Compliant Product - BlackBerry UEM Server and Android Client v12

Certificate Date:  2024.05.30

Validation Report Number:  CCEVS-VR-VID11427-2024

Product Type:  Network Encryption, Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:  PP-Module for MDM Agent Version 1.0; Functional Package for TLS Version 1.1; Protection Profile for Mobile Device Management Version 4.0

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF]
Security Target [PDF]
Validation Report [PDF]
Assurance Activity [PDF]
Administrative Guide [PDF]


Product Description

The Target of Evaluation (TOE) is the BlackBerry Unified Endpoint Management (UEM) Server and Android Client version 12.

The UEM Server provides centralized management of mobile devices and the UEM Android Client Agent (installed on each Android device) enforces the policies of the Server on each Android device.

The BlackBerry UEM server, including the Core and UI security enforcing components, is implemented with a combination of Java and native code running on Windows Server 2016 or Windows Server 2019 with Java JRE 8.0.  Ideally, the scope of supported platforms for the evaluation would be Windows Server 2016 or Windows Server 2019 wherever they are deployable; however, it is limited by NIAP policy on CAVP algorithm certificates: the allowed environments are expected to conform to the environments of the CAVP certificates (e.g., using the processors used for CAVP algorithm testing).  In this case, the CAVP testing for Certicom was done on Windows Server 2016 and Windows Server 2019 running in a virtual environment (VMware ESXi 7) on an Intel Xeon E5-2620.

The BlackBerry UEM Android Client has two main deployment methods: as a single Workspace client, or alternatively as a dual client with one client managing the Personal (whole) device and another managing the Workspace.  There is one BlackBerry UEM client deployment per enrolled mobile device.  The scope of supported managed client devices for the evaluation is limited by the set of devices evaluated on the NIAP PCL[1]:

Since the iOS agents are evaluated as part of the Apple iOS evaluations, the UEM server will be tested to ensure it can manage those devices, but the agent’s behavior on those devices will not otherwise be tested.  The support is limited by the set of devices evaluated on the NIAP PCL:



[1] Note that the oldest evaluation listed here was removed from the NIAP PCL late in the evaluation of this product, but the applicable devices remain supported and tested in the context of this evaluation.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the BlackBerry UEM Administrative Guidance Document, Version 12.19, May 2024, satisfies all of the security functional requirements stated in the BlackBerry UEM Server and Android Client v12 Security Target, Version 0.93, May 29, 2024.  The project underwent CCEVS Validator review.  The evaluation was completed in May 2024.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11427-2024) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the UEM Server and Android Client v12 are realized in the security functions they implement.  Each of these security functions is summarized below.

Security audit:

The BlackBerry UEM server is designed to generate and export audit events.  The audit events are stored in the SQL database and sent to the configured syslog servers as events occur. The BlackBerry UEM server can also generate alerts for specific events – these alerts are sent to administrators as e-mails. The BlackBerry UEM server supports TLS tunneling of syslog messages to protect exported audit records.

The BlackBerry UEM Android client is also designed to generate and export audit events.  It stores audit events in the platform audit logs which it can retrieve and send to its enrolled BlackBerry UEM server.  The BlackBerry UEM server will forward the events to a configured syslog server as the events are received.  The BlackBerry UEM Android client can also send required alerts directly to the BlackBerry UEM server which are received, logged as audit events, and treated as administrator alerts.

Cryptographic support:

The BlackBerry UEM server uses the Certicom Security Builder FIPS Java Module for its cryptographic operations.  It includes the following CAVP algorithm certificates, which are applicable to the platform for this evaluation:

- AES: A5201
- DRBG: A5201
- ECDSA: A5201
- HMAC: A5201
- KAS: A5201
- RSA: A5201
- SHS: A5201

The BlackBerry UEM Android client uses the cryptographic functions provided by the evaluated mobile devices.  As such, the Android client can reference the applicable certificates in the preceding evaluations of those devices.

The BlackBerry UEM server implements an X.509 key hierarchy summarized as follows:

1. The PKI is rooted in a self-signed certificate (RSA 4096 SHA512) created when the first server is installed.

2. The root is used to issue an intermediate CA certificate (RSA 3072 SHA512), also created when the first server is installed.

3. Additional certificates are issued using the intermediate CA certificate as follows:

   a. Console web server certificate (RSA 2048 SHA512)
   b. Server client certificate (RSA 2048 SHA512) – used for SYSLOG, LDAP, etc.
   c. Profile signing certificate (RSA 2048 SHA512) – used for Apple MDM
   d. Per-device BDMI payload signing key (RSA 3072 SHA512)
   e. Per-device enrolled device certificates – issued during enrollment (RSA 2048 SHA512)

4. All of the certificates above, except the per-device certificates, are stored in the SQL database, and the key store is encrypted with a DEK (AES-CBC 256) also created during installation.  The per-device BDMI keys are encrypted using the DEK separately from the rest of the key store.  The DEK is encrypted using an EC secp512r1 key (stored in the Windows key store) that is unique to each unit of scale (created during installation) and stored on the local file system of each unit of scale.

5. Each individual certificate in the key store is also encrypted individually using a DEK created during installation, using PBEWithHmacSHA256AndAES256 (AES-CBC mode).

6. The enrolled device certificate private keys are generated on the mobile device, and the certificates are signed by the intermediate CA on the applicable UEM server.

7. Additional trusted root CAs can be loaded to support accepting certificates from other devices (syslog, LDAP, etc.).
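As an added example (not BlackBerry's, Gossamer's or NIAP's code), the following Python, using the `cryptography` library, checks a leaf-first certificate chain against the profile in items 1 to 3 above (root RSA 4096 SHA512, intermediate RSA 3072 SHA512, leaf RSA 2048 SHA512, each verifying under its issuer), and includes a constructed demo builder with hypothetical names so it can be run offline; an operator reviewing a deployed console chain would pass the real certificates to `check_chain` instead.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
# Expected (role, RSA modulus bits, signature hash), leaf first, from the listing above.
PROFILE = [("leaf", 2048, "sha512"), ("intermediate", 3072, "sha512"), ("root", 4096, "sha512")]

def check_chain(certs):
    """certs: leaf-first list of x509.Certificate. Returns deviations from PROFILE (empty = OK)."""
    problems = []
    if len(certs) != len(PROFILE):
        problems.append(f"chain has {len(certs)} certificates, expected {len(PROFILE)}")
    for i, ((role, bits, digest), cert) in enumerate(zip(PROFILE, certs)):
        key = cert.public_key()
        if not isinstance(key, rsa.RSAPublicKey) or key.key_size != bits:
            problems.append(f"{role}: expected RSA-{bits} public key")
        if cert.signature_hash_algorithm.name != digest:
            problems.append(f"{role}: expected {digest} signature, got {cert.signature_hash_algorithm.name}")
        # Each certificate must verify under its issuer's key; the root is self-signed.
        issuer = certs[i + 1] if i + 1 < len(certs) else cert
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except (InvalidSignature, TypeError):
            problems.append(f"{role}: signature does not verify against its issuer")
    return problems

def _issue(cn, key, issuer_cn, issuer_key, digest, is_ca):
    """Constructed helper (hypothetical names): certificate for `key`, signed by `issuer_key`."""
    start = datetime.datetime(2024, 5, 30)  # constructed validity window
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, digest)

def build_demo_chain(weak_leaf=False):
    """Constructed demo hierarchy with the sizes from the listing, leaf first;
    weak_leaf=True signs the leaf with SHA-256 so it deviates from the profile."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, n) for n in (4096, 3072, 2048))
    root = _issue("demo-root", root_key, "demo-root", root_key, hashes.SHA512(), True)
    inter = _issue("demo-intermediate", inter_key, "demo-root", root_key, hashes.SHA512(), True)
    leaf_digest = hashes.SHA256() if weak_leaf else hashes.SHA512()
    leaf = _issue("demo-console", leaf_key, "demo-intermediate", inter_key, leaf_digest, False)
    return [leaf, inter, root]
```

Generating the 4096-bit demo root takes a few seconds; the check itself only reads public keys and signature algorithms, so it is safe to run against production certificates.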

Identification and authentication:

The BlackBerry UEM server requires administrators to log in prior to performing any security functions or accessing any services, such as creating an activation password.  Similarly, mobile devices must authenticate with the server using an activation password prior to enrolling.

Both the BlackBerry UEM server and Android client use X.509 certificates in conjunction with TLS to both authenticate and secure remote connections.

Security management:

The BlackBerry UEM server facilitates granular administrative access to functions based on roles: server primary administrators, security configuration administrators, device user administrators, auditor, and mobile device users.  Administrators access the BlackBerry UEM server via a web-based interface.  The BlackBerry UEM server also supports the definition of mobile device users, and upon enrollment each mobile device generates an X.509 certificate used to identify that enrolled device.

The BlackBerry UEM server provides all the features necessary to manage its own security functions as well as to manage mobile device policies sent to enrolled mobile devices (via their clients).

The BlackBerry UEM Android client provides the features necessary to securely communicate and enroll with the BlackBerry UEM server, apply policies received from the BlackBerry UEM server, and report the results of applying policies.

Protection of the TSF:

The BlackBerry UEM server and Android client work together to ensure that all security related communication between those components is protected from disclosure and modification.

The BlackBerry UEM server includes self-testing capabilities to ensure that it is functioning properly, as well as to cryptographically verify that its executable images are not corrupted.  The UEM server also includes secure update capabilities to ensure the integrity of any updates, so that updates will not introduce malicious or other unexpected changes in the TOE.

TOE access:

The BlackBerry UEM server has the capability to display an advisory banner when users attempt to log in in order to manage the TOE.

Trusted path/channels:

The BlackBerry UEM server uses TLS/HTTPS to secure communication channels between itself and remote administrators and mobile device users accessing the server via a web-based user interface. It also uses TLS to secure communication channels between itself, enrolled devices, its configured SQL database server, syslog servers, and optionally configured LDAP servers.

The following is a summary of applicable secure channels:

1. UEM server console used by administrators – TLS not subject to mutual X.509 authentication.  Certicom implementation of TLS on the server.

2. Mobile device UEM client to UEM server – TLS not subject to mutual X.509 authentication for initial enrollment, but always uses mutual X.509 authentication once enrolled.  Certicom implementation of TLS on the server; mobile device implementation of TLS on the client end.

3. UEM server to SQL database, SYSLOG and LDAP – TLS optionally configured for mutual X.509 authentication.  Certicom implementation of TLS on the server.  Communication with the SQL database is either local within the Windows platform on which the UEM server executes, or protected by IPsec provided by the Windows platform.


Vendor Information


BlackBerry Ltd.
Tim Segato
+1-519-888-7465
sct@blackberry.com

www.blackberry.com