Check: SRG-APP-000427-UEM-100007
Unified Endpoint Management Agent SRG:
SRG-APP-000427-UEM-100007
(in version v1 r1)
Title
The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. (Cat II impact)
Discussion
It is critical that the UEM agent only use validated certificates for policy updates. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. Satisfies: FMT_POL_EXT.2.1
Check Content
Verify the UEM Agent only accepts policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. If the UEM Agent does not only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server, this is a finding.
Fix Text
Configure the UEM Agent to only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.
Additional Identifiers
Rule ID: SV-234243r617354_rule
Vulnerability ID: V-234243
Group Title: SRG-APP-000427
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002470 |
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions. |
Controls
| Number | Title |
|---|---|
| SC-23(5) |
Allowed Certificate Authorities |