts 2 (extended) and 3 (conformant) of Common Criteria Version 3.1, Release 5 [CC].
This PP-Module is TLS Package Version 1.1 Conformant.
3 Security Problem Description
3.1 Threats
The following threats are specific to MDM Agents, and represent an addition to those identified in the Base-PPs.
T.MALICIOUS_APPS FILL IN
T.BACKUP An attacker may try to target backups of data or credentials and exfiltrate data. Since the backup is stored on either a personal computer or an end user's backup repository, it is not likely the enterprise would detect compromise.
T.NETWORK_ATTACK FILL IN
T.NETWORK_EAVESDROP FILL IN
T.PHYSICAL_ACCESS FILL IN
3.2 Assumptions
These assumptions are made on the Operational Environment in order to be able to ensure that the security functionality specified in the PP-Module can be provided by the TOE. If the TOE is placed in an Operational Environment that does not meet these assumptions, the TOE may no longer be able to provide all of its security functionality.
A.CONNECTIVITY The TOE relies on network connectivity to carry out its management activities. The TOE will robustly handle instances when connectivity is unavailable or unreliable.
A.MOBILE_DEVICE_PLATFORM The MDM Agent relies upon mobile platform and hardware evaluated against the MDF PP and assured to provide policy enforcement as well as cryptographic services and data protection. The mobile platform provides trusted updates and software integrity verification of the MDM Agent.
A.PROPER_ADMIN One or more competent, trusted personnel who are not careless, willfully negligent, or hostile, are assigned and authorized as the TOE Administrators, and do so using and abiding by guidance documentation.
A.PROPER_USER Mobile device users are not willfully negligent or hostile, and use the device within compliance of a reasonable Enterprise security policy.
3.3 Organizational Security Policies
P.ACCOUNTABILITY Personnel operating the TOE shall be accountable for their actions within the TOE.
P.ADMIN The configuration of the mobile device security functions must adhere to the Enterprise security policy.
P.DEVICE_ENROLL A mobile device must be enrolled for a specific user by the administrator of the MDM prior to being used in the Enterprise network by the user.
P.NOTIFY The mobile user must immediately notify the administrator if a mobile device is lost or stolen so that the administrator may apply remediation actions via the MDM system.
4 Security Objectives
4.1 Security Objectives for the TOE
O.ACCOUNTABILITY The TOE must provide logging facilities, which record management actions undertaken by its administrators.
O.APPLY_POLICY The TOE must facilitate configuration and enforcement of enterprise security policies on mobile devices via interaction with the mobile OS and the MDM Server. This will include the initial enrollment of the device into management, through its entire lifecycle, including policy updates and its possible unenrollment from management services.
O.DATA_PROTECTION_TRANSIT Data exchanged between the MDM Server and the MDM Agent must be protected from being monitored, accessed, or altered.
O.STORAGE To address the issue of loss of confidentiality of user data in the event of loss of a mobile device (T.PHYSICAL), conformant TOEs will use platform-provided key storage. The TOE is expected to protect its persistent secrets and private keys.
4.2 Security Objectives for the Operational Environment
The Operational Environment of the TOE implements technical and procedural measures to assist the TOE in correctly providing its security functionality (which is defined by the security objectives for the TOE). The security objectives for the Operational Environment consist of a set of statements describing the goals that the Operational Environment should achieve. This section defines the security objectives that are to be addressed by the IT domain or by non-technical or procedural means. The assumptions identified in Section 3 are incorporated as security objectives for the environment.
OE.DATA_PROPER_ADMIN TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
OE.DATA_PROPER_USER Users of the mobile device are trained to securely use the mobile device and apply all guidance in a trusted manner.
OE.IT_ENTERPRISE The Enterprise IT infrastructure provides security for a network that is available to the TOE and mobile devices that prevents unauthorized access.
OE.MOBILE_DEVICE_PLATFORM The MDM Agent relies upon the trustworthy mobile platform and hardware to provide policy enforcement as well as cryptographic services and data protection. The mobile platform provides trusted updates and software integrity verification of the MDM Agent.
OE.WIRELESS_NETWORK A wireless network will be available to the mobile devices.
4.3 Security Objectives Rationale
This section describes how the assumptions, threats, and organizational security policies map to the security objectives.
Threat, Assumption, or OSP | Security Objectives | Rationale
T.MALICIOUS_APPS | O.DATA_PROTECTION_TRANSIT | The threat T.MALICIOUS_APPS is countered by O.DATA_PROTECTION_TRANSIT as this provides the capability to protect app loading/updates against malicious insertion from the network.
T.MALICIOUS_APPS | O.APPLY_POLICY | The threat T.MALICIOUS_APPS is countered by O.APPLY_POLICY as this provides policy preventing loading of unapproved apps into the TOE.
T.BACKUP | O.DATA_PROTECTION_TRANSIT | The threat T.BACKUP is countered by O.DATA_PROTECTION_TRANSIT as this provides the capability to communicate using one (or more) standard protocols as a means to maintain the confidentiality of data that are transmitted between the Agent and other entities.
T.BACKUP | O.APPLY_POLICY | The threat T.BACKUP is countered by O.APPLY_POLICY as this provides policy to enforce that backups be stored only in secure, protected locations.
T.NETWORK_ATTACK | O.DATA_PROTECTION_TRANSIT | The threat T.NETWORK_ATTACK is countered by O.DATA_PROTECTION_TRANSIT as this provides the capability to communicate using one (or more) standard protocols as a means to maintain the confidentiality of data that are transmitted between the Agent and other entities.
T.NETWORK_ATTACK | O.APPLY_POLICY | The threat T.NETWORK_ATTACK is countered by O.APPLY_POLICY as this provides a secure configuration of the Agent to protect data that it processes.
T.NETWORK_ATTACK | OE.IT_ENTERPRISE | The threat T.NETWORK_ATTACK is countered by OE.IT_ENTERPRISE by reducing the network exposure of the mobile device.
T.NETWORK_EAVESDROP | O.DATA_PROTECTION_TRANSIT | The threat T.NETWORK_EAVESDROP is countered by O.DATA_PROTECTION_TRANSIT as this provides the capability to communicate using one (or more) standard protocols as a means to maintain the confidentiality of data that are transmitted between the Agent and other entities.
T.NETWORK_EAVESDROP | O.APPLY_POLICY | The threat T.NETWORK_EAVESDROP is countered by O.APPLY_POLICY as this provides a secure configuration of the Agent to protect data that it processes.
T.NETWORK_EAVESDROP | OE.IT_ENTERPRISE | The threat T.NETWORK_EAVESDROP is countered by OE.IT_ENTERPRISE by reducing the network exposure of the mobile device.
T.PHYSICAL_ACCESS | O.ACCOUNTABILITY | The threat T.PHYSICAL_ACCESS is countered by O.ACCOUNTABILITY as this provides the capability to log attempts by unauthorized personnel to access data, and to log any access to the data or the device, as well as changes to the device during the time when it is not under the control of an authorized user.
T.PHYSICAL_ACCESS | O.APPLY_POLICY | The threat T.PHYSICAL_ACCESS is countered by O.APPLY_POLICY as this provides a secure configuration of the Agent to protect data that it processes.
T.PHYSICAL_ACCESS | O.STORAGE | The threat T.PHYSICAL_ACCESS is countered by O.STORAGE as this provides the capability to encrypt all user and enterprise data and authentication keys to ensure the confidentiality of data that it stores.
A.CONNECTIVITY | OE.WIRELESS_NETWORK | The Operational Environment objective OE.WIRELESS_NETWORK is realized through A.CONNECTIVITY.
A.MOBILE_DEVICE_PLATFORM | OE.MOBILE_DEVICE_PLATFORM | The Operational Environment objective OE.MOBILE_DEVICE_PLATFORM is realized through A.MOBILE_DEVICE_PLATFORM.
A.PROPER_ADMIN | OE.DATA_PROPER_ADMIN | The Operational Environment objective OE.DATA_PROPER_ADMIN is realized through A.PROPER_ADMIN.
A.PROPER_USER | OE.DATA_PROPER_USER | The Operational Environment objective OE.DATA_PROPER_USER is realized through A.PROPER_USER.
P.ACCOUNTABILITY | O.ACCOUNTABILITY | O.ACCOUNTABILITY provides logging of personnel actions in order to provide accountability of all personnel actions within the TOE.
P.ADMIN | O.APPLY_POLICY | The TOE adheres to the Enterprise security policy through the application of O.APPLY_POLICY.
P.DEVICE_ENROLL | O.APPLY_POLICY | The TOE enrolls mobile devices for specific users with policy through the application of O.APPLY_POLICY.
P.NOTIFY | O.APPLY_POLICY | The TOE provides the capability for the administrator to apply remediation actions via the MDM system through policy, which is applied through O.APPLY_POLICY.
5 Security Requirements
This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 and assurance components from Part 3 of [CC]. The following conventions are used for the completion of operations:
Refinement operation (denoted by bold text or strikethrough text): is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.
Selection (denoted by italicized text): is used to select one or more options provided by the [CC] in stating a requirement.
Assignment operation (denoted by italicized text): is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
Iteration operation: is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."
5.1 MDF PP Security Functional Requirements Direction
In a PP-Configuration that includes the MDF PP, the TOE is expected to rely on some of the security functions implemented by the Mobile Device as a whole and evaluated against the MDF PP. The following sections describe any modifications that the ST author must make to the SFRs defined in the MDF PP in addition to what is mandated by Section 5.3 TOE Security Functional Requirements.
5.1.1 Modified SFRs
This PP-Module does not modify any SFRs defined by the MDF PP.
5.1.2 Additional SFRs
This section defines additional SFRs that must be added to the TOE boundary in order to implement the functionality in any PP-Configuration where the MDF PP is claimed as the Base-PP.
5.1.2.1 Cryptographic Support (FCS)
FCS_STG_EXT.4 Cryptographic Key Storage
FCS_STG_EXT.4.1 The MDM Agent shall use the platform-provided key storage for all persistent secret and private keys.
Application Note: This requirement ensures that persistent secrets (credentials, secret keys) and private keys are stored securely when not in use by the mobile platform.
5.1.2.2 Trusted Path/Channels (FTP)
FTP_ITC_EXT.1/TRUSTCHAN Trusted Channel Communication
FTP_ITC_EXT.1.1/TRUSTCHAN Refinement: The TSF shall use [selection: mutually authenticated TLS client as defined in the Package for Transport Layer Security, mutually authenticated DTLS client as defined in the Package for Transport Layer Security, HTTPS] to provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels, provides assured identification of its endpoints, protects channel data from disclosure, and detects modification of the channel data.
Application Note: The intent of this requirement is to protect the communications channel between MDM Server and Agent, post enrollment. FTP_TRP.1(2) is to protect the communications channel between MDM Server and Agent during enrollment.
This requirement is to ensure that the transmission of any audit logs, mobile device information data (software version, hardware model, and application versions), and configuration data collected by the MDM Agent and sent from the MDM Agent to the MDM Server, when commanded, or at configurable intervals, is properly protected. This trusted channel also protects any commands and policies sent by the MDM Server to the MDM Agent. Either the MDM Agent or the MDM Server is able to initiate the connection.
This requirement is iterated from the MDF PP to indicate the protocols that the MDM Agent can use for a trusted channel. The mobile device is required to perform the mandated cryptographic protocols as in the Base-PP for communication channels mandated in the MDF PP. The ST author must select one of TLS, DTLS, or HTTPS in order to establish and maintain a trusted channel between the MDM Agent and the MDM Server. Only TLS, DTLS, or HTTPS are acceptable for this trusted channel.
Since this requirement is only for the case when the PP-Module builds on the MDF PP, and in this case it is expected that the MDM Agent will be a native part of the mobile operating system, it is expected that the MDM Agent will utilize the mobile device's implementation of the selected protocols. HTTPS (FCS_HTTPS_EXT.1) and TLS (FCS_TLSC_EXT.1) are already mandatory for an MDF ST. If "TLS" or "DTLS" is selected, the following selections from the TLS Functional Package must be made:
FCS_TLS_EXT.1: either TLS or DTLS is selected depending on the selection made in FTP_ITC_EXT.1.1; "client" must be selected.
FCS_TLSC_EXT.1.1: The ciphersuites selected must correspond with the algorithms and hash functions allowed in FCS_COP.1 from the MDF PP; "mutual authentication" must be selected.
Protocol, RBG, certificate validation, algorithm, and similar services may be met with platform-provided services.
FTP_ITC_EXT.1.2/TRUSTCHAN Refinement: The TSF shall permit the TSF and the MDM Server and [selection: MAS Server, no other IT entities] to initiate communication via the trusted channel.
Application Note: For all other use cases, the mobile device initiates the communication; however, for MDM Agents, the MDM Server may also initiate communication.
FTP_ITC_EXT.1.3/TRUSTCHAN Refinement: The TSF shall initiate communication via the trusted channel for all communication between the MDM Agent and the MDM Server and [selection: all communication between the MAS Server and the MDM Agent, no other communication].
Application Note: This element is iterated from the MDF PP; it is expected that the mobile device will initiate the trusted channel between the MDM Agent and the MDM Server for administrative communication and may initiate other trusted channels to other trusted IT entities for other uses.
FTP_TRP.1/TRUSTPATH Trusted Path (for Enrollment)
FTP_TRP.1.1/TRUSTPATH Refinement: The TSF shall use [selection: TLS client as defined in the Package for Transport Layer Security, HTTPS] to provide a trusted communication path between itself and another trusted IT product that is logically distinct from other communication paths and provides assured identification of its endpoints and protection of the communicated data from disclosure and detection of modification of the communicated data from [modification, disclosure].
FTP_TRP.1.2/TRUSTPATH Refinement: The TSF shall permit MD users to initiate communication via the trusted path.
FTP_TRP.1.3/TRUSTPATH Refinement: The TSF shall require the use of the trusted path for [[all MD user actions]].
Application Note: This requirement ensures that authorized MD users initiate all communication with the TOE via a trusted path, and that all communications with the TOE by MD users are performed over this path. The purpose of this connection is for enrollment by the MD user.
The ST author chooses the mechanism or mechanisms supported by the TOE. The data passed in this trusted communication channel are encrypted as defined by the protocol selected.
Since this requirement is only for the case when the PP-Module builds on the MDF PP, and in this case it is expected that the MDM Agent will be a native part of the mobile operating system, it is expected that the MDM Agent will utilize the mobile device's implementation of the selected protocols. HTTPS (FCS_HTTPS_EXT.1) and TLS (FCS_TLSC_EXT.1) are already mandatory for an MDF ST. If "TLS" or "DTLS" is selected, the following selections from the TLS Functional Package must be made:
FCS_TLS_EXT.1: "TLS" must be selected; "client" must be selected.
FCS_TLSC_EXT.1.1: The ciphersuites selected must correspond with the algorithms and hash functions allowed in FCS_COP.1 from the MDF PP.
5.2 MDM PP Security Functional Requirements Direction
In a PP-Configuration that includes the MDM PP, the TOE is expected to rely on some of the security functions implemented by the MDM Server as a whole and evaluated against the MDM PP. The following sections describe any modifications that the ST author must make to the SFRs defined in the MDM PP in addition to what is mandated by Section 5.3 TOE Security Functional Requirements.
5.2.1 Modified SFRs
This PP-Module does not modify any SFRs defined by the MDM PP.
5.2.2 Additional SFRs
This section defines additional SFRs that must be added to the TOE boundary in order to implement the functionality in any PP-Configuration where the MDM PP is claimed as the Base-PP.
5.2.2.1 Cryptographic Support (FCS)
FCS_STG_EXT.1/KEYSTO Cryptographic Key Storage
FCS_STG_EXT.1.1/KEYSTO Refinement: The MDM Agent shall use the [platform-provided key storage] for all persistent secret and private keys.
Application Note: This requirement ensures that persistent secrets (credentials, secret keys) and private keys are stored securely when not in use by the mobile platform.
5.3 TOE Security Functional Requirements
The following section describes the SFRs that must be satisfied by any TOE that claims conformance to this PP-Module. These SFRs must be claimed regardless of which PP-Configuration is used to define the TOE.
5.3.1 Security Audit (FAU)
FAU_ALT_EXT.2 Agent Alerts
FAU_ALT_EXT.2.1 The MDM Agent shall provide an alert via the trusted channel to the MDM Server in the event of any of the following audit events:
successful application of policies to a mobile device,
[selection: receiving, generating] periodic reachability events,
[selection: change in enrollment state, failure to install an application from the MAS Server, failure to update an application from the MAS Server, [assignment: other events], no other events].
Application Note: The trusted channel is defined in FPT_ITT.1(2) of the Base-PP if the Agent extends the MDM Server and FTP_ITC_EXT.1 if the Agent extends the MDF PP. "Alert" in this requirement could be as simple as an audit record or a notification. If any prior alerts exist in the queue, per FAU_ALT_EXT.2.2, those alerts must be sent when the trusted channel is available.
This requirement is to ensure that the MDM Agent must notify the MDM Server whenever one of the events listed above occurs. Lack of receipt of a successful policy installation indicates the failure of the policy installation.
The periodic reachability events ensure that either the MDM Agent responds to MDM Server polls to determine device network reachability, or the MDM Agent can be configured to regularly notify the Server that it is reachable. The ST author must select "receiving" in the first case and "generating" in the second. The corresponding requirement for the MDM Server is FAU_NET_EXT.1 in the MDM PP.
The ST author must either assign further events or select the "no other events" option. Note that alerts may take time to reach the MDM Server, or not arrive, due to poor connectivity.
FAU_ALT_EXT.2.2 The MDM Agent shall queue alerts if the trusted channel is not available.
Application Note: If the trusted channel is not available, alerts must be queued. When the trusted channel becomes available, the queued alerts must be sent.
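The queue-and-flush behaviour of FAU_ALT_EXT.2.1 and FAU_ALT_EXT.2.2, as an added Go example that is not part of the PP-Module or of any evaluated product: the Channel interface, fakeChannel, the AlertKind names and the timestamps are this example's own assumptions, and it models the "generating" reachability case.

```go
package main

import (
	"errors"
	"time"
)

// AlertKind names the FAU_ALT_EXT.2.1 event classes modelled here.
type AlertKind string

const (
	AlertPolicyApplied    AlertKind = "policy_applied"     // successful application of policies
	AlertReachability     AlertKind = "reachability"       // periodic reachability event ("generating" case)
	AlertAppInstallFailed AlertKind = "app_install_failed" // failure to install an app from the MAS Server
)

// Alert is one message destined for the MDM Server over the trusted channel.
type Alert struct {
	Kind   AlertKind
	Detail string
	At     time.Time
}

// Channel abstracts the trusted channel (FTP_ITC_EXT.1 or FPT_ITT.1(2));
// Send returns an error whenever the channel is unavailable.
type Channel interface {
	Send(a Alert) error
}

var ErrChannelDown = errors.New("trusted channel unavailable")

// Agent keeps the FIFO of alerts the server has not yet accepted
// (FAU_ALT_EXT.2.2): nothing is dropped while the channel is down.
type Agent struct {
	ch      Channel
	pending []Alert
}

// Raise enqueues an alert and attempts delivery. Older queued alerts always
// go first, so the server sees events in the order they occurred.
func (ag *Agent) Raise(a Alert) error {
	ag.pending = append(ag.pending, a)
	return ag.Flush()
}

// Flush delivers queued alerts in order and stops at the first failure,
// leaving that alert and everything behind it queued for the next attempt.
func (ag *Agent) Flush() error {
	for len(ag.pending) > 0 {
		if err := ag.ch.Send(ag.pending[0]); err != nil {
			return err
		}
		ag.pending = ag.pending[1:]
	}
	return nil
}

// Pending reports how many alerts are still waiting for the channel.
func (ag *Agent) Pending() int { return len(ag.pending) }

// fakeChannel is a constructed stand-in for the real channel: Up toggles
// availability and Delivered is what the "server" received.
type fakeChannel struct {
	Up        bool
	Delivered []Alert
}

func (c *fakeChannel) Send(a Alert) error {
	if !c.Up {
		return ErrChannelDown
	}
	c.Delivered = append(c.Delivered, a)
	return nil
}

// Scenario walks through an outage and returns the kinds the server received
// in order, the queue depth during the outage and the depth after recovery.
func Scenario() ([]AlertKind, int, int) {
	ch := &fakeChannel{Up: true}
	ag := &Agent{ch: ch}
	now := time.Date(2019, 4, 25, 9, 0, 0, 0, time.UTC) // constructed timestamp
	_ = ag.Raise(Alert{Kind: AlertPolicyApplied, Detail: "policy v7", At: now})
	ch.Up = false // connectivity lost: the next two alerts must be queued
	_ = ag.Raise(Alert{Kind: AlertReachability, At: now.Add(5 * time.Minute)})
	_ = ag.Raise(Alert{Kind: AlertAppInstallFailed, Detail: "mas app 42", At: now.Add(6 * time.Minute)})
	duringOutage := ag.Pending()
	ch.Up = true // channel back: queued alerts go out in order
	_ = ag.Flush()
	kinds := make([]AlertKind, 0, len(ch.Delivered))
	for _, a := range ch.Delivered {
		kinds = append(kinds, a.Kind)
	}
	return kinds, duringOutage, ag.Pending()
}

func main() {
	kinds, during, after := Scenario()
	println(len(kinds), during, after) // 3 2 0
}
```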
FAU_GEN.1/AUDITGENAuditDataGenerationFAU_GEN.1.1/AUDITGEN
Refinement:TheMDMAgentshall[selection:invokeplatform-providedfunctionality,implementfunctionality]togenerateanMDMAgentauditrecordofthefollowingauditableevents:
a. StartupandshutdownoftheMDMAgent;b. Allauditableeventsfor[notspecified]levelofaudit;andc. [MDMpolicyupdated,anymodificationcommandedbytheMDMServer,
specificallydefinedauditableeventslistedinTable1,and[selection:[assignment:otherevents],nootherevents]].
ApplicationNote:ThisrequirementoutlinestheinformationtobeincludedintheMDMAgent’sauditrecords.TheSTauthorcanincludeotherauditableeventsdirectlyintheAuditableEventstableinFAU_GEN.1.1(2);theyarenotlimitedtothelistpresented.
MDMpolicyupdatemustminimallyindicatethatanupdatetopolicyoccurred.Theeventrecordneednotcontainthedifferencesbetweenthepriorpolicyandthenewpolicy;optionally,thespecificchange(s)topolicythatwereincludedinthatupdatemaybedetailed.Allupdatestopolicyshouldtriggerthisalert.ModificationscommandedbytheMDMServerarethosecommandslistedinFMT_SMF.1.1.
TheselectionfortheFMT_UNR_EXT.1auditableeventintheAuditableEventstablecorrespondstotheselectioninFMT_UNR_EXT.1.If“applyremediationactions”isselectedinFMT_UNR_EXT.1,thentheSTauthorselects“attempttounenroll”inFAU_GEN.1.1(2)AuditableEventstableforFMT_UNR_EXT.1;otherwise,"none"isselected.
Table1AuditableEvents
Requirement AuditableEvents AdditionalAuditRecordContents
FAU_ALT_EXT.2 Success/failureofsendingalert. Noadditionalinformation.
FAU_GEN.1 None. N/A
FAU_SEL.1 Allmodificationstotheauditconfigurationthatoccurwhiletheauditcollectionfunctionsare
Noadditionalinformation.
operating.
FCS_STG_EXT.4/FCS_STG_EXT.1(2)
None.
FCS_TLSC_EXT.1 FailuretoestablishaTLSsession. Reasonforfailure.
Failuretoverifypresentedidentifier.
Presentedidentifierandreferenceidentifier.
Establishment/terminationofaTLSsession.
Non-TOEendpointofconnection.
FIA_ENR_EXT.2 Enrollmentinmanagement. ReferenceidentifierofMDMServer.
FMT_POL_EXT.2 Failureofpolicyvalidation. Reasonforfailureofvalidation.
FMT_SMF_EXT.4 Outcome(Success/failure)offunction.
Noadditionalinformation.
FMT_UNR_EXT.1.1 [selection:Attempttounenroll,none]
Noadditionalinformation.
FTP_ITC_EXT.1(2) Initiationandterminationoftrustedchannel.
Trustedchannelprotocol.Non-TOEendpointofconnection.
FAU_GEN.1.2/AUDITGEN
Refinement: The [selection: TSF, TOE platform] shall record within each MDM Agent audit record at least the following information:
a. Date and time of the event, type of event, subject identity, (if relevant) the outcome (success or failure) of the event, and additional information in Table 1; and
b. For each audit event type, based on the auditable event definitions of the functional components included in the PP-Module/ST, [assignment: other audit relevant information].
Application Note: All audits must contain at least the information mentioned in FAU_GEN.1.2(2), but may contain more information, which can be assigned. The ST author must identify in the TSS which parts of the audit record are produced by the MDM Agent and which are produced by the MDM Agent’s platform.
FAU_SEL.1/EVENTSEL Security Audit Event Selection
FAU_SEL.1.1/EVENTSEL
Refinement: The TSF shall [selection: invoke platform-provided functionality, implement functionality] to select the set of events to be audited from the set of all auditable events based on the following attributes:
a. [event type]
b. [success of auditable security events, failure of auditable security events, [assignment: other attributes]].
Application Note: The intent of this requirement is to identify all criteria that can be selected to trigger an audit event. For the ST author, the assignment is used to list any additional criteria or “no other attributes”. This selection may be configured by the MDM Server.
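To make the FAU_GEN.1.2 record contents and the FAU_SEL.1 selection attributes concrete, the following Go program is an added example (it is not code from this PP-Module or from any MDM product). It carries the fields item a requires in every record, filters records by event type and by success/failure as FAU_SEL.1.1 items a and b describe, and treats a change to the selection as an auditable event of its own, as the FAU_SEL.1 row of Table 1 requires. The event-type names, the sample events and the server name are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Outcome is the "(if relevant) success or failure" field of FAU_GEN.1.2 item a.
type Outcome string

const (
	Success   Outcome = "success"
	Failure   Outcome = "failure"
	NoOutcome Outcome = "" // event types with no success/failure attribute
)

// AuditRecord carries what FAU_GEN.1.2 requires in every MDM Agent record:
// date/time, event type, subject identity, outcome and the Table 1 extras.
type AuditRecord struct {
	Time    time.Time
	Type    string            // event type, named here after the SFR that defines it (assumed naming)
	Subject string            // subject identity: Agent, MDM Server or user (constructed values)
	Outcome Outcome
	Extra   map[string]string // "Additional Audit Record Contents" column of Table 1
}

// Selection holds the FAU_SEL.1 attributes: event type (a) and success/failure (b).
// An empty Types set means "every event type".
type Selection struct {
	Types   map[string]bool
	Success bool
	Failure bool
}

// Include decides whether a record is selected for auditing.
func (s Selection) Include(r AuditRecord) bool {
	if len(s.Types) > 0 && !s.Types[r.Type] {
		return false
	}
	switch r.Outcome {
	case Success:
		return s.Success
	case Failure:
		return s.Failure
	default:
		return true // no outcome attribute: selected by event type alone
	}
}

// AuditLog is a minimal in-memory store; a real Agent would hand records to the
// platform audit storage (FAU_STG_EXT.3) instead.
type AuditLog struct {
	sel     Selection
	records []AuditRecord
}

func NewAuditLog(sel Selection) *AuditLog { return &AuditLog{sel: sel} }

// Record stores r if the current selection includes it and reports whether it did.
func (l *AuditLog) Record(r AuditRecord) bool {
	if !l.sel.Include(r) {
		return false
	}
	l.records = append(l.records, r)
	return true
}

// SetSelection changes the selection while collection is running. Table 1 lists
// that change as an auditable event for FAU_SEL.1; this example records it
// unconditionally (a design choice here) so that narrowing the selection cannot
// hide the fact that it was narrowed.
func (l *AuditLog) SetSelection(s Selection, by string, now time.Time) {
	l.sel = s
	l.records = append(l.records, AuditRecord{
		Time: now, Type: "FAU_SEL.1", Subject: by, Outcome: Success,
		Extra: map[string]string{"change": "audit selection modified"},
	})
}

func (l *AuditLog) Records() []AuditRecord { return l.records }

// SampleEvents returns constructed events that mirror rows of Table 1.
func SampleEvents(now time.Time) []AuditRecord {
	return []AuditRecord{
		{Time: now, Type: "FAU_ALT_EXT.2", Subject: "agent", Outcome: Success},
		{Time: now, Type: "FCS_TLSC_EXT.1", Subject: "agent", Outcome: Failure,
			Extra: map[string]string{"reason": "certificate chain validation failed", "endpoint": "mdm.example.test:443"}},
		{Time: now, Type: "FIA_ENR_EXT.2", Subject: "agent", Outcome: NoOutcome,
			Extra: map[string]string{"reference_identifier": "mdm.example.test"}},
		{Time: now, Type: "FMT_POL_EXT.2", Subject: "mdm-server", Outcome: Failure,
			Extra: map[string]string{"reason": "policy-signing certificate not authorized"}},
	}
}

func main() {
	now := time.Date(2019, 4, 25, 12, 0, 0, 0, time.UTC)
	log := NewAuditLog(Selection{Success: true, Failure: true}) // audit everything
	for _, e := range SampleEvents(now) {
		log.Record(e)
	}
	// The MDM Server narrows the selection to failures; the change itself is audited.
	log.SetSelection(Selection{Failure: true}, "mdm-server", now.Add(time.Minute))
	for _, e := range SampleEvents(now.Add(2 * time.Minute)) {
		log.Record(e)
	}
	for _, r := range log.Records() {
		fmt.Printf("%s %-15s %-10s %-8s %v\n", r.Time.Format(time.RFC3339), r.Type, r.Subject, r.Outcome, r.Extra)
	}
}
```

With the "failures only" selection, the enrollment event (which has no success/failure attribute) is still recorded, because item b filters only events that carry an outcome; an ST that wants outcome-less events to be selectable separately would list that as an "other attribute" in the assignment.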
5.3.2 Identification and Authentication (FIA)
FIA_ENR_EXT.2 Agent Enrollment of Mobile Device into Management
FIA_ENR_EXT.2.1
The MDM Agent shall record the reference identifier of the MDM Server during the enrollment process.
Application Note: The reference identifier of the MDM Server may be the Distinguished Name, Domain Name, and/or the IP address of the MDM Server. This requirement allows the specification of the information to be used to establish a network connection and the reference identifier for authenticating the trusted channel between the MDM Server and MDM Agent.
5.3.3 Security Management (FMT)
FMT_POL_EXT.2 Agent Trusted Policy Update
FMT_POL_EXT.2.1
The MDM Agent shall only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the MDM Server.
Application Note: The intent of this requirement is to cryptographically tie the policies to the enterprise that mandated the policy, not to protect the policies in transit (as they are already protected by FPT_ITT.1(2) of the Base-PP). This is especially critical for users who connect to multiple enterprises.
Policies must be digitally signed by the enterprise using the algorithms in FCS_COP.1(3).
FMT_POL_EXT.2.2
The MDM Agent shall not install policies if the policy-signing certificate is deemed invalid.
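The following Go program is an added example of the check FMT_POL_EXT.2.1 and FMT_POL_EXT.2.2 describe; it is not code from this PP-Module or from any MDM product. It accepts a policy only when the presented signing certificate is one the MDM Server authorized (modelled here as a set of certificate fingerprints assumed to be provisioned at enrollment), the certificate is within its validity period, and the ECDSA signature over the policy body verifies; a tampered body, an unauthorized signer and an expired certificate are all rejected without the policy being installed. The signed-policy layout, the self-signed test certificates and the sample policy body are assumptions of the example, and ECDSA P-256 with SHA-256 stands in for whichever FCS_COP.1(3) algorithm the ST selects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedPolicy is what the Agent receives. The layout (body, detached ECDSA
// signature, signer certificate) is an assumption of this example.
type SignedPolicy struct {
	Body    []byte // policy payload
	Sig     []byte // ASN.1 DER ECDSA signature over SHA-256(Body)
	CertDER []byte // certificate presented as the policy signer
}

// AuthorizedSigners holds SHA-256 fingerprints (of the DER encoding) of the
// certificates the MDM Server authorized for policy updates; assumed here to
// be provisioned at enrollment.
type AuthorizedSigners map[string]bool

var (
	ErrInvalidCert      = errors.New("policy-signing certificate is invalid")
	ErrUnauthorizedCert = errors.New("policy-signing certificate not authorized by MDM Server")
	ErrBadSignature     = errors.New("policy signature does not verify")
)

// Fingerprint identifies a certificate by the SHA-256 of its DER encoding.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyPolicy implements FMT_POL_EXT.2.1 and .2.2: accept only if the presented
// certificate parses, is within its validity period, is in the Server-authorized
// set, and the signature over the body verifies. Any error means "do not install".
func VerifyPolicy(p SignedPolicy, authorized AuthorizedSigners, now time.Time) error {
	cert, err := x509.ParseCertificate(p.CertDER)
	if err != nil {
		return ErrInvalidCert
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return ErrInvalidCert // FMT_POL_EXT.2.2: certificate deemed invalid
	}
	if !authorized[Fingerprint(p.CertDER)] {
		return ErrUnauthorizedCert // FMT_POL_EXT.2.1: not authorized by the Server
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return ErrInvalidCert
	}
	digest := sha256.Sum256(p.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], p.Sig) {
		return ErrBadSignature
	}
	return nil
}

// NewSigner creates a self-signed ECDSA P-256 certificate standing in for the
// enterprise policy-signing certificate (constructed for the example only).
func NewSigner(cn string, notBefore, notAfter time.Time) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// SignPolicy is the enterprise side: sign SHA-256(body) with the signer's key.
func SignPolicy(key *ecdsa.PrivateKey, certDER, body []byte) (SignedPolicy, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedPolicy{Body: body, Sig: sig, CertDER: certDER}, err
}

func main() {
	now := time.Now()
	key, der, err := NewSigner("enterprise-policy-signer", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	authorized := AuthorizedSigners{Fingerprint(der): true}
	policy, _ := SignPolicy(key, der, []byte(`{"passcode_min_length":8}`)) // constructed policy
	fmt.Println("genuine policy:", VerifyPolicy(policy, authorized, now))
	tampered := policy
	tampered.Body = []byte(`{"passcode_min_length":1}`)
	fmt.Println("tampered body:", VerifyPolicy(tampered, authorized, now))
	rogueKey, rogueDER, _ := NewSigner("other-enterprise", now.Add(-time.Hour), now.Add(24*time.Hour))
	rogue, _ := SignPolicy(rogueKey, rogueDER, policy.Body)
	fmt.Println("unauthorized signer:", VerifyPolicy(rogue, authorized, now))
}
```

The authorization check is deliberately separate from signature verification: a policy from a different enterprise can carry a perfectly valid signature under its own certificate, which is exactly the multi-enterprise case the Application Note calls out, and it must still be refused. Pinning by fingerprint is one way to express "authorized by the MDM Server"; an ST may instead chain to a Server-designated CA, but the order of checks (validity, authorization, then signature) carries over.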
FMT_SMF_EXT.4 Specification of Management Functions
FMT_SMF_EXT.4.1
The MDM Agent shall be capable of interacting with the platform to perform the following functions:
Import the certificates to be used for authentication of MDM Agent communications, [selection: administrator-provided management functions in MDF PP, administrator-provided device management functions in MDM PP] [selection: [assignment: additional functions], no additional functions].
Application Note: This requirement captures all the configuration functionality in the MDM Agent to configure the underlying mobile device with the configuration policies sent from the MDM Server to the Agent. The ST author selects the Base-PP (MDF PP or MDM PP) as the source of the management functions.
The administrator-provided management functions in MDF PP are specified in Column 4 of Table 5 in MDF PP and in FPT_TUD_EXT.1 (for version queries). The administrator-provided device management functions in MDM PP are specified in FMT_SMF.1.1(1); the functions in the selection of FMT_SMF.1.1(1) in the MDM PP are required to correspond to the functions available on the platforms supported by the MDM Agent.
The ST author can add more commands and configuration policies by completing the assignment statement; the mobile device must support these additional commands or configuration policies.
The agent must configure the platform based on the commands and configuration policies received from the MDM Server. The ST author must not claim any functionality not provided by the supported mobile device(s). All selections and assignments performed by the ST author in this requirement should match the selections and assignments of the validated mobile device ST.
FMT_SMF_EXT.4.2
The MDM Agent shall be capable of performing the following functions:
Enroll in management
Configure whether users can unenroll from management
[selection: configure periodicity of reachability events, [assignment: other management functions], no other functions].
Application Note: This requirement captures all of the configuration in the MDM Agent for configuration of itself.
If the MDM Agent is a part of the mobile device, enrollment is a single function both of the Agent and of the mobile device (FMT_SMF_EXT.4.1).
If the MDM Agent is an application developed separately from the mobile device, the MDM Agent performs the function “enroll the mobile device in management” (per FMT_SMF_EXT.4.1) by registering itself to the mobile device as a device administrator. The Agent itself is enrolled in management by configuring the MDM Server to which the Agent answers.
If the MDM Agent does not support unenrollment prevention, remediation actions should be applied upon unenrollment (per FMT_UNR_EXT.1).
If the Agent generates periodic reachability events in FAU_ALT_EXT.2.1 and the periodicity of these events is configurable, “configure periodicity of reachability events” must be selected.
FMT_UNR_EXT.1 User Unenrollment Prevention
FMT_UNR_EXT.1.1
The MDM Agent shall provide a mechanism to enforce the following behavior upon an attempt to unenroll the mobile device from management: [selection: prevent the unenrollment from occurring, apply remediation actions].
Application Note: Unenrolling is the action of transitioning from the enrolled state to the unenrolled state. If preventing the user from unenrolling is configurable, administrators configure whether users are allowed to unenroll through the MDM Server.
For those configurations where unenrollment is allowed, for example a BYOD usage, the MDF PP describes remediation actions performed upon unenrollment, such as wiping enterprise data, in FMT_SMF_EXT.2.1; however, the MDM Agent is limited to those actions supported by the mobile device on which the Agent is operating.
5.4 TOE Security Functional Requirements Rationale
The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:
OBJECTIVE | ADDRESSED BY | RATIONALE
O.ACCOUNTABILITY | FAU_ALT_EXT.2, FAU_GEN.1(2), FAU_SEL.1(2) | FILL IN
O.APPLY_POLICY | FAU_STG_EXT.3 (objective), FIA_ENR_EXT.2, FMT_POL_EXT.2, FMT_SMF_EXT.4, FMT_UNR_EXT.1 | FILL IN
O.DATA_PROTECTION_TRANSIT | FCS_DTLSS_EXT.1 (from TLS Package), FCS_DTLSC_EXT.1 (from TLS Package), FCS_TLSC_EXT.1 (from TLS Package), FCS_TLSC_EXT.2 (from TLS Package), FCS_TLSS_EXT.1 (from TLS Package), FCS_TLSS_EXT.2 (from TLS Package), FPT_NET_EXT.1 (objective), FTP_ITC_EXT.1(2) (if MDF is Base-PP), FTP_TRP.1(2) (if MDF is Base-PP) | FILL IN
O.STORAGE | FCS_STG_EXT.1(2) (if MDM is Base-PP), FCS_STG_EXT.4 (if MDF is Base-PP) | FILL IN
6 Consistency Rationale
6.1 Mobile Device Fundamentals Protection Profile
6.1.1 Consistency of TOE Type
When this PP-Module is used to extend the MDF PP, the TOE type for the overall TOE is still a mobile device. The TOE boundary is simply extended to include the MDM Agent application that runs on the mobile device.
6.1.2 Consistency of Security Problem Definition
The threats defined by this PP-Module (see section 3.1) supplement those defined in the MDF PP as follows:
PP-Module Threat | Consistency Rationale
6.1.3 Consistency of Objectives
The objectives for the TOEs are consistent with the MDF PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale
| This objective extends the Base-PP’s O.COMMS objective by ensuring that the communications related to MDM Agents functionality are secured in the same manner as other sensitive data transmitted to/from the mobile device.
| This objective extends the Base-PP’s O.STORAGE objective by ensuring that the mobile device’s data-at-rest protection mechanisms can also be used to secure the MDM Agent and related data.
The objectives for the TOE's Operational Environment are consistent with the MDF PP based on the following rationale:
PP-Module Operational Environment Objective | Consistency Rationale
6.1.4 Consistency of Requirements
This PP-Module identifies several SFRs from the MDF PP that are needed to support MDM Agents functionality. This is considered to be consistent because the functionality provided by the MDF is being used for its intended purpose. The PP-Module identifies new SFRs that are used entirely to provide functionality for MDM Agents. The rationale for why this does not conflict with the claims defined by the MDF PP is as follows:
PP-Module Requirement | Consistency Rationale
Modified SFRs
This PP-Module does not modify any requirements when the MDF PP is the base.
Additional SFRs
FCS_STG_EXT.4 | This SFR requires the MDM Agent to use functionality defined by the Base-PP in FCS_CKM_EXT.1.
FTP_ITC_EXT.1/TRUSTCHAN | The Base-PP defines FTP_ITC_EXT.1 to define the secure protocols used for trusted channel communications. This PP-Module iterates the SFR to specify a subset of these protocols that may be used for MDM Agent communications in particular.
FTP_TRP.1/TRUSTPATH | This SFR uses the trusted channel protocols defined by the Base-PP in FTP_ITC_EXT.1 to facilitate a trusted path that the MDM Agent can use to enroll the mobile device it runs on into management. Even though the Base-PP does not define FTP_TRP.1, the requirement was given an iteration label for consistency with the MDM Server requirement of the same name.
Mandatory SFRs
FAU_ALT_EXT.2
FAU_GEN.1/AUDITGEN
FAU_SEL.1/EVENTSEL
FIA_ENR_EXT.2
FMT_POL_EXT.2
FMT_SMF_EXT.4
FMT_UNR_EXT.1
Optional SFRs
This PP-Module does not define any optional requirements.
Selection-based SFRs
This PP-Module does not define any selection-based requirements.
Objective SFRs
FAU_STG_EXT.3
FPT_NET_EXT.1
6.2 Mobile Device Management Protection Profile
6.2.1 Consistency of TOE Type
When this PP-Module is used to extend the MDM PP, the TOE type for the overall TOE is still mobile device management. The TOE boundary is simply extended to include the MDM Agent(s) that reside on individual mobile devices and support the management functionality that the MDM Server component implements.
6.2.2 Consistency of Security Problem Definition
The threats defined by this PP-Module (see section 3.1) supplement those defined in the MDM PP as follows:
PP-Module Threat | Consistency Rationale
6.2.3 Consistency of Objectives
The objectives for the TOEs are consistent with the MDM PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale
| This objective extends the Base-PP’s O.COMMS objective by ensuring that the communications related to MDM Agents functionality are secured in the same manner as other sensitive data transmitted to/from the mobile device.
| This objective extends the Base-PP’s O.STORAGE objective by ensuring that the mobile device’s data-at-rest protection mechanisms can also be used to secure the MDM Agent and related data.
The objectives for the TOE's Operational Environment are consistent with the MDM PP based on the following rationale:
PP-Module Operational Environment Objective | Consistency Rationale
6.2.4 Consistency of Requirements
This PP-Module identifies several SFRs from the MDM PP that are needed to support MDM Agents functionality. This is considered to be consistent because the functionality provided by the MDM is being used for its intended purpose. The PP-Module identifies new SFRs that are used entirely to provide functionality for MDM Agents. The rationale for why this does not conflict with the claims defined by the MDM PP is as follows:
PP-Module Requirement | Consistency Rationale
Modified SFRs
This PP-Module does not modify any requirements when the MDM PP is the base.
Additional SFRs
FCS_STG_EXT.1/KEYSTO | The Base-PP requires the TOE to define a method of key storage. This PP-Module iterates it to specify the use of platform key storage for MDM Agents.
Mandatory SFRs
FAU_ALT_EXT.2
FAU_GEN.1/AUDITGEN
FAU_SEL.1/EVENTSEL
FIA_ENR_EXT.2
FMT_POL_EXT.2
FMT_SMF_EXT.4
FMT_UNR_EXT.1
Optional SFRs
This PP-Module does not define any optional requirements.
Selection-based SFRs
This PP-Module does not define any selection-based requirements.
Objective SFRs
FAU_STG_EXT.3
FPT_NET_EXT.1
Appendix A - Optional SFRs
This PP-Module does not define any optional SFRs.
Appendix B - Selection-based SFRs
This PP-Module does not define any selection-based SFRs.
Appendix C - Objective SFRs
This section is reserved for requirements that are not currently prescribed by this PP-Module but are expected to be included in future versions of the PP-Module. Vendors planning on having evaluations performed against future products are encouraged to plan for these objective requirements to be met.
FAU_STG_EXT.3 Security Audit Event Storage
FAU_STG_EXT.3.1
The MDM Agent shall store MDM audit records in the platform-provided audit storage.
Application Note: FAU_STG_EXT.3 should only be included in the ST for MDM Agent platforms (i.e., mobile devices) that conform to MDF PP version 3 or later.
FPT_NET_EXT.1 Network Reachability
FPT_NET_EXT.1.1
The TSF shall detect when a configurable [selection: positive integer of missed reachability events occur, time limit is exceeded] related to the last successful connection with the server has been reached.
Application Note: This requirement is to enable the Agent to determine if it has been out of connectivity with the Server for too long. The configuration of the number of allowed missed reachability events or time limit since last successful connection with the server is handled in the Server configuration policy of the Agent (the first selection of function 56 in FMT_SMF.1.1(1) within the MDM PP). If the first selection of FMT_SMF.1.1(1) function 56 is included in the ST, then FPT_NET_EXT.1.1 must be included in the ST.
If the Agent has been out of connectivity with the server for too long, then the remediation actions specified in the second selection of function 56 must occur. For example, if the Agent has not synced with the server in the allowed amount of time, the Agent must wipe the device without requiring a command from the Server.
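The following Go program is an added example of the FPT_NET_EXT.1.1 detection logic in both of its selectable forms; it is not code from this PP-Module or from any MDM product. A monitor either counts missed reachability events against a configured positive integer or compares the time since the last successful connection against a configured limit, and runs a caller-supplied remediation action once when the threshold is reached, standing in for the second selection of function 56. All timestamps are passed in by the caller rather than read from the system clock, which keeps the dependency on reliable time (FPT_STM.1) explicit and makes the logic testable; the configuration field names and the sample values are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Mode is the FPT_NET_EXT.1.1 selection: count missed reachability events, or
// bound the time since the last successful connection with the Server.
type Mode int

const (
	MissedEvents Mode = iota
	TimeLimit
)

// Config is the Server-configured threshold (first selection of function 56 in
// the MDM PP, per the Application Note). Field names are this example's own.
type Config struct {
	Mode       Mode
	MaxMissed  int           // MissedEvents: positive integer of missed events tolerated
	MaxSilence time.Duration // TimeLimit: longest tolerated gap since the last success
}

// Monitor tracks reachability. Every time value comes from the caller, i.e. the
// Agent's reliable clock (FPT_STM.1), so nothing here sleeps or reads the clock.
type Monitor struct {
	cfg         Config
	lastSuccess time.Time
	missed      int
	tripped     bool
	remediate   func() // remediation action (second selection of function 56), e.g. an enterprise wipe
	Trips       int    // how many times the threshold has been reached
}

// NewMonitor validates the configuration; a non-positive threshold is rejected
// because "detect after 0 missed events" would trip immediately.
func NewMonitor(cfg Config, now time.Time, remediate func()) (*Monitor, error) {
	switch cfg.Mode {
	case MissedEvents:
		if cfg.MaxMissed <= 0 {
			return nil, errors.New("MaxMissed must be a positive integer")
		}
	case TimeLimit:
		if cfg.MaxSilence <= 0 {
			return nil, errors.New("MaxSilence must be positive")
		}
	default:
		return nil, errors.New("unknown mode")
	}
	return &Monitor{cfg: cfg, lastSuccess: now, remediate: remediate}, nil
}

// Connected records a successful connection with the Server and resets the state.
func (m *Monitor) Connected(now time.Time) {
	m.lastSuccess = now
	m.missed = 0
	m.tripped = false
}

// Missed records a reachability event that did not reach the Server and reports
// whether the configured threshold has now been reached.
func (m *Monitor) Missed(now time.Time) bool {
	m.missed++
	return m.check(now)
}

// Tick is called periodically. It matters in TimeLimit mode, where the limit can
// be exceeded without any reachability event being attempted at all.
func (m *Monitor) Tick(now time.Time) bool { return m.check(now) }

func (m *Monitor) check(now time.Time) bool {
	if m.tripped {
		return true
	}
	var reached bool
	switch m.cfg.Mode {
	case MissedEvents:
		reached = m.missed >= m.cfg.MaxMissed
	case TimeLimit:
		reached = now.Sub(m.lastSuccess) > m.cfg.MaxSilence
	}
	if reached {
		m.tripped = true // remediate once per outage, not on every later check
		m.Trips++
		if m.remediate != nil {
			m.remediate()
		}
	}
	return reached
}

func main() {
	start := time.Date(2019, 4, 25, 0, 0, 0, 0, time.UTC) // constructed timeline
	byCount, _ := NewMonitor(Config{Mode: MissedEvents, MaxMissed: 3}, start,
		func() { fmt.Println("remediation: 3 reachability events missed") })
	for i := 1; i <= 4; i++ {
		fmt.Printf("miss %d -> threshold reached: %v\n", i, byCount.Missed(start.Add(time.Duration(i)*time.Hour)))
	}
	byTime, _ := NewMonitor(Config{Mode: TimeLimit, MaxSilence: 24 * time.Hour}, start,
		func() { fmt.Println("remediation: no successful connection for over 24h") })
	fmt.Println("after 23h:", byTime.Tick(start.Add(23*time.Hour)))
	fmt.Println("after 25h:", byTime.Tick(start.Add(25*time.Hour)))
}
```

In TimeLimit mode the comparison is against the last successful connection, not the last attempt, so a device that keeps trying and failing still trips; in MissedEvents mode a single success resets the count, which is the behaviour the selection text "related to the last successful connection with the server" implies.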
Appendix D - Extended Component Definitions
This appendix contains the definitions for the extended requirements that are used in the PP-Module including those used in Appendices A through C.
D.1 Background and Scope
This appendix provides a definition for all of the extended components introduced in this PP-Module. These components are identified in the following table:
Functional Class | Functional Components
Cryptographic Support (FCS) | FCS_STG_EXT Trusted Channel
Security Audit (FAU) | FAU_ALT_EXT MDM Alerts
Identification and Authentication (FIA) | FIA_ENR_EXT Enrollment
Security Management (FMT) | FMT_POL_EXT Trusted Policy Update; FMT_SMF_EXT Specification of Management Functions (Agent); FMT_UNR_EXT Unenrollment
Security Audit (FAU) | FAU_STG_EXT Protected Audit Event Storage
Protection of the TSF (FPT) | FPT_NET_EXT Network Reachability
D.2 Extended Component Definitions
FCS_STG_EXT Trusted Channel
This family is defined in both the MDF and the MDM Base-PPs. This PP-Module augments the extended family by adding one additional component, FCS_STG_EXT.4. This new component and its impact on the extended family’s component leveling are shown below; reference the MDF or MDM PP for all other definitions for this family.
Component Leveling
FCS_STG_EXT.4, Cryptographic Key Storage, requires the TSF to define a specific location for its key storage.
Management: FCS_STG_EXT.4
There are no management functions foreseen.
Audit: FCS_STG_EXT.4
There are no auditable events foreseen.
FCS_STG_EXT.4 Cryptographic Key Storage
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FCS_STG_EXT.4.1
The MDM Agent shall use the platform provided key storage for all persistent secret and private keys.
Component Leveling
FCS_STG_EXT.1/KEYSTO, Cryptographic Key Storage,
Management: FCS_STG_EXT.1/KEYSTO
There are no management functions foreseen.
Audit: FCS_STG_EXT.1/KEYSTO
There are no audit events foreseen.
FCS_STG_EXT.1/KEYSTO Cryptographic Key Storage
Hierarchical to: No other components.
Dependencies to: No dependencies.
FCS_STG_EXT.1.1/KEYSTO
Refinement: The MDM Agent shall use the [platform-provided key storage] for all persistent secret and private keys.
FAU_ALT_EXT MDM Alerts
This family is defined in the MDM Base-PP. This PP-Module augments the extended family by adding one additional component, FAU_ALT_EXT.2. This new component and its impact on the extended family’s component leveling are shown below; reference the MDM PP for all other definitions for this family.
Component Leveling
FAU_ALT_EXT.2, Agent Alerts, requires the TSF to define when and how an MDM Agent generates alerts and transmits them to an MDM Server based on its activity.
Management: FAU_ALT_EXT.2
The following actions could be considered for the management functions in FMT:
Ability to configure the specific events that result in generation of alerts.
Audit: FAU_ALT_EXT.2
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Minimal: Success/failure of sending alert.
FAU_ALT_EXT.2 Agent Alerts
Hierarchical to: No other components.
Dependencies to: FAU_ALT_EXT.1 Server Alerts
[FPT_ITT.1(2) Basic Internal TSF Data Transfer Protection; or FTP_ITC.1 Inter-TSF Trusted Channel]
FAU_ALT_EXT.2.1
The MDM Agent shall provide an alert via the trusted channel to the MDM Server in the event of any of the following audit events:
successful application of policies to a mobile device, [selection: receiving, generating] periodic reachability events, [selection: change in enrollment state, failure to install an application from the MAS Server, failure to update an application from the MAS Server, [assignment: other events], no other events].
FAU_ALT_EXT.2.2
The MDM Agent shall queue alerts if the trusted channel is not available.
FIA_ENR_EXT Enrollment
This family is defined in the MDM Base-PP. This PP-Module augments the extended family by adding one additional component, FIA_ENR_EXT.2. This new component and its impact on the extended family’s component leveling are shown below; reference the MDM PP for all other definitions for this family.
Component Leveling
FIA_ENR_EXT.2, Agent Enrollment of Mobile Device into Management, requires the TSF to record specific information about the MDM Server (i.e. the entity that is enrolling it) during the enrollment process.
Management: FIA_ENR_EXT.2
There are no management functions foreseen.
Audit: FIA_ENR_EXT.2
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Minimal: Completion of enrollment process.
FIA_ENR_EXT.2 Agent Enrollment of Mobile Device into Management
Hierarchical to: No other components.
Dependencies to: FIA_ENR_EXT.1 Enrollment of Mobile Device into Management
FIA_ENR_EXT.2.1
The MDM Agent shall record the reference identifier of the MDM Server during the enrollment process.
FMT_POL_EXT Trusted Policy Update
This family is defined in the MDM Base-PP. This PP-Module augments the extended family by adding one additional component, FMT_POL_EXT.2. This new component and its impact on the extended family’s component leveling are shown below; reference the MDM PP for all other definitions for this family.
Component Leveling
FMT_POL_EXT.2, Agent Trusted Policy Update, requires the TSF to verify the validity of the source of a policy before applying it.
Management: FMT_POL_EXT.2
There are no management functions foreseen.
Audit: FMT_POL_EXT.2
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Minimal: Failure to validate policy.
FMT_POL_EXT.2 Agent Trusted Policy Update
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FMT_POL_EXT.1 Trusted Policy Update
FMT_POL_EXT.2.1
The MDM Agent shall only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the MDM Server.
FMT_POL_EXT.2.2
The MDM Agent shall not install policies if the policy-signing certificate is deemed invalid.
FMT_SMF_EXT Specification of Management Functions (Agent)
This family is defined in the MDF Base-PP. This PP-Module augments the extended family by adding one additional component, FMT_SMF_EXT.4. This new component and its impact on the extended family’s component leveling are shown below; reference the MDF PP for all other definitions for this family.
Component Leveling
FMT_SMF_EXT.4, Specification of Management Functions, requires the TSF to support the execution of certain management functions that require interfacing with other TOE components.
Management: FMT_SMF_EXT.4
The following actions could be considered for the management functions in FMT:
Execution of management functions.
Configuration of management functions behavior.
Audit: FMT_SMF_EXT.4
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Minimal: Successful and failed execution of management functions.
FMT_SMF_EXT.4 Specification of Management Functions
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FMT_SMF_EXT.4.1
The MDM Agent shall be capable of interacting with the platform to perform the following functions: Import the certificates to be used for authentication of MDM Agent communications, [selection: administrator-provided management functions in MDF PP, administrator-provided device management functions in MDM PP] [selection: [assignment: additional functions], no additional functions].
FMT_SMF_EXT.4.2
The MDM Agent shall be capable of performing the following functions: Enroll in management; Configure whether users can unenroll from management; [selection: configure periodicity of reachability events, [assignment: other management functions], no other functions].
FMT_UNR_EXT Unenrollment
Family Behavior
Components in this family define requirements for TSF behavior when a user attempts to unenroll the TOE from mobile device management.
(Component leveling diagram: FMT_UNR_EXT, with the single component FMT_UNR_EXT.1.)
Component Leveling
FMT_UNR_EXT.1, User Unenrollment Prevention, requires the TSF either to prevent unenrollment entirely or to take some corrective action in the event that an unenrollment is initiated.
Management: FMT_UNR_EXT.1
There are no management functions foreseen.
Audit: FMT_UNR_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Minimal: Unenrollment from MDM.
FMT_UNR_EXT.1 User Unenrollment Prevention
Hierarchical to: No other components.
Dependencies to: [FIA_ENR_EXT.1 Enrollment of Mobile Device into Management; or FMT_MOF_EXT.1 Management of Functions Behavior]
FMT_UNR_EXT.1.1
The MDM Agent shall provide a mechanism to enforce the following behavior upon an attempt to unenroll the mobile device from management: [selection: prevent the unenrollment from occurring, apply remediation actions].
FAU_STG_EXT Protected Audit Event Storage
This family is defined in the MDM Base-PP. This PP-Module augments the extended family by adding one additional component, FAU_STG_EXT.3. This new component and its impact on the extended family’s component leveling are shown below; reference the MDM PP for all other definitions for this family.
Component Leveling
FAU_STG_EXT.3, Security Audit Event Storage, requires the TSF to identify a location for audit record storage and the events that are stored at this location.
Management: FAU_STG_EXT.3
There are no management functions foreseen.
Audit: FAU_STG_EXT.3
There are no auditable events foreseen.
FAU_STG_EXT.3 Security Audit Event Storage
Hierarchical to: No other components.
Dependencies to: FAU_GEN.1 Audit Data Generation
FAU_STG_EXT.3.1
The MDM Agent shall store MDM audit records in the platform-provided audit storage.
FPT_NET_EXT Network Reachability
Family Behavior
Components in this family define requirements for tracking the availability of network components.
(Component leveling diagram: FPT_NET_EXT, with the single component FPT_NET_EXT.1.)
Component Leveling
FPT_NET_EXT.1, Network Reachability, requires the TSF to keep track of failed attempts to communicate with a remote entity.
Management: FPT_NET_EXT.1
The following actions could be considered for the management functions in FMT:
Configuration of unreachability threshold.
Audit: FPT_NET_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Minimal: Reaching/exceeding unreachability threshold.
FPT_NET_EXT.1 Network Reachability
Hierarchical to: No other components.
Dependencies to: FPT_STM.1 Reliable Time Stamps
FPT_NET_EXT.1.1
The TSF shall detect when a configurable [selection: positive integer of missed reachability events occur, time limit is exceeded] related to the last successful connection with the server has been reached.
Appendix E - Use Case Templates
The following use case templates list those selections, assignments, and objective requirements that best support the use cases identified by this Protection Profile. Note that the templates assume that all SFRs listed in Section 5 are included in the ST, not just those listed in the templates. These templates and deviations from the template should be identified in the Security Target to assist customers with making risk-based purchasing decisions. Products that do not meet these templates are not precluded from use in the scenarios identified by this Protection Profile.
Where selections for a particular requirement are not identified in a use case template, all available selections are equally applicable to the use case.
[Use Case 1] Enterprise-owned device for general-purpose enterprise use
At this time no additional requirements are recommended for this use case.
[Use Case 2] Enterprise-owned device for specialized, high-security use
Requirement | Action
FAU_ALT_EXT.2.1 Function c | Include in ST.
FMT_UNR_EXT.1.1 | Select “prevent the unenrollment from occurring”.
[Use Case 3] Personally owned device for personal and enterprise use
Requirement | Action
FMT_UNR_EXT.1.1 | Select “apply remediation actions”.
[Use Case 4] Personally owned device for personal and limited enterprise use
At this time no additional requirements are recommended for this use case.
Appendix F - Bibliography
Identifier | Title
[CC] | Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and General Model, CCMB-2017-04-001, Version 3.1, Revision 5, April 2017. Part 2: Security Functional Components, CCMB-2017-04-002, Version 3.1, Revision 5, April 2017. Part 3: Security Assurance Components, CCMB-2017-04-003, Version 3.1, Revision 5, April 2017.
Appendix G - Acronyms
Acronym | Meaning
API | Application Programming Interface
BYOD | Bring Your Own Device
Base-PP | Base Protection Profile
CC | Common Criteria
CEM | Common Evaluation Methodology
COPE | Corporately Owned, Personally Enabled
DN | Distinguished Name
DTLS | Datagram Transport Layer Security
GPOS | General Purpose Operating System
HTTPS | HyperText Transfer Protocol Secure
IP | Internet Protocol
IPSec | Internet Protocol Security
MAS | Mobile Application Store
MD | Mobile Device
MDF | Mobile Device Fundamentals
MDM | Mobile Device Management
OE | Operational Environment
PP | Protection Profile
PP-Configuration | Protection Profile Configuration
PP-Module | Protection Profile Module
RBG | Random Bit Generation
SAR | Security Assurance Requirement
SD | Supporting Document
SFR | Security Functional Requirement
ST | Security Target
TLS | Transport Layer Security
TOE | Target of Evaluation
TSF | TOE Security Functionality
TSS | TOE Summary Specification
VPN | Virtual Private Network
WiFi | Wireless Fidelity