An error occurred:

Check: SRG-APP-000427-UEM-000502

Unified Endpoint Management Server SRG: SRG-APP-000427-UEM-000502 (in versions v2 r3 through v2 r1)

Title

The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy. (Cat I impact)

Discussion

It is critical that the UEM server sign all policy updates with validated certificate or private keys. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). Satisfies: FMT_POL_EXT.1.3 Reference: PP-MDM-411071

Check Content

Verify the UEM server, for each unique policy managed, validates the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy]. If the UEM server does not validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy, this is a finding.

Fix Text

Configure the IUEM server, for each unique policy managed, to validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy].

Additional Identifiers

Rule ID: SV-264369r985781_rule

Vulnerability ID: V-264369

Group Title: SRG-APP-000427

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002470

Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-23(5)

Allowed Certificate Authorities