Transcript
Page 1: VMware AirWatch Mobile Device Management … · VMware AirWatch Mobile Device Management . Supplemental Administrative Guidance . ... and Syslog Guide [8] VMware AirWatch ... Installation

VMware AirWatch Mobile Device Management Supplemental Administrative Guidance

Version 1.0 January 3, 2017

AirWatch LLC 1155 Perimeter Center West

Suite 100 Atlanta, GA 30338

Prepared By:

Cyber Assurance Testing Laboratory 304 Sentinel Drive, Suite 1160

Annapolis Junction, MD 20701


1 | P a g e

Contents

1 Introduction ........................................................................................................................................... 2

2 Intended Audience ................................................................................................................................ 2

3 References ............................................................................................................................................. 2

4 Evaluated Configuration ....................................................................................................................... 3

4.1 Product Components ..................................................................................................................... 3

4.2 Supporting Environmental Components ....................................................................................... 3

4.3 Assumptions .................................................................................................................................. 3

4.4 Communications Protocols and Services ...................................................................................... 4

5 Secure Acceptance, Installation, and Initial Configuration................................................................... 4

5.1 Server Installation ......................................................................................................................... 4

5.2 Device Configuration, Agent Installation, and Enrollment........................................................... 6

5.3 Cryptographic Engine Configuration ............................................................................................ 7

5.3.1 Configure Agent-Server TLS Mutual Authentication ........................................................... 7

5.3.2 Allow Upload of Policy Signing Certificate ......................................................................... 8

5.3.3 Specify TLS Configuration ................................................................................................... 9

5.4 Installing and Verifying Product Updates ..................................................................................... 9

6 Secure Management of the TOE ......................................................................................................... 10

6.1 Audit Data ................................................................................................................................... 10

6.1.1 MDM Server and Agent Auditing ...................................................................................... 10

6.1.2 Storage of Audit Data ......................................................................................................... 10

6.2 Checking Connectivity Status ..................................................................................................... 11

6.3 Device and Policy Configuration ................................................................................................ 11

6.4 MAS Server Configuration ......................................................................................................... 13

6.5 Administrative Roles and Privileges ........................................................................................... 14

6.6 Login Banner Configuration ....................................................................................................... 15

7 Auditable Events ................................................................................................................................. 15

8 Operational Modes .............................................................................................................................. 21

9 Additional Support .............................................................................................................................. 21


1 Introduction

VMware AirWatch Mobile Device Management is a mobile device management (MDM) solution that is used to enforce access, usage, and security configuration policies on registered mobile devices in order to mitigate the risk of theft, malicious software, or other misuse. The VMware AirWatch MDM solution includes two components: a server application that is used to perform centralized administration of policies and reporting on device behavior, and an MDM agent application that is installed onto individual mobile devices and used to enforce policies and monitor device behavior through communication with the server software.

2 Intended Audience

This document is intended for administrators responsible for installing, configuring, and/or operating the VMware AirWatch MDM Server software. Guidance provided in this document allows the reader to deploy the product in an environment that is consistent with the configuration that was evaluated as part of the product's Common Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security functions that were claimed as part of the CC evaluation.

This guidance also includes information on configuration of the behavior of the MDM Agent software as well as the communications between the agent and server. However, these activities are still performed by administrators. The security-relevant configuration of AirWatch for the purposes of conformance to its Common Criteria claims is transparent to end users, so no additional security-relevant guidance needs to be provided to them. Users must be made aware of organizational policies that govern secure and appropriate use of managed devices as well as instructions for performing lifecycle maintenance activities for the VMware AirWatch MDM Agent, such as enrollment and application of updates.

3 References

While this supplemental guidance provides specific instructions to readers on how to configure the VMware AirWatch Mobile Device Management infrastructure in accordance with its Common Criteria 'evaluated configuration', existing AirWatch documentation contains the bulk of the general instructions for the installation, configuration, and ongoing management of AirWatch. Product documentation for AirWatch customers can be found on the "myAirWatch" page on www.air-watch.com (registration required).

The following documents are relevant to the security configuration of VMware AirWatch Mobile Device Management based on the claims made for its Common Criteria evaluated configuration:

[1] VMware AirWatch Installation Guide

[2] VMware AirWatch Mobile Device Management Guide

[3] VMware AirWatch iOS Platform Guide

[4] Generating and Renewing an APNS Certificate for AirWatch

[5] VMware AirWatch Directory Services Guide


[6] VMware AirWatch Integration with Microsoft ADCS via DCOM

[7] VMware AirWatch Reports, Analytics, and Syslog Guide

[8] VMware AirWatch Apple Device Enrollment Program Guide

[9] VMware AirWatch On-Premises Configuration Guide

The security functionality claimed by VMware AirWatch Mobile Device Management in its Common Criteria evaluated configuration has been defined in the VMware AirWatch Mobile Device Management Security Target. Product functionality or support for platforms that has not been explicitly claimed in the Security Target has not been evaluated as part of the Common Criteria certification.

4 Evaluated Configuration

This section lists the components that have been included in the product's evaluated configuration, whether they are part of the product itself, environmental components that support the security behavior of the product, or non-interfering environmental components that were present during testing but are not associated with any security claims:

4.1 Product Components

The AirWatch product in its evaluated configuration includes the VMware AirWatch Mobile Device Management server software and the iOS VMware AirWatch Mobile Device Management agent.

4.2 Supporting Environmental Components

The evaluated configuration of VMware AirWatch Mobile Device Management includes the following dependent components:

• Microsoft Windows Server 2012 R2 – underlying operating system for VMware AirWatch MDM Server software and for the following dependent components:

o Certification Authority (CA)
o Microsoft SQL Enterprise
o Active Directory Certificate Services
o Active Directory / LDAP Server

• Syslog server – syslog-compatible audit server used to collect audit data for AirWatch operational behavior

• Apple iOS 9 or 10 (running on compatible Apple device) – underlying operating system for VMware AirWatch MDM Agent

• Apple Push Notifications/Apple Device Enrollment Program – third-party services provided by Apple that are used by AirWatch for device registration and server-to-agent communications

4.3 Assumptions

In order to ensure the product is capable of meeting its security requirements when deployed in its evaluated configuration, the following conditions must be satisfied by the organization, as defined in the claimed Protection Profiles:


• Availability of network connectivity: VMware AirWatch Mobile Device Management requires network connectivity in order to communicate policy updates to managed devices and to receive status information from them. This also requires mutual connectivity to the network services provided by Apple.

• Trustworthiness of server platform: The system on which the AirWatch server application is installed and the local network in which it resides are assumed to be configured securely and to have access to the functionality required for meeting its security requirements, such as certificate validation services, remote audit storage, and directory services. In the evaluated configuration, two instances of the AirWatch server application are deployed such that one instance is configured internally while the instance that interfaces directly with managed devices resides in a DMZ.

• Trusted administration: Administrators are expected to be trusted individuals with relevant technical skills for administration of AirWatch and are expected to read and abide by its configuration instructions, including this supplemental guidance.

• Proper users: Users of mobile devices are expected to not be willfully negligent or hostile and will use the device in a manner that complies with organizational security policies.

• Trustworthiness of device platform: The VMware AirWatch MDM Agent will be installed on a mobile operating system that is configured in accordance with its own Common Criteria evaluated configuration.

4.4 Communications Protocols and Services

In the evaluated configuration, the following secure protocols were tested:

• TLS/HTTPS: remote administration of the VMware AirWatch MDM Server application
• TLS: LDAP communications
• TLS: syslog server communications
• TLS: SQL database communications
• TLS: communications between AirWatch and Apple Push Notifications/Apple DEP
• TLS/HTTPS: VMware AirWatch MDM Agent/Server communications

5 Secure Acceptance, Installation, and Initial Configuration

5.1 Server Installation

After acquiring licenses from AirWatch sales, the customer will receive an account to support.air-watch.com. The executable files for server components are loaded onto the "Resource Portal" page of the customer support account. These files can then be downloaded by the customer and transferred to the appropriate servers for installation.

In the evaluated configuration, AirWatch was deployed in an On-Premises configuration as described in [9]. This deployment consists of an instance of the VMware AirWatch MDM Server application that resides in an internal network for remote administration and a second instance of the application (referred to as Device Services) which resides in a DMZ and is used to facilitate communications with individual MDM Agents.


During operation, there is no expectation that Device Services is managed persistently; all configuration instructions for the Device Services server are to be performed during initial setup.

VMware AirWatch Mobile Device Management also includes a Mobile Application Store (MAS) Server. This is installed automatically as part of the MDM Server software and is not a separate component. However, since certain Common Criteria requirements explicitly reference MAS Server functionality separately from the remainder of the MDM capabilities, its configuration and use is discussed separately when necessary.

Installation of the VMware AirWatch MDM Server software is described comprehensively in [1]. There are no specific instructions or deviations from this guidance that need to be followed in order to ensure that AirWatch is set up in its evaluated configuration. Note however that when compatible operating system platforms are specified in [1], the administrator is expected to choose one of the supporting components that are specified in section 4.2 of this guidance.

Once the installation has been performed, the SQL Server database should be configured to accept TLS connections. This is done by following the steps in Microsoft's guidance on enabling encrypted connections to the Database Engine: https://technet.microsoft.com/en-us/library/ms191192.aspx.

Configuration of the MDM Server certificate and use of HTTPS for trusted communications is specified in chapter 2 of [1]. When HTTPS is enabled, port 80 connection attempts to the MDM Server will be redirected to port 443.

Once the MDM Server has been installed, the following guidance should be followed for first-time usage and to set up the relevant connections to external interfaces.

1. After installation, log in to the AirWatch Console web portal using the following default credentials:

Username: administrator
Password: airwatch

2. Change the default password to a strong password (e.g. a passphrase at least fifteen characters in length) and then accept the license agreement.

3. Specify the password recovery questions and security PIN.

4. Configure the MDM Server to communicate with Apple Push Notification Service (APNS) by following the procedures in “Generating and Renewing an APNS Certificate for AirWatch”. [4]

5. Configure the MDM Server to communicate with an external authentication (AD/LDAP) server by following the procedures in “VMware AirWatch Directory Services Guide”. [5]

6. Configure the MDM Server to communicate with the Certification Authority server by following the procedures in “VMware AirWatch Integration with Microsoft ADCS via DCOM”. [6]

7. Configure the MDM Server to communicate with an external audit (syslog) server by following the procedures in “VMware AirWatch Reports, Analytics, and Syslog Guide”. [7]

a. Execute the following database query to eliminate the minimum severity threshold for transmission of audit data to Syslog:

UPDATE DBO.SystemCode SET DefaultValue = 'True' WHERE SystemCodeID = 5122


8. Configure the MDM Server to communicate with Apple Device Enrollment Program (DEP) by following the procedures in “VMware AirWatch Apple Device Enrollment Program Guide”. [8]

9. Configure the MDM Server for communication with an SMTP server by completing the following steps:

a. Authenticate to the AirWatch MDM Console as the administrator.
b. Navigate to "Groups & Settings" > "All Settings" > "Enterprise Integration" > "Email (SMTP)".
c. Enter the SMTP server and port.
d. Click "Save".

10. Perform the following configuration settings to the AirWatch MDM Console to ensure regular compliance checking of enrolled devices:

a. Authenticate to the AirWatch MDM Console as the administrator.
b. Navigate to "Groups & Settings" > "All Settings" > "Installation" > "Performance Tuning".
c. Ensure "Allow minutes as minimum compliance interval" is checked.

5.2 Device Configuration, Agent Installation, and Enrollment

In order to ensure that AirWatch is deployed in a manner that is consistent with the assumptions defined in section 4.3 of this document, the underlying mobile device must be configured in a manner consistent with its Common Criteria evaluated configuration. Guidance for this can be found in the Common Criteria supplemental guidance for iOS 9.3.2, found here: https://www.niap-ccevs.org/st/st_vid10725-agd.pdf.

Once the AirWatch server application is up and running, individual devices will acquire the VMware AirWatch MDM Agent through enrollment. In the evaluated configuration, enrollment is performed through Apple DEP. The administrator must follow the steps outlined in chapter 2 of [3] under “Enrolling an iOS Device with the Apple Device Enrollment Program (DEP)” including any subsequent references (e.g. the entirety of [8]) in order to ensure the environment is configured to support this enrollment method. To conform to the Common Criteria evaluated configuration, the Lock MDM Profile setting in MDM Features must be enabled when creating the DEP Profile that is used for enrollment. This prevents the user from unenrolling their device by any method other than factory reset of the device.

When the device has been registered through DEP and assigned to an MDM Profile in AirWatch, the user or administrator performing the initial configuration of the device will be prompted to set up the connection to the environment’s VMware AirWatch MDM Server as part of the initial setup process of the device. Enrollment must be performed by the device when it is coming out of its factory default/reset state. As part of the enrollment process, the device will automatically receive a unique certificate for the VMware AirWatch MDM Agent and configure certificate information for the MDM Server, including the reference identifier for the MDM Server certificate.

Since the evaluated configuration of AirWatch limits enrollment to only devices registered by Apple DEP, it is necessary to configure the VMware AirWatch MDM Server to enforce this restriction. This is done in the AirWatch Console under Settings > All Settings > Devices & Users > General > Enrollment. On the first tab (Authentication), the Current Setting button must be set to Override and Devices Enrollment Mode must be set to Registered Devices Only.


5.3 Cryptographic Engine Configuration

VMware AirWatch Mobile Device Management provides cryptography in support of satisfying its security objectives. The VMware AirWatch MDM Agent software uses the FIPS-validated cryptography provided by the underlying iOS platform, so no additional configuration is required on the device.

There are no specific steps that are required to follow in order to configure key generation and establishment functionality; these functions are provided automatically by the underlying cryptographic modules and are specified by the specific protocols that require them.

This evaluation does not make any claims of cryptographic strength for any other cryptographic modules or configurations besides what is claimed in the Security Target.

The evaluated configuration of the VMware AirWatch MDM Server software requires the underlying operating system to use its FIPS-validated cryptographic modules (CNG.sys and bcryptprimitives.dll). Prior to installation of AirWatch, administrators must ensure that the configuration guidance provided in the FIPS Security Policy documentation is followed. The documentation can be found at the following locations:

• CNG.sys: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2356.pdf
• bcryptprimitives.dll: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2357.pdf

5.3.1 Configure Agent-Server TLS Mutual Authentication

1. On the Device Services system, launch IIS Manager.
2. Go to "Sites" > "Default Web Site" > "DeviceServices".
3. Click on "SSL Settings".
4. Check "Require SSL" and choose "Require" for Client certificates.
5. Launch a command prompt by entering "cmd.exe" at the Run box.
6. Enter the following commands at the command prompt:

netsh http show sslcert ipport=0.0.0.0:443
(record the "Certificate Hash" and "Application ID" (GUID) values in the output)

netsh http delete sslcert ipport=0.0.0.0:443

netsh http add sslcert ipport=0.0.0.0:443 certhash=[certificate hash from above] appid={[GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable

netsh http show sslcert
(confirm that "Negotiate Client Certificate" and "Verify Client Certificate Revocation" now show Enabled for the 0.0.0.0:443 binding)

7. On the Device Services system, launch IIS Manager.
8. Go to "Sites" > "Default Web Site".
9. Click on "Bindings…".
10. Click "Add…".
11. Choose "https" for the type, specify "All Unassigned" for IP address, and specify "8443" for the port.
12. Specify the SSL certificate, then click "OK".
13. To enable TLS mutual authentication, execute the following query on the database server:

UPDATE DBO.SystemCode SET DefaultValue = 'True' WHERE SystemCodeID = 5107

14. Navigate to "Groups & Settings" > "All Settings" > "System" > "Security" > "TLS Mutual Authentication" and select the CA and Certificate Template for the DEP Enrollment Profile and the Agent Authentication Settings, as seen in the screenshot below.

15. Log in to the AirWatch MDM Server console and navigate to "Groups & Settings" > "All Settings" > "System" > "Advanced" > "Site URLs".

a. Specify the “Device Management URL” to be the following: https://<FQDN of Device Services server>:8443/DeviceManagement
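The netsh sequence in steps 5 and 6 above is easy to get wrong by hand (a mistyped hash or GUID leaves the Device Services site with no 443 binding at all), and nothing in the steps confirms that the client-certificate flags actually took effect. The following PowerShell script is an added example, not part of the AirWatch guidance: it reads the existing binding, re-creates it with the same flags the guidance specifies, restores the original binding if the re-add fails, and then checks the security-relevant fields of netsh http show sslcert. The default IP:port is the one the guidance uses; the function names are this example's own. Run it elevated on the Device Services system.

```powershell
# Added example (not part of the AirWatch guidance): rebind HTTP.sys on the
# Device Services server so client certificates are negotiated and checked
# for revocation, as section 5.3.1 steps 5-6 do by hand, then verify it.
#Requires -RunAsAdministrator
param([string]$IpPort = '0.0.0.0:443')   # the binding the guidance modifies

function Get-SslCertBinding {
    # Parse "netsh http show sslcert" for one IP:port into an object.
    param([string]$IpPort)
    $out = (netsh http show sslcert "ipport=$IpPort" 2>&1) -join "`n"
    if ($out -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $hash = $Matches[1] }
    else { throw "No SSL certificate binding found for $IpPort.`n$out" }
    if ($out -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') { $appId = $Matches[1] }
    else { throw "Could not read the application ID of the $IpPort binding" }
    [pscustomobject]@{ IpPort = $IpPort; CertHash = $hash; AppId = $appId; Raw = $out }
}

function Test-MutualAuthBinding {
    # Confirm the fields the guidance's flags are meant to change.
    param([string]$IpPort)
    $raw = (Get-SslCertBinding -IpPort $IpPort).Raw
    $expected = [ordered]@{
        'Negotiate Client Certificate'         = 'Enabled'
        'Verify Client Certificate Revocation' = 'Enabled'
        'Usage Check'                          = 'Enabled'
    }
    $ok = $true
    foreach ($k in $expected.Keys) {
        $re = '{0}\s*:\s*{1}' -f [regex]::Escape($k), $expected[$k]
        if ($raw -notmatch $re) { Write-Warning "$k is not $($expected[$k]) on $IpPort"; $ok = $false }
    }
    return $ok
}

function Set-MutualAuthBinding {
    param([string]$IpPort)
    $b = Get-SslCertBinding -IpPort $IpPort
    Write-Host "Rebinding $IpPort (certhash $($b.CertHash), appid $($b.AppId))"
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
    # Same flags as the guidance; appid is quoted so PowerShell passes the braces through.
    netsh http add sslcert "ipport=$IpPort" "certhash=$($b.CertHash)" "appid=$($b.AppId)" `
        certstorename=MY verifyclientcertrevocation=enable `
        verifyrevocationwithcachedclientcertonly=disable usagecheck=enable `
        clientcertnegotiation=enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Failure mode the manual steps do not cover: the binding is gone. Put the old one back.
        netsh http add sslcert "ipport=$IpPort" "certhash=$($b.CertHash)" "appid=$($b.AppId)" certstorename=MY | Out-Null
        throw "netsh http add sslcert failed (exit $LASTEXITCODE); original binding restored without mutual auth"
    }
    return (Test-MutualAuthBinding -IpPort $IpPort)
}

if (-not (Set-MutualAuthBinding -IpPort $IpPort)) { exit 1 }
Write-Host "Client certificate negotiation and revocation checking enabled on $IpPort"
```

The IIS "Require" client-certificate setting from step 4 and the HTTP.sys clientcertnegotiation flag are separate controls; the script only touches the latter, so step 4 still has to be done in IIS Manager.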

5.3.2 Allow Upload of Policy Signing Certificate

1. Execute the following database query to enable the ability to upload a “Policy Signing Certificate” to the MDM Server:

UPDATE dbo.SystemCodeCategory SET ResourceID = 7192 WHERE SystemCodeCategoryID = 370

2. On the MDM Console Server and DS Server, open the AirWatch/AirWatch 9.0/Services/AW.ChangeEvent.QueueService.exe.config file in a text editor.

a. Add the following string to the file in the <appSettings></appSettings> section:

<!-- setting to enable TLS cert validation --> <add key="ValidateSyslogCert" value="true"/>

b. On the MDM Console server, launch services.msc and restart the “AirWatch Entity Change Queue Monitor” service.

3. On the MDM Console Server, open the AirWatch/AirWatch 9.0/Websites/WanderingWiFi.AirWatch.Console.Web/Web.config file in a text editor.

a. Add the following string to the file in the <appSettings></appSettings> section:


<!-- setting to enable TLS cert validation --> <add key="ValidateSyslogCert" value="true"/>

b. On the MDM Console server, restart IIS by executing the iisreset command.

Once this has been done, the actual policy signing certificate is uploaded through the AirWatch Console under Groups & Settings > System > Advanced > Policy Signing Certificate.

5.3.3 Specify TLS Configuration

1. On the MDM Console Server and DS Server, limit the TLS ciphersuites such that only the claimed ciphersuites are enabled. All or a subset of the following TLS ciphersuites must be chosen:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

a. Launch Start > Run > "gpedit.msc".
b. Navigate to "Computer Configuration" > "Administrative Templates" > "Network" > "SSL Configuration Settings" > "SSL Cipher Suite Order".
c. Enable "SSL Cipher Suite Order".
d. Specify the claimed SSL cipher suites in the text box.
e. Click "Apply" then "OK".
f. Restart the system.
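The gpedit.msc setting above writes a single registry value, so the same restriction can be applied and, more importantly, audited from PowerShell. The script below is an added example, not part of the AirWatch guidance. It writes the eight claimed suites to the local "SSL Cipher Suite Order" policy and then reads the value back to report any suite outside the claimed set. Two details are assumptions worth checking in your environment: on Windows Server 2012 R2 the ECDHE entries in this policy carry a curve suffix (_P256/_P384), which the script adds when it detects a pre-Windows-10 OS version, and a domain GPO that sets the same policy will overwrite the local value. The server must be restarted for the change to take effect, as in step f.

```powershell
# Added example (not part of the AirWatch guidance): set and verify the
# "SSL Cipher Suite Order" local policy from section 5.3.3 step 1.
#Requires -RunAsAdministrator

# The eight suites claimed in the evaluated configuration (section 5.3.3).
$ClaimedSuites = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
)
# Registry location behind the gpedit.msc "SSL Cipher Suite Order" setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Expand-CipherSuiteList {
    # Assumption: Server 2012 R2 expects ECDHE suites here with a curve suffix
    # (_P256/_P384); Windows 10 / Server 2016 and later use the bare names.
    param([string[]]$Suites, [bool]$CurveSuffix)
    foreach ($s in $Suites) {
        if ($CurveSuffix -and $s -like 'TLS_ECDHE_*') { "${s}_P256"; "${s}_P384" }
        else { $s }
    }
}

function Set-ClaimedCipherSuiteOrder {
    param([string[]]$Suites = $ClaimedSuites)
    $legacy = [Environment]::OSVersion.Version.Major -lt 10   # OS heuristic, see above
    $list = (Expand-CipherSuiteList -Suites $Suites -CurveSuffix $legacy) -join ','
    # The policy value is one REG_SZ and is limited to 1023 characters.
    if ($list.Length -gt 1023) { throw "Cipher suite list too long ($($list.Length) chars)" }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $list -Type String
    return $list
}

function Get-NonClaimedCipherSuites {
    # Read the policy back; returns configured suites NOT in the claimed set (empty = good).
    param([string[]]$Suites = $ClaimedSuites)
    $functions = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction Stop).Functions
    $allowed = @(Expand-CipherSuiteList -Suites $Suites -CurveSuffix $true) + $Suites
    $functions -split ',' | Where-Object { $_ -and ($allowed -notcontains $_) }
}

Set-ClaimedCipherSuiteOrder | Out-Null
$extra = @(Get-NonClaimedCipherSuites)
if ($extra.Count -gt 0) {
    Write-Warning ("Non-claimed suites present in policy: " + ($extra -join ', '))
    exit 1
}
Write-Host 'Cipher suite order restricted to the claimed suites; restart the server to apply.'
```

Get-NonClaimedCipherSuites is the useful half for ongoing operation: run it after each patch cycle or GPO change, and a non-empty result means the server has drifted out of the evaluated configuration.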

The following steps are used to specify that TLS 1.0, TLS 1.1, and TLS 1.2 are the only supported TLS versions:

2. On the MDM Console Server and DS Server, open the AirWatch/AirWatch 9.0/WebSites/WanderingWiFi.AirWatch.Console.Web/web.config and AirWatch/AirWatch 9.0/Services/AW.ChangeEvent.QueueService.exe.config files in a text editor.

a. Add the following string to each file in the <appSettings></appSettings> section:

<add key="OutboundTlsProtocols" value="Tls, Tls11, Tls12"/>

b. On the MDM Console and DS server, launch services.msc.
c. Restart the "AirWatch Entity Change Queue Monitor" service.
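Sections 5.3.2 (ValidateSyslogCert) and 5.3.3 step 2 (OutboundTlsProtocols) both ask for an <add key=...> element to be inserted into the <appSettings> section of the same two .NET configuration files by hand. Editing XML in a text editor is where duplicated keys and broken files come from, so the following PowerShell script is offered as an added example (not part of the AirWatch guidance) that makes both edits in one pass: it backs up each file, updates the key if it already exists and appends it otherwise, and then performs the restarts the guidance calls for. The AirWatch installation root and the assumption that the config root element is <configuration> are this example's; the key names, values and the comment text are the ones the guidance specifies.

```powershell
# Added example (not part of the AirWatch guidance): add or update <appSettings>
# keys in AirWatch .NET config files idempotently, for sections 5.3.2 and 5.3.3.
param([string]$AirWatchRoot = 'C:\AirWatch\AirWatch 9.0')   # assumption: install root

function Set-AppSettingKey {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value,
        [string]$Comment
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        # The Console web.config does not exist on the DS server; skip rather than fail.
        Write-Warning "Config not found, skipping: $ConfigPath"
        return
    }
    Copy-Item -LiteralPath $ConfigPath -Destination ('{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
    }
    # Idempotent: a second run updates the value instead of adding a duplicate key.
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($node) {
        $changed = $node.GetAttribute('value') -ne $Value
        $node.SetAttribute('value', $Value)
    } else {
        if ($Comment) { $appSettings.AppendChild($xml.CreateComment(" $Comment ")) | Out-Null }
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        $appSettings.AppendChild($node) | Out-Null
        $changed = $true
    }
    $xml.Save($ConfigPath)
    [pscustomobject]@{ File = $ConfigPath; Key = $Key; Value = $Value; Changed = $changed }
}

$configs = @(
    (Join-Path $AirWatchRoot 'Services\AW.ChangeEvent.QueueService.exe.config')
    (Join-Path $AirWatchRoot 'Websites\WanderingWiFi.AirWatch.Console.Web\Web.config')
)
foreach ($cfg in $configs) {
    Set-AppSettingKey -ConfigPath $cfg -Key 'ValidateSyslogCert' -Value 'true' `
        -Comment 'setting to enable TLS cert validation'                   # section 5.3.2
    Set-AppSettingKey -ConfigPath $cfg -Key 'OutboundTlsProtocols' -Value 'Tls, Tls11, Tls12'   # section 5.3.3
}

# The services only read the files at start-up (sections 5.3.2 and 5.3.3).
Get-Service -DisplayName 'AirWatch Entity Change Queue Monitor' -ErrorAction SilentlyContinue | Restart-Service
iisreset | Out-Null
```

Run the script on both the MDM Console server and the DS server; the Web.config branch is skipped with a warning where that site is not installed, and the .bak copies are what you diff against if a later AirWatch upgrade rewrites the files.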

TLS reference identifiers for the MDM Agent client are hard-coded and automatically set upon enrollment; no administrative actions are required in order to configure this. Validation of the reference identifier is automatically handled by IIS and so this does not require administrative action in order to use in its evaluated configuration.

5.4 Installing and Verifying Product Updates

The VMware AirWatch MDM Server software is updated entirely through the underlying Windows Server platform. The signing certificate used by AirWatch is issued by VeriSign and installed in the Windows trusted certificate store. Software updates are made available to AirWatch customers at http://www.air-watch.com. In order to install the update, the administrator will stop all AirWatch services and then run the provided executable installer. If AirWatch is installed on the system, the installer will automatically locate it. If the signature of the update cannot be validated by the platform, the installation process will return an error and abort. Individual systems must be updated separately, so the administrator should take care to update both the MDM Console server and the DS server when updates are available. The current running version of the software can be verified in the MDM Console under About.
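The guidance relies on the platform rejecting an installer whose signature does not validate. A practitioner normally wants that check to happen before AirWatch services are stopped and the installer is launched, and wants the signer and file hash recorded for the change record. The script below is an added example, not part of the AirWatch guidance: it inspects the Authenticode signature of a downloaded installer with Get-AuthenticodeSignature and refuses to proceed unless the signature is valid and the signer subject matches an expected pattern. The default pattern 'AirWatch' is an assumption; take the expected subject from a known-good installer in your own environment rather than from this example.

```powershell
# Added example (not part of the AirWatch guidance): verify an update installer's
# Authenticode signature and publisher before running it (section 5.4).
param(
    [Parameter(Mandatory)][string]$InstallerPath,
    [string]$ExpectedSubjectPattern = 'AirWatch'   # assumption: check against a known-good installer
)

function Test-InstallerSignature {
    param([string]$Path, [string]$SubjectPattern)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject     # $null when unsigned
        Issuer      = $sig.SignerCertificate.Issuer
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        TimeStamped = [bool]$sig.TimeStamperCertificate  # signature survives cert expiry
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted     = $false
    }
    # 'Valid' means the file hash matches the signature and the chain builds to a
    # trusted root; the subject check guards against a valid signature from the
    # wrong publisher, which the platform alone would accept.
    $result.Trusted = ($sig.Status -eq 'Valid') -and ($result.Signer -match $SubjectPattern)
    return $result
}

$r = Test-InstallerSignature -Path $InstallerPath -SubjectPattern $ExpectedSubjectPattern
$r | Format-List
if (-not $r.Trusted) {
    Write-Error "Refusing to run $InstallerPath (status '$($r.Status)', signer '$($r.Signer)')"
    exit 1
}
# Keep $r.Sha256 and $r.Thumbprint in the change record, then stop the AirWatch
# services and run the installer as described in section 5.4.
```

Run it on both the MDM Console server and the DS server against the copy of the installer actually transferred to each, since the file is moved between systems after download.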

6 Secure Management of the TOE

6.1 Audit Data

6.1.1 MDM Server and Agent Auditing

Both the VMware AirWatch MDM Server and VMware AirWatch MDM Agent produce audit logs of their security-relevant behavior. Since the MAS Server is the same logical component as the MDM Server, all auditable events for both components will be treated identically. The specific log types and sample audit data are provided in section 7 of this guide.

By default, records that are transmitted remotely to syslog begin with a timestamp. The remainder of the records use a configurable format that is specified in the AirWatch Console under Settings > System > Enterprise Integration > Syslog and can be reorganized as desired. The default format is as follows:

AirWatch Syslog Details are as follows
Event Type: {EventType}
Event: {Event}
User: {User}
Event Source: {EventSource}
Event Module: {EventModule}
Event Category: {EventCategory}
Event Data: {EventData}

The set of events that are audited can be configured as well. This can be managed under Groups & Settings > System > Enterprise Integration > Syslog > Advanced. It is recommended that “Select All” be chosen for both Console and Device events.
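The default template above is what the syslog collector has to take apart, and the labels are the only delimiters between fields. The following PowerShell is an added example, not part of the AirWatch guidance: it builds a parser from the template's label order, handles records whether the template's line breaks arrive intact or flattened onto one line, and flags records a collector should not silently accept (lines that do not match the template, or an Event Type outside the Console and Device event types described in section 6.1.2). The sample records are constructed for this example; their timestamp format and event names are illustrative, not actual AirWatch output.

```powershell
# Added example (not part of the AirWatch guidance): parse the default AirWatch
# syslog record format of section 6.1.1 and flag records that do not fit it.

# Labels of the default template, in the order the template emits them.
$Labels = 'Event Type', 'Event', 'User', 'Event Source', 'Event Module', 'Event Category', 'Event Data'

# One regex from the label order: "<label>:" then a lazy capture up to the next label.
$pattern = '^(?<Timestamp>.*?)\s*AirWatch Syslog Details are as follows\s*' +
    (($Labels | ForEach-Object {
        '{0}:\s*(?<{1}>.*?)' -f [regex]::Escape($_), ($_ -replace ' ', '')
    }) -join '\s*') + '$'
$AirWatchRecord = New-Object System.Text.RegularExpressions.Regex -ArgumentList $pattern, 'Singleline'

function ConvertFrom-AirWatchSyslog {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Accept the template with its line breaks intact or flattened to one line.
        $m = $AirWatchRecord.Match(($Line -replace '\r?\n', ' '))
        if (-not $m.Success) {
            [pscustomobject]@{ Parsed = $false; Raw = $Line }
            return
        }
        $rec = [ordered]@{ Parsed = $true; Timestamp = $m.Groups['Timestamp'].Value.Trim() }
        foreach ($l in $Labels) {
            $name = $l -replace ' ', ''
            $rec[$name] = $m.Groups[$name].Value.Trim()
        }
        [pscustomobject]$rec
    }
}

function Get-SuspectRecords {
    # Records that failed to parse, or carry an Event Type other than Console/Device
    # (assumption: the two event classes named in section 6.1.2).
    param([object[]]$Records, [string[]]$KnownTypes = @('Console', 'Device'))
    $Records | Where-Object { -not $_.Parsed -or ($KnownTypes -notcontains $_.EventType) }
}

# Constructed sample records (not real AirWatch output).
$SampleRecords = @(
    '2017-01-03T10:15:22Z AirWatch Syslog Details are as follows Event Type: Console Event: Login User: administrator Event Source: Console Event Module: Admin Event Category: Authentication Event Data: Successful login'
    '2017-01-03T10:16:40Z AirWatch Syslog Details are as follows Event Type: Console Event: Login Failed User: administrator Event Source: Console Event Module: Admin Event Category: Authentication Event Data: Invalid credentials'
    '2017-01-03T10:17:05Z AirWatch Syslog Details are as follows Event Type: Device Event: Device Wipe User: administrator Event Source: Console Event Module: Devices Event Category: Command Event Data: DeviceId=1234'
    '2017-01-03T10:18:00Z AirWatch Syslog Details are as follows Event Type: Other Event: Unknown User: - Event Source: - Event Module: - Event Category: - Event Data: -'
    'Jan  3 10:18:30 dshost some other daemon: line that is not an AirWatch record'
)

$parsed = @($SampleRecords | ConvertFrom-AirWatchSyslog)
$parsed | Where-Object Parsed | Format-Table Timestamp, EventType, Event, User, EventData -AutoSize
Get-SuspectRecords -Records $parsed | ForEach-Object {
    if ($_.Parsed) { Write-Warning "Unexpected Event Type '$($_.EventType)' at $($_.Timestamp)" }
    else           { Write-Warning "Unparseable record: $($_.Raw)" }
}
```

If the format is rearranged in the Syslog settings as the text allows, change $Labels to the new order and the parser follows; the point of deriving the regex from the label list is that the collector-side parser and the console-side template stay in step.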

6.1.2 Storage of Audit Data

Audit data generated by AirWatch is always visible in the AirWatch Console under Hub > Reports & Analytics > Events. This is further broken down into Device Events for audit records of Agent activity and Console Events for audit records of Server activity. The only exception to this is Administrator login history, which can also be viewed under Accounts > Administrators > System Activity > Login Activity.

In the evaluated configuration, Syslog will be used as a permanent method of remote audit storage. Syslog can be configured either under Settings > System > Enterprise Integration > Syslog or Hub > Reports & Analytics > Events > Syslog (they point to the same location). In order to ensure that these communications are secured, the “Secure TCP” setting must be chosen. In order to ensure the most verbose logging is performed, “Kernel Messages” should be chosen under Syslog Facility. Other settings such as hostname and port number should be defined based on the organization’s environment.

Audit data is streamed to the Syslog server as it is generated. When data is transmitted to the Syslog server, it continues to be retained on the MDM Server. The MDM Server's copy of the audit data is retained indefinitely. Audit data of device activity is collected by the iOS native MDM agent. AirWatch uses a push notification to request transmission of this data back to the MDM Server.

6.2 Checking Connectivity Status

The connectivity status between the VMware AirWatch MDM Server and an enrolled device can be checked from both ends of the connection. An administrator on the MDM Console can check the connectivity status of a particular device by navigating to Devices > List View, clicking the check box next to the entry for that device, and selecting Query. The Last Seen column shows the connection status of the device and, if the device is not connected, the last time the connection was active. To check connectivity status from the agent side of the connection, launch the VMware AirWatch MDM Agent on the mobile device and select My Device. The connectivity status will be displayed.

AirWatch will periodically check the status of enrolled devices for connectivity over an administrator-defined time interval. This is configured globally for each individual device platform. The sampling interval is configured under Groups & Settings > All Settings > Devices & Users > Apple > MDM Sample Schedule. Different timers can be configured for sampling of different information about the managed devices.

6.3 Device and Policy Configuration

The AirWatch MDM Console provides the ability to issue commands remotely to managed devices. Devices can be viewed under Devices > List View. Selecting an individual device will open the Details View page for that particular device. When issuing a command to the device, it may be handled on the device side of the connection by either the VMware AirWatch MDM Agent or natively by iOS, but this is transparent to both the user and administrator. The following table, taken from the VMware AirWatch Mobile Device Management Security Target, lists the security functionality that is required by the claimed Protection Profiles, whether the functionality is implemented on the device side by the VMware AirWatch MDM Agent or natively by iOS, and the specific section of the Details View page for the device where the particular command is issued.

Command | Implemented By
1. transition to the locked state – “Lock” button. | Platform
2. full wipe of protected data – “More Actions” button > Device Wipe. | VMware AirWatch MDM Agent
3. unenroll from management – “More Actions” button > Device Wipe. | VMware AirWatch MDM Agent
4. install policies – assigned and applied to target devices at the creation or modification of a profile under Devices > Profiles. | Platform
5. query connectivity status – “Query” button. | VMware AirWatch MDM Agent (initiator), Platform (response)
6. query the current version of the MD firmware/software – “Query” button. Status shown in the main detail view page. | VMware AirWatch MDM Agent (initiator), Platform (response)
7. query the current version of the hardware model of the device – “Query” button. Status shown in the main detail view page. | VMware AirWatch MDM Agent (initiator), Platform (response)
8. query the current version of installed mobile applications – “Query” button. Status shown in the Apps tab under the main detail view page. | VMware AirWatch MDM Agent (initiator), Platform (response)
9. import X.509v3 certificates into the Trust Anchor Database – assigned and applied to devices as part of a policy under the “Credentials” tab when defining the policy. | Platform
10. install applications – Apps and Books tab, Details View. Admin will be prompted to define what devices an application is assigned to during definition or modification of the application. When the application is specified as automatic distribution, the installation is initiated by the TSF. | Platform
13. remove Enterprise applications – can be removed in several ways: (a) a specific application from a single device: Device details, Apps tab, Remove option (“X”) button for the desired application; (b) a specific application from all devices: Apps and Books, App details, “Remove From All” button. | Platform
14. wipe Enterprise data – “More Actions” button > Device Wipe. | VMware AirWatch MDM Agent
15. remove imported X509v3 certificates – “More” tab > “Certificates”, Revoke option. | Platform
16. alert the administrator – “Send” button. Note that this refers to alerting the administrator of the mobile device, not the Administrator for the MDM Server. This can be sent as an email, SMS, or push notification. | Platform
22. place applications into application process groups – Apps & Books > Applications Settings > App Groups. | VMware AirWatch MDM Server

Configuration policies for mobile devices are defined on the AirWatch MDM Console under Devices > Profiles & Resources > Profiles. Existing profiles will be listed here and the Add > Add Profile option allows for a new profile to be defined. When defining a new profile, an assignment to a Smart Group is specified so that the profile is only applied to the relevant devices, users, and/or organizational members. AirWatch provides a large number of device settings and policies that can be defined within a profile. The following table, taken from the VMware AirWatch Mobile Device Management Security Target, lists the security functionality that is required by the claimed Protection Profiles, whether the functionality is implemented on the device side by the VMware AirWatch MDM Agent or natively by iOS, and the specific section of the Add/Edit Profile dialog where the particular policy setting is configured.

Configuration Policy | iOS Implementation
24. password policy – defined in the Passcode properties of a profile. | Platform
25. session locking policy – defined in the Passcode properties of a profile. | Platform
26. wireless networks (SSIDs) to which the MD may connect – defined under the Wi-Fi properties of a profile. Note that a profile specifies only a single permitted SSID, so if multiple SSIDs are permitted, multiple profiles must be assigned to the device. | Platform
27. security policy for each wireless network – defined in the Wi-Fi properties of a profile, except for the permitted CA(s), which are specified under Credentials. | Platform
28. application installation policy – groups of required, whitelisted, and/or blacklisted apps can be defined in Apps & Books > App Groups. Note that iOS does not provide a mechanism to pre-emptively enforce application whitelisting/blacklisting, but the TOE can take corrective action if a compliance policy is defined to detect the presence of a blacklisted or non-whitelisted app. | Platform
29. enable/disable policy for camera and microphone across MD – defined in the Restrictions properties of a profile. | Platform
30. enable/disable policy for the VPN across the mobile device and on a per-app basis – defined in the VPN properties of a profile or in the “VPN Access” setting for an individual app assignment. | Platform
35. enable policy for data-at-rest protection – for Apple devices, data-at-rest protection is automatically enabled if a passcode is set, so this is configured under the Passcode properties of a profile. | Platform
49. enable/disable backup – defined in the Restrictions properties of a profile under the iCloud subcategory. | Platform
53b. enable/disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g. using a fingerprint) – defined in the Restrictions properties of a profile under the Device Functionality subcategory. | Platform
53c. policies for which there are required configuration values in the mobile operating system STIG relevant to the MD – the act of defining profiles in general allows relevant STIG configuration values to be applied. | Platform
53d. full wipe of all user data and applications not included in the out-of-the-box install – accomplished through Factory Reset of the device from the Device Details view. | VMware AirWatch MDM Agent

6.4 MAS Server Configuration

As with MDM policies, MAS Server capabilities are all configured through the AirWatch MDM Console. Applications managed by the MAS Server are assigned to users via “smart groups”. A smart group consists of one or more organization groups, user groups, and device characteristics. Smart groups are listed under Groups & Settings > Groups > Assignment Groups. New smart groups can be created via the Add Smart Group button on this page. Once a smart group has been created, it can be assigned to an application. New applications are defined in the MAS Server under Apps & Books > Applications > List View using the Add Application button. When adding a new application, the Assignment tab is used to specify the initial smart group assignment. The Save & Assign button is used to commit this assignment after uploading the app. Existing applications are also listed here. To modify the group assignment for an existing application, select the application in the list view and select the Assign button, followed by Update Assignment. In both cases, the Select Assignment Groups text box allows the mapped group(s) to be specified.

Applications can also be grouped together when they share a common usage profile. The following types of groups with the following properties can be defined:

• Whitelist: a device’s MDM Agent will notify the MDM Server if an app that is absent from the whitelist is present on the device.

• Blacklist: a device’s MDM Agent will notify the MDM Server if an app that is present on the blacklist is present on the device.

• Required: a device’s MDM Agent will notify the MDM Server if an app that is present on the required list is absent from the device.

Note that iOS does not provide the capability to actively prevent unauthorized apps from being installed. Because of this, AirWatch only has the ability to generate a reactive alert if any of the groups listed above are violated. This is done through the use of Compliance Policies. To define a Compliance Policy, navigate to Devices > Compliance Policies > List View and press the Add button. On the Rules tab, application-related rules can be chosen using the Application List dropdown option. From here, the Contains Non-Whitelisted App(s), Contains Blacklisted App(s), and Does Not Contain Required App(s) options correspond to the violations listed above. Additional actions, such as sending an email to the user or administrator or requiring a device check-in, can be specified in the Actions tab. The Assignment tab, like with the application assignments themselves, allows the applicable smart groups for this Compliance Policy to be assigned.

To create a new application group, navigate to Apps & Books > Applications Settings > App Groups > Add Group. On the List tab, the type of group and the applications that belong to the group are specified, and on the Assignment tab, the assigned organization group (mandatory) and user group (optional) are specified.

When assigning an application to a group, the Push Mode option determines if the application is pushed to the devices in the assigned group or simply permitted to be downloaded on demand at the device owner’s discretion. iOS does not have the ability to force install apps, so when the Push Mode for the app is set to Auto, users will receive a push notification prompting them to initiate the download of the app. Updated versions of applications that are managed by the AirWatch MAS Server itself are loaded using the Add Version button when in the Details View of a given application. As with a new application being loaded onto the MAS Server, if the app’s Push Mode is set to Auto, the user will be notified to initiate the update once it has been uploaded. For apps that reside in the public App Store, users can be made aware of app updates either through the AirWatch administrator adding the new version of the public app in the MDM Console or through Apple’s own App Store notifications on the device itself.

6.5 Administrative Roles and Privileges

All administration of AirWatch is performed through the AirWatch Console. The AirWatch Console can have multiple administrator accounts, each with differing roles and levels of privilege. Administrators are viewed and managed under Accounts > Administrators. The List View option shows all administrators defined by the AirWatch Console. New administrators are also defined here using the Add button. Administrative privileges are derived from two sources: Role, which determines the read/write permissions that the administrator has for various functions; and Organization Group, which defines the scope of control over which the authorized functions can be performed. Roles can be created, modified, and viewed under Accounts > Administrators > Roles. The Create Role dialog lists all the various activities that can be assigned to a role and the ability to grant read and/or edit permissions for those activities. Note that an administrator who is creating a new Role cannot define privileges for it that the administrator’s current Role does not already have.

Organization Groups are derived from the connected Active Directory server and are defined in the environment. However, data relating to these (such as child organizations) can be configured in the AirWatch Console under Groups & Settings > Organization Groups > Organization Group Details.

The DoD Annex for Mobile Device Management mandates administrative separation of duties through the use of several roles, each of which has a defined set of responsibilities. AirWatch accommodates this mandate through a combination of pre-defined administrative roles and the ability to create new roles with arbitrarily-defined privileges. The following table lists and describes the roles from the DoD Annex and how to configure AirWatch to support them.

Role | Description | Configured By
Server primary administrator | Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. | Defined by default as “AirWatch Administrator” role.
Security configuration administrator | Responsible for security configuration of the server, setup and maintenance of mobile device profiles, definition of user groups, and setup and maintenance of the device user group administrator role, its members, and its permissions. | Permissions defined under Accounts > Administrators, Accounts > Users, Device Management and subcategories for each.
Device user group administrator | Responsible for maintenance of user accounts, including setup, change of account configurations, and account deletion. | Permissions defined under Accounts > Administrators and sub-categories.
Auditor | Responsible for review and maintenance of server and device audit logs. | Defined by default as “Report Viewer” role.

6.6 Login Banner Configuration

The login page of the AirWatch Console is fully configurable, which includes the ability to configure the warning banner. The AirWatch Console does not provide the ability to enter arbitrary text on the login page but can be configured to display an image which contains the desired text. To configure the login image, navigate to Groups & Settings > All Settings > System > Branding. The Login Page Background field can be used to upload an image that contains the desired banner text.

7 Auditable Events

The following section lists the auditable events that are generated by AirWatch (Server and/or Agent) in the course of executing its security functionality. As stated in the VMware AirWatch Mobile Device Management Security Target, a number of functions are implemented by the underlying server operating system and/or mobile device. For information about those events, refer to the Microsoft Windows Server 2012 and Apple iOS 9.3.2 supplemental guidance documentation. Note that the audit records generated in this section use the default audit record format specified by AirWatch. As stated in section 6.1.1, the exact syntax of audit records is modifiable for site-specific needs.

The table below lists sample audit records for each auditable event that is generated by the MDM Server software. All data is logged to the AirWatch Console/Syslog unless otherwise specified.

Requirement Auditable Event(s)

Sample Audit Record

FAU_ALT_EXT.1 [SERVER] Type of alert

Nov 9 15:45:03 172.16.72.18 November 09 20:45:05 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: DeviceQueryRequestedUser: testadminEvent Source: ServerEvent Module: DeviceDetailsEvent Category: DeviceEvent Data: Device=niaptestAD iPad iOS 9.3.4 FP84;LoginSessionID=mchytqm4w4wdDevice Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

FAU_GEN.1(1) Start-up and shutdown of the MDM Server software

(Logged to Windows Event Log) Information | 11/16/2016 3:54:42 PM | IIS-IISReset | 3202 | None | IIS stop command received from NIAPAW\administrator. The logged data is the status code.

FAU_GEN.1(1) Administrative actions

Oct 31 14:49:45 172.16.72.18 October 31 18:49:45 AirWatch AirWatch Syslog Details are as follows Event Type: ConsoleEvent: UserAddedUser: AdministratorEvent Source: ServerEvent Module: AdministrationEvent Category: UserManagementEvent Data: User=NIAPTest;LoginSessionID=nx2yfpkcuhr2 Event Timestamp: October 31, 2016 18:49:45

FAU_GEN.1(1) Commands issued from MDM Server to an MDM Agent

Nov 9 17:33:28 172.16.72.18 November 09 22:33:29 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: ProfilePublishedUser: AdministratorEvent Source: ServerEvent Module: ProfilesEvent Category: ProfilesEvent Data: Profile=testclient_ocsp;LoginSessionID=gy1ijzm5jbvzDevice Friendly Name: N/AEnrollment User: N/A

FAU_GEN.1(1) Detection of blacklisted apps

Nov 9 15:37:02 172.16.72.18 November 09 20:37:03 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: ComplianceStatusChangedUser: sysadminEvent Source: ServerEvent Module: ComplianceEvent Category: ComplianceStatusEvent Data: ComplianceStatus=NonCompliant;CompliancePolicy=Application List - UFC disallowedDevice Friendly Name: niaptestAD iPad iOS 9.3.5 FP84Enrollment User: niaptestAD

FAU_GEN.1(1) Required app(s) missing

Nov 9 15:46:48 172.16.72.18 November 09 20:46:49 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: ComplianceStatusChangedUser: sysadminEvent Source: ServerEvent Module: ComplianceEvent Category: ComplianceStatusEvent Data: ComplianceStatus=NonCompliant;CompliancePolicy=Application List - Weather missingDevice Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

FAU_GEN.1(1) Jailbroken or rooted device

Nov 9 15:45:03 172.16.72.18 November 09 20:45:05 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: DeviceQueryRequestedUser: testadminEvent Source: ServerEvent Module: DeviceDetailsEvent Category: DeviceEvent Data: Device=niaptestAD iPad iOS 9.3.4 FP84;LoginSessionID=mchytqm4w4wdDevice Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 15:45:04 172.16.72.18 November 09 20:45:05 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationRequestedUser: testadminEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 15:45:18 172.16.72.19 November 09 20:45:19 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationConfirmedUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 15:45:23 172.16.72.19 November 09 20:45:24 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: DeviceInformationConfirmedUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 16:39:32 172.16.72.19 November 09 21:39:33 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: CheckInUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: DeliveryEvent Data: Application=;ApplicationVersion=;BytesReceived=82Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

FAU_GEN.1(1) Unapproved device model/version

Nov 9 15:52:02 172.16.72.18 November 09 20:52:03 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: ComplianceStatusChangedUser: sysadminEvent Source: ServerEvent Module: ComplianceEvent Category: ComplianceStatusEvent Data: ComplianceStatus=NonCompliant;CompliancePolicy=OS Version - Disallowed if greater than 9.3.3Device Friendly Name: niaptestAD iPad iOS 9.3.5 FP84Enrollment User: niaptestAD

FAU_GEN.1(2)/Server Failure to push a new application on a managed mobile device

Nov 3 09:33:57 172.16.72.19 November 03 13:33:57 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationFailedUser: sysadminEvent Source: ServerEvent Module: DevicesEvent Category: CommandEvent Data: ErrorCode=Pending;Application=;ApplicationVersion=;ApplicationType=;BytesReceived=0Device Friendly Name: niapuser1 iPad iOS 9.3.5 FP84Enrollment User: niapuser1

FAU_GEN.1(2)/Server Failure to update an existing application on a managed mobile device

Nov 3 09:33:57 172.16.72.19 November 03 13:33:57 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationFailedUser: sysadminEvent Source: ServerEvent Module: DevicesEvent Category: CommandEvent Data: ErrorCode=Pending;Application=;ApplicationVersion=;ApplicationType=;BytesReceived=0Device Friendly Name: niapuser1 iPad iOS 9.3.5 FP84Enrollment User: niapuser1

FIA_ENR_EXT.1 [SERVER] Failure of MD user authentication

(In AirWatch Console) Information | 11/17/2016 10:43 AM | | | Device | Enrollment | Authentication | User Enrollment Authentication Failure | User Enrollment Name - chris4

FMT_MOF.1(1) [SERVER] Issuance of command to perform function

Nov 2 10:51:58 172.16.72.19 November 02 14:51:59 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: ActivationLockBypassCodeSampleSaveUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: DeviceEvent Data: BytesReceived=553Device Friendly Name: niapuser1 ipad iOS 9.3.5 FP84Enrollment User: niapuser1

FMT_MOF.1(1) [SERVER] Change of policy settings

Nov 11 10:26:49 172.16.72.18 November 11 15:26:51 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: CompliancePolicyCreatedUser: AdministratorEvent Source: ServerEvent Module: ComplianceEvent Category: CompliancePolicyEvent Data: PolicyName=Application List;CompliancePolicyRule=Application List Contains Blacklisted App(s)<br/>;LocationGroup=Global;SupportedPlatform=Apple;CompliancePolicyAction=Immediately perform the following actions<br/>Notify - Send Email to User;MatchRules=All;AssignedSmartGroups=all @ NIAP Test<br/>NIAP Smart Group Restricted @ NIAP Test;ExcludedSmartGroups=N/ADevice Friendly Name: N/AEnrollment User: N/A

FMT_MOF.1(2) [SERVER] Enrollment by a user.

Nov 2 10:51:44 172.16.72.19 November 02 14:51:44 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: MDMEnrollmentCompleteUser: sysadminEvent Source: ServerEvent Module: EnrollmentEvent Category: EnrollmentEvent Data: Device Friendly Name: niapuser1 iPad iOS 9.3.5 FP84Enrollment User: niapuser1

FMT_SMF.1(2) [SERVER] Success or failure of function

Nov 10 16:20:36 172.16.72.18 November 10 21:20:37 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: AppleMdmSampleScheduleSettingChangedSuccessUser: AdministratorEvent Source: ServerEvent Module: AdministrationEvent Category: SystemSettingsEvent Data: LoginSessionID=bigij2deztokDevice Friendly Name: N/AEnrollment User: N/A
Jan 5 11:50:00 172.16.72.18 January 05 16:50:08 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: EnrollmentAuthenticationSettingChangedUser: AdministratorEvent Source: ServerEvent Module: AdministrationEvent Category:SystemSettingsEvent Data: DevicesEnrollmentMode=RegisteredDevicesOnlyDevice Friendly Name: N/AEnrollment User: N/A

FTA_TAB.1 Change in banner setting

Nov 15 13:42:32 172.16.72.18 November 15 18:42:33 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: BrandingChangedUser: AdministratorEvent Source: ServerEvent Module: SettingsEvent Category: SystemSettingsEvent Data: LoginSessionID=mnwzy1x4m5ioDevice Friendly Name: N/AEnrollment User: N/A

In addition to the auditing that is performed by the MDM Server, MDM Agents also perform their own auditing so that audit data for both ends of the connection can be examined as needed for consistency. The following table lists the auditable events for the MDM Agent software along with sample audit record data for each event. Note that since the MDM Agent software performs persistent auditing, startup and shutdown of its auditing functions is synonymous with startup and shutdown of the app itself which is audited by the underlying iOS platform.

Requirement Auditable Event(s)

Sample Audit Record

FAU_ALT_EXT.2 Type of alert

Nov 9 15:45:18 172.16.72.19 November 09 20:45:19 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationConfirmedUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD


FAU_GEN.1(2)/Agent Change in MDM policy

Nov 9 17:35:07 172.16.72.19 November 09 22:35:08 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallProfileConfirmedUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Profile=testclient_ocspDevice Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

FAU_GEN.1(2)/Agent Any modification commanded by the MDM Server

Nov 3 09:02:09 172.16.72.19 November 03 13:02:10 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: DeviceLockConfirmedUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Device Friendly Name: niapuser1 iPad iOS 9.3.5 FP84Enrollment User: niapuser1

FIA_ENR_EXT.2 Enrollment in management.

Nov 10 09:20:28 172.16.72.19 November 10 14:20:29 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: MDMEnrollmentCompleteUser: sysadminEvent Source: ServerEvent Module: EnrollmentEvent Category: EnrollmentEvent Data: Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

FMT_POL_EXT.2 Failure of policy validation.

Nov 10 09:20:37 172.16.72.19 November 10 14:20:38 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallProfileFailedUser: sysadminEvent Source: ServerEvent Module: DevicesEvent Category: CommandEvent Data: ErrorCode=1000 Invalid Profile;Profile=FAU_ALT_EXT.1.1 - 002 Part 2Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

FMT_SMF_EXT.3 Success or failure of function.

Nov 10 16:20:36 172.16.72.18 November 10 21:20:37 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: ConsoleEvent: AppleMdmSampleScheduleSettingChangedSuccessUser: AdministratorEvent Source: ServerEvent Module: AdministrationEvent Category: SystemSettingsEvent Data: LoginSessionID=bigij2deztokDevice Friendly Name: N/AEnrollment User: N/A

FMT_UNR_EXT.1 Attempt to unenroll.

Nov 11 09:15:53 172.16.72.19 November 11 14:15:55 AirWatch NIAP AirWatch Syslog Details are as follows Event Type: DeviceEvent: BreakMDMConfirmedUser: sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Device Friendly Name: niaptestlimit iPad iOS 9.3.4 FP84Enrollment User: niaptestlimit
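The server and agent records in the two tables above share one line format. As an added example (not AirWatch code and not part of this guidance), the following Python parses that format, splits lines that carry several concatenated records, and returns the events a log reviewer would typically act on; which events are flagged is this example's own assumption, and the sample input is copied from the tables above.

```python
# Added example, not AirWatch product code or part of this guidance: a parser and a small
# triage pass for the syslog audit records shown in the two tables above. The field labels
# come from the sample records; which events get flagged is this example's own assumption.
import re

# A record is a syslog prefix, a fixed phrase, then labelled fields that run into each
# other with no separator ("...RequestedUser: testadminEvent Source: ..."), so every
# value is matched lazily up to the next label in the order the product emits them.
_PREFIX = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<event_ts>[A-Z][a-z]+ \d\d \d\d:\d\d:\d\d) (?P<app>.*?) "
    r"Syslog Details are as follows\s*(?P<rest>.*)$")
_FIELDS = re.compile(
    r"Event Type:\s*(?P<event_type>.*?)Event:\s*(?P<event>.*?)User:\s*(?P<user>.*?)"
    r"Event Source:\s*(?P<source>.*?)Event Module:\s*(?P<module>.*?)"
    r"Event Category:\s*(?P<category>.*?)Event Data:\s*(?P<data>.*?)"
    r"(?:Device Friendly Name:\s*(?P<device>.*?)Enrollment User:\s*(?P<enrollment_user>.*?))?"
    r"(?:\s*Event Timestamp:\s*(?P<timestamp>.*?))?$")
# Several records may be concatenated on one line (see the "Jailbroken or rooted device"
# row); a new record starts with "<Mon> <day> <hh:mm:ss> <ip> ".
_RECORD_START = re.compile(r"(?=\b[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{1,3}(?:\.\d{1,3}){3} )")

def split_records(line):
    """Return the individual records carried by one syslog line."""
    return [p.strip() for p in _RECORD_START.split(line.strip()) if p.strip()]

def parse_event_data(data):
    """Turn 'ComplianceStatus=NonCompliant;CompliancePolicy=...' into a dict."""
    pairs = (item.split("=", 1) for item in data.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_record(record):
    """Parse one record into a flat dict; raise ValueError on an unknown layout."""
    head = _PREFIX.match(record.strip())
    body = _FIELDS.match(head.group("rest")) if head else None
    if body is None:
        raise ValueError("unrecognised AirWatch record: %r" % record[:60])
    rec = {k: (v or "").strip() for k, v in head.groupdict().items() if k != "rest"}
    rec.update({k: (v or "").strip() for k, v in body.groupdict().items()})
    rec["data"] = parse_event_data(rec["data"])
    return rec

# Events from the tables above that a log reviewer would want surfaced (an assumption).
WATCH = {
    "ComplianceStatusChanged": "device fell out of compliance",
    "InstallProfileFailed": "policy failed validation on the device",
    "InstallApplicationFailed": "application push failed",
    "BreakMDMConfirmed": "device unenrolled from management",
    "UserAdded": "console user account added",
}

def triage(lines):
    """Parse every record on the given lines and return the ones worth attention."""
    findings = []
    for line in lines:
        for record in split_records(line):
            rec = parse_record(record)
            reason = WATCH.get(rec["event"])
            # A ComplianceStatusChanged that reports a return to compliance is not a finding.
            if (reason and rec["event"] == "ComplianceStatusChanged"
                    and rec["data"].get("ComplianceStatus") != "NonCompliant"):
                reason = None
            if reason:
                d = rec["data"]
                findings.append({"when": rec["event_ts"], "event": rec["event"],
                                 "device": rec["device"] or "N/A", "reason": reason,
                                 "detail": d.get("CompliancePolicy") or d.get("ErrorCode")
                                 or d.get("User") or ""})
    return findings

# Sample input copied from the tables above; the second line carries two records.
SAMPLE_LINES = [
    "Nov 9 15:37:02 172.16.72.18 November 09 20:37:03 AirWatch NIAP AirWatch Syslog Details are as "
    "follows Event Type: DeviceEvent: ComplianceStatusChangedUser: sysadminEvent Source: ServerEvent "
    "Module: ComplianceEvent Category: ComplianceStatusEvent Data: ComplianceStatus=NonCompliant;"
    "CompliancePolicy=Application List - UFC disallowedDevice Friendly Name: niaptestAD iPad iOS 9.3.5 "
    "FP84Enrollment User: niaptestAD",
    "Nov 9 15:45:04 172.16.72.18 November 09 20:45:05 AirWatch NIAP AirWatch Syslog Details are as "
    "follows Event Type: DeviceEvent: SecurityInformationRequestedUser: testadminEvent Source: ServerEvent "
    "Module: DashboardEvent Category: CommandEvent Data: Device Friendly Name: niaptestAD iPad iOS 9.3.4 "
    "FP84Enrollment User: niaptestAD Nov 9 15:45:18 172.16.72.19 November 09 20:45:19 AirWatch NIAP "
    "AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationConfirmedUser: "
    "sysadminEvent Source: DeviceEvent Module: DevicesEvent Category: CommandEvent Data: Device Friendly "
    "Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD",
    "Oct 31 14:49:45 172.16.72.18 October 31 18:49:45 AirWatch AirWatch Syslog Details are as follows "
    "Event Type: ConsoleEvent: UserAddedUser: AdministratorEvent Source: ServerEvent Module: "
    "AdministrationEvent Category: UserManagementEvent Data: User=NIAPTest;LoginSessionID=nx2yfpkcuhr2 "
    "Event Timestamp: October 31, 2016 18:49:45",
    "Nov 10 09:20:37 172.16.72.19 November 10 14:20:38 AirWatch NIAP AirWatch Syslog Details are as "
    "follows Event Type: DeviceEvent: InstallProfileFailedUser: sysadminEvent Source: ServerEvent Module: "
    "DevicesEvent Category: CommandEvent Data: ErrorCode=1000 Invalid Profile;Profile=FAU_ALT_EXT.1.1 - "
    "002 Part 2Device Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD",
]
```

Records that lack the device fields (the UserAdded example with its trailing Event Timestamp) parse with an empty device and surface as "N/A", so a triage pass over a mixed console/device export does not drop them.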


8 Operational Modes

AirWatch does not have distinct operational modes. Adherence to this guidance is necessary to ensure that it has been deployed in a Common Criteria compliant manner.

9 Additional Support

While reading this documentation you may encounter references to documents that are not included here. You can access this documentation through the AirWatch Resources page (https://resources.air-watch.com) on myAirWatch.

Note: Always pull the document from AirWatch Resources each time you reference it.

To search for and access documentation on AirWatch Resources:

1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.

2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page displays a list of recent documentation and a list of Resources Categories on the left.

3. Select your AirWatch Version from the drop-down menu in the search parameters to filter a displayed list of documents. This selection limits the search to documentation that is specific to your version of AirWatch.

4. Access documentation using the following methods:

• Select a resource category on the left to view all documents in that category. For example, select Documentation to view the entire technical documentation set. Select Platform to view only platform guides.

• Search for a particular resource using the search box in the top-right by entering keywords or document names.

• Add a document to your favorites and it appears in My Resources. Access documents you saved as a Favorite by selecting myAirWatch from the navigation bar. Then select My Resources from the toolbar.

• Download a PDF of a document by selecting the button.

Note, however, that documentation is frequently updated with the latest bug fixes and feature enhancements. Always pull the document from AirWatch Resources each time you want to reference it.
