
    VMware AirWatch Mobile Device Management Supplemental Administrative Guidance

    Version 1.0, January 3, 2017

    AirWatch LLC
    1155 Perimeter Center West, Suite 100
    Atlanta, GA 30338

    Prepared By:
    Cyber Assurance Testing Laboratory
    304 Sentinel Drive, Suite 1160
    Annapolis Junction, MD 20701

  • 1 | P a g e

    Contents

    1 Introduction ... 2
    2 Intended Audience ... 2
    3 References ... 2
    4 Evaluated Configuration ... 3
    4.1 Product Components ... 3
    4.2 Supporting Environmental Components ... 3
    4.3 Assumptions ... 3
    4.4 Communications Protocols and Services ... 4
    5 Secure Acceptance, Installation, and Initial Configuration ... 4
    5.1 Server Installation ... 4
    5.2 Device Configuration, Agent Installation, and Enrollment ... 6
    5.3 Cryptographic Engine Configuration ... 7
    5.3.1 Configure Agent-Server TLS Mutual Authentication ... 7
    5.3.2 Allow Upload of Policy Signing Certificate ... 8
    5.3.3 Specify TLS Configuration ... 9
    5.4 Installing and Verifying Product Updates ... 9
    6 Secure Management of the TOE ... 10
    6.1 Audit Data ... 10
    6.1.1 MDM Server and Agent Auditing ... 10
    6.1.2 Storage of Audit Data ... 10
    6.2 Checking Connectivity Status ... 11
    6.3 Device and Policy Configuration ... 11
    6.4 MAS Server Configuration ... 13
    6.5 Administrative Roles and Privileges ... 14
    6.6 Login Banner Configuration ... 15
    7 Auditable Events ... 15
    8 Operational Modes ... 21
    9 Additional Support ... 21

    1 Introduction

    VMware AirWatch Mobile Device Management is a mobile device management (MDM) solution that is used to enforce access, usage, and security configuration policies on registered mobile devices in order to mitigate the risk of theft, malicious software, or other misuse. The VMware AirWatch MDM solution includes two components: a server application that is used to perform centralized administration of policies and reporting on device behavior, and an MDM agent application that is installed onto individual mobile devices and used to enforce policies and monitor device behavior through communication with the server software.

    2 Intended Audience

    This document is intended for administrators responsible for installing, configuring, and/or operating the VMware AirWatch MDM Server software. Guidance provided in this document allows the reader to deploy the product in an environment that is consistent with the configuration that was evaluated as part of the product's Common Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security functions that were claimed as part of the CC evaluation.

    This guidance also includes information on configuration of the behavior of the MDM Agent software as well as the communications between the agent and server. However, these activities are still performed by administrators. The security-relevant configuration of AirWatch for the purposes of conformance to its Common Criteria claims is transparent to end users, so no additional security-relevant guidance needs to be provided to them. Users must be made aware of organizational policies that govern secure and appropriate use of managed devices as well as instructions for performing lifecycle maintenance activities for the VMware AirWatch MDM Agent such as enrollment and application of updates.

    3 References

    While this supplemental guidance provides specific instructions to readers on how to configure the VMware AirWatch Mobile Device Management infrastructure in accordance with its Common Criteria evaluated configuration, existing AirWatch documentation contains the bulk of the general instructions for the installation, configuration, and ongoing management of AirWatch. Product documentation for AirWatch customers can be found on the myAirWatch page on www.air-watch.com (registration required).

    The following documents are relevant to the security configuration of VMware AirWatch Mobile Device Management based on the claims made for its Common Criteria evaluated configuration:

    [1] VMware AirWatch Installation Guide

    [2] VMware AirWatch Mobile Device Management Guide

    [3] VMware AirWatch iOS Platform Guide

    [4] Generating and Reviewing an APNS Certificate for AirWatch

    [5] VMware AirWatch Directory Services Guide

    [6] VMware AirWatch Integration with Microsoft ADCS via DCOM

    [7] VMware AirWatch Reports, Analytics, and Syslog Guide

    [8] VMware AirWatch Apple Device Enrollment Program Guide

    [9] VMware AirWatch On-Premises Configuration Guide

    The security functionality claimed by VMware AirWatch Mobile Device Management in its Common Criteria evaluated configuration has been defined in the VMware AirWatch Mobile Device Management Security Target. Product functionality or support for platforms that has not been explicitly claimed in the Security Target has not been evaluated as part of the Common Criteria certification.

    4 Evaluated Configuration

    This section lists the components that have been included in the product's evaluated configuration, whether they are part of the product itself, environmental components that support the security behavior of the product, or non-interfering environmental components that were present during testing but are not associated with any security claims:

    4.1 Product Components

    The AirWatch product in its evaluated configuration includes the VMware AirWatch Mobile Device Management server software and the iOS VMware AirWatch Mobile Device Management agent.

    4.2 Supporting Environmental Components

    The evaluated configuration of VMware AirWatch Mobile Device Management includes the following dependent components:

    • Microsoft Windows Server 2012 R2: underlying operating system for the VMware AirWatch MDM Server software and for the following dependent components:
      o Certification Authority (CA)
      o Microsoft SQL Enterprise
      o Active Directory Certificate Services
      o Active Directory / LDAP Server
    • Syslog server: syslog-compatible audit server used to collect audit data for AirWatch operational behavior
    • Apple iOS 9 or 10 (running on a compatible Apple device): underlying operating system for the VMware AirWatch MDM Agent
    • Apple Push Notifications / Apple Device Enrollment Program: third-party services provided by Apple that are used by AirWatch for device registration and server-to-agent communications
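    As an added example (not part of the AirWatch guidance and not VMware tooling), the following PowerShell pre-flight script checks that the section 4.2 dependencies are present before the server installation in section 5 is attempted. The syslog and LDAP host names and the syslog port are placeholders to replace with your own values; the script assumes the CA, AD DS and SQL Server (default instance) are co-located on the host it runs on. In a distributed deployment, run the role and service checks on each respective host instead.

```powershell
# Added pre-flight check for the section 4.2 dependencies; not part of the
# AirWatch product or its documentation. Run in an elevated PowerShell session
# on the intended Windows Server 2012 R2 host.

$SyslogHost = 'syslog.example.internal'   # assumption: your audit (syslog) server
$SyslogPort = 6514                        # assumption: syslog over TLS (RFC 5425)
$LdapHost   = 'dc01.example.internal'     # assumption: your AD / LDAP server

$results = @()

# 1. Underlying OS must be Windows Server 2012 R2 (NT 6.3, server product type)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results += [pscustomobject]@{
    Check  = 'Windows Server 2012 R2'
    Passed = ($os.Version -like '6.3.*' -and $os.ProductType -ne 1)
    Detail = "$($os.Caption) $($os.Version)"
}

# 2. AD Certificate Services (Certification Authority) and AD DS roles installed
Import-Module ServerManager
foreach ($feature in 'ADCS-Cert-Authority', 'AD-Domain-Services') {
    $f = Get-WindowsFeature -Name $feature
    $results += [pscustomobject]@{
        Check  = "Role $feature"
        Passed = [bool]$f.Installed
        Detail = [string]$f.InstallState
    }
}

# 3. Microsoft SQL Server default instance present and running
#    (assumption: default instance name MSSQLSERVER; adjust for a named instance)
$sql = Get-Service -Name 'MSSQLSERVER' -ErrorAction SilentlyContinue
$sqlDetail = if ($sql) { [string]$sql.Status } else { 'service not found' }
$results += [pscustomobject]@{
    Check  = 'SQL Server service'
    Passed = ($null -ne $sql -and $sql.Status -eq 'Running')
    Detail = $sqlDetail
}

# 4. Syslog collector and LDAP server reachable over TCP
foreach ($ep in @(@{ Name = 'Syslog'; HostName = $SyslogHost; Port = $SyslogPort },
                  @{ Name = 'LDAP';   HostName = $LdapHost;   Port = 389 })) {
    $t = Test-NetConnection -ComputerName $ep.HostName -Port $ep.Port -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "$($ep.Name) reachable ($($ep.HostName):$($ep.Port))"
        Passed = [bool]$t.TcpTestSucceeded
        Detail = [string]$t.RemoteAddress
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the check can gate an installation pipeline
if ($results.Passed -contains $false) {
    Write-Warning 'One or more evaluated-configuration dependencies are missing; do not proceed with installation.'
    exit 1
}
```

    Test-NetConnection only exercises TCP, so if your audit server accepts syslog over UDP/514 the reachability line will report a failure that is not meaningful; either point it at the TLS listener the evaluated configuration's audit guidance expects or replace that check with one appropriate to your transport.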

    4.3 Assumptions

    In order to ensure the product is capable of meeting its security requirements when deployed in its evaluated configuration, the following conditions must be satisfied by the organization, as defined in the claimed Protection Profiles:

    Availability of network connectivity: VMware AirWatch Mobile Device Management requires network connectivity in order to communicate policy
