Check: SRG-APP-000175-UEM-100008
Unified Endpoint Management Agent SRG:
SRG-APP-000175-UEM-100008
(in version v1 r1)
Title
The UEM Agent must not install policies if the policy-signing certificate is deemed invalid. (Cat II impact)
Discussion
It is critical that the UEM agent use only validated certificates for policy updates. Otherwise, there is no assurance that a malicious actor has not inserted itself into the process of packaging the code or policy. Satisfies: FMT_POL_EXT.2.2
Check Content
Verify the UEM Agent does not install policies if the policy-signing certificate is deemed invalid. If the UEM Agent installs policies when the policy-signing certificate is deemed invalid, this is a finding.
Fix Text
Configure the UEM Agent to not install policies if the policy-signing certificate is deemed invalid.
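The check and fix above say what the agent must refuse but not what "deemed invalid" covers in practice. The following is an added example, not part of this SRG and not any vendor's agent code: a minimal Go policy installer that performs the validation CCI-000185 describes (certification path to a pinned trust anchor, key usage, validity period, revocation status taken from an issuer-signed and still-current CRL) before it checks the policy signature, exercised against a constructed PKI. Every name here (SignedPolicy, Agent, Install, the CA and signer names, the sample JSON policy, the choice of Ed25519 and CRLs) is an assumption for illustration; a real agent uses whatever trust store and revocation mechanism its evaluation documents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedPolicy is a constructed wire format: policy bytes, a detached Ed25519 signature, DER signer cert.
type SignedPolicy struct{ Policy, Sig, Cert []byte }
// Agent holds the pinned trust anchor(s), the latest CRL fetched for the policy-signing CA, and its clock.
type Agent struct{ Roots *x509.CertPool; CRL *x509.RevocationList; Now time.Time }

// Install returns the policy only if the signing certificate chains to a pinned anchor (Verify also enforces
// validity period and EKU), is absent from a current issuer-signed CRL, and the signature verifies.
func (a *Agent) Install(sp SignedPolicy) ([]byte, error) {
	leaf, err := x509.ParseCertificate(sp.Cert)
	if err != nil {
		return nil, fmt.Errorf("unparseable signing certificate: %w", err)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: a.Roots, CurrentTime: a.Now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return nil, fmt.Errorf("certificate path invalid: %w", err)
	}
	// Status check against the immediate issuer (chains[0][0] is the leaf); unknown status fails closed.
	if len(chains[0]) < 2 || a.CRL == nil || a.CRL.CheckSignatureFrom(chains[0][1]) != nil || a.Now.After(a.CRL.NextUpdate) {
		return nil, fmt.Errorf("certificate status unavailable (leaf is an anchor, or CRL missing, forged, or stale)")
	}
	for _, rc := range a.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return nil, fmt.Errorf("signing certificate serial %v is revoked", leaf.SerialNumber)
		}
	}
	if err := leaf.CheckSignature(x509.PureEd25519, sp.Policy, sp.Sig); err != nil {
		return nil, fmt.Errorf("policy signature invalid: %w", err)
	}
	return sp.Policy, nil // only now may the enforcement layer apply it
}

var now = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // fixed clock; everything below is a constructed test PKI, not agent code

// issue mints an Ed25519 key and a 30-day certificate signed by parent (self-signed when parent is nil).
// Fixture only: an issuance failure surfaces as a nil certificate at first use.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sign is the UEM server side: a detached signature over the policy with the signer certificate attached.
func sign(policy []byte, cert *x509.Certificate, key ed25519.PrivateKey) SignedPolicy {
	return SignedPolicy{Policy: policy, Sig: ed25519.Sign(key, policy), Cert: cert.Raw}
}

// Scenarios reports, per constructed case, whether the agent installed the policy.
func Scenarios() map[string]bool {
	ca, caKey := issue("Example UEM Policy CA", 1, true, nil, nil)
	good, goodKey := issue("policy-signer", 2, false, ca, caKey)
	revoked, revKey := issue("policy-signer", 3, false, ca, caKey)
	rogueCA, rogueCAKey := issue("Rogue CA", 1, true, nil, nil) // never in the agent's trust store
	rogue, rogueKey := issue("policy-signer", 4, false, rogueCA, rogueCAKey)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER) // nil on failure, which Install then rejects as "unavailable"
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := []byte(`{"passcode_min_length":8}`) // constructed sample policy
	tampered := sign(policy, good, goodKey)
	tampered.Policy = []byte(`{"passcode_min_length":0}`) // body altered after signing
	out := map[string]bool{}
	for name, sp := range map[string]SignedPolicy{
		"valid": sign(policy, good, goodKey), "revoked_cert": sign(policy, revoked, revKey),
		"untrusted_ca": sign(policy, rogue, rogueKey), "tampered_body": tampered,
	} {
		_, err := (&Agent{Roots: roots, CRL: crl, Now: now}).Install(sp)
		out[name] = err == nil
	}
	// Same valid bundle, but the agent's clock is past the CRL's NextUpdate: status unknown, so reject.
	_, err := (&Agent{Roots: roots, CRL: crl, Now: now.Add(48 * time.Hour)}).Install(sign(policy, good, goodKey))
	out["stale_crl"] = err == nil
	return out
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-14s installed=%v\n", name, ok)
	}
}
```

Running it with `go run` prints one line per scenario; only "valid" installs. The "stale_crl" case is the one worth probing during the check: the certificate itself is still good, but the agent can no longer establish its status, and this example treats that as invalid rather than installing the policy, which is the fail-closed reading of the "checking certificate status information" clause in CCI-000185.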
Additional Identifiers
Rule ID: SV-234239r617354_rule
Vulnerability ID: V-234239
Group Title: SRG-APP-000175
CCIs
Number | Definition |
---|---|
CCI-000185 | For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5(2) | PKI-based Authentication |