
Unified Endpoint Management Agent Security Requirements Guide


Overview

Date: 2020-12-14
Finding Count: 14 (CAT I (High): 1; CAT II (Med): 13; CAT III (Low): 0)
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Public)

Finding ID  Severity  Title
V-234248    High      All UEM Agent cryptography supporting DoD functionality must be FIPS 140-2 validated.
V-234236    Medium    The UEM Agent must generate a UEM Agent audit record of the following auditable events: startup and shutdown of the UEM Agent; UEM policy updated; any modification commanded by the UEM Server.
V-234240    Medium    The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys.
V-234239    Medium    The UEM Agent must not install policies if the policy-signing certificate is deemed invalid.
V-234238    Medium    The UEM Agent must record within each UEM Agent audit record the following information: date and time of the event; type of event; subject identity; (if relevant) the outcome (success or failure) of the event.
V-234237    Medium    The UEM Agent must be configured to enable the following function: read audit logs of the managed endpoint device.
V-234244    Medium    The UEM Agent must perform the following functions: import the certificates to be used for authentication of UEM Agent communications.
V-234245    Medium    The UEM Agent must record the reference identifier of the UEM Server during the enrollment process.
V-234246    Medium    The UEM Agent must perform the following functions: enroll in management; configure whether users can unenroll from management; configure periodicity of reachability events.
V-234247    Medium    The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management: prevent the unenrollment from occurring; wipe the device to factory default settings; wipe the work profile with all associated applications and data.
V-234235    Medium    The UEM Agent must provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events: successful application of policies to a mobile device; receiving or generating periodic reachability events; change in enrollment state; failure to install an application from the UEM Server; failure to update an application from the UEM Server.
V-234241    Medium    The UEM Agent must queue alerts if the trusted channel is not available.
V-234242    Medium    The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to a UEM server or third-party audit management server.
V-234243    Medium    The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.