| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-234248 | | All UEM Agent cryptography supporting DoD functionality must be FIPS 140-2 validated. | Unapproved cryptographic algorithms cannot be relied on to provide confidentiality or integrity, and DoD data could be compromised as a result. The mo... |
| V-234235 | | The UEM Agent must provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events:<br>-successful application of policies to a mobile device<br>-receiving or generating periodic reachability events<br>-change in enrollment state<br>-failure to install an application from the UEM Server<br>-failure to update an application from the UEM Server. | Alerts providing notification of a change in enrollment state facilitate verification of the correct operation of security functions. When an UEM serv... |
| V-234236 | | The UEM Agent must generate a UEM Agent audit record of the following auditable events:<br>-startup and shutdown of the UEM Agent<br>-UEM policy updated<br>-any modification commanded by the UEM Server. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-234237 | | The UEM Agent must be configured to enable the following function: read audit logs of the managed endpoint device. | Audit logs and alerts enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify when the security... |
| V-234238 | | The UEM Agent must record within each UEM Agent audit record the following information:<br>-date and time of the event<br>-type of event<br>-subject identity<br>-(if relevant) the outcome (success or failure) of the event. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. For audit logs to be useful, administrators mus... |
| V-234239 | | The UEM Agent must not install policies if the policy-signing certificate is deemed invalid. | It is critical that the UEM agent only use validated certificates for policy updates. Otherwise, there is no assurance that a malicious actor has not ... |
| V-234240 | | The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys. | If validated secure storage locations are not used for keys, they could be compromised.<br>Satisfies: FCS_STG_EXT.1(2)... |
| V-234241 | | The UEM Agent must queue alerts if the trusted channel is not available. | Alerts providing notification of a change in enrollment state facilitate verification of the correct operation of security functions. When an UEM serv... |
| V-234242 | | The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server. | Audit logs and alerts enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify when the security... |
| V-234243 | | The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. | It is critical that the UEM agent only use validated certificates for policy updates. Otherwise, there is no assurance that a malicious actor has not ... |
| V-234244 | | The UEM Agent must perform the following functions: Import the certificates to be used for authentication of UEM Agent communications. | It is critical that the UEM agent only use validated certificates for policy updates. Otherwise, there is no assurance that a malicious actor has not ... |
| V-234245 | | The UEM Agent must record the reference identifier of the UEM Server during the enrollment process. | Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. For audit logs to be useful, administrators mus... |
| V-234246 | | The UEM Agent must perform the following functions:<br>-enroll in management<br>-configure whether users can unenroll from management<br>-configure periodicity of reachability events. | Access control of mobile devices to DoD sensitive information or access to DoD networks must be controlled so that DoD data will not be compromised. T... |
| V-234247 | | The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management:<br>-prevent the unenrollment from occurring<br>-wipe the device to factory default settings<br>-wipe the work profile with all associated applications and data. | Access control of mobile devices to DoD sensitive information or access to DoD networks must be controlled so that DoD data will not be compromised. T... |