VMware AirWatch Mobile Device Management
Supplemental Administrative Guidance
Version 1.0
January 3, 2017
AirWatch LLC
1155 Perimeter Center West
Suite 100
Atlanta, GA 30338
Prepared By:
Cyber Assurance Testing Laboratory
304 Sentinel Drive, Suite 1160
Annapolis Junction, MD 20701
Contents
1 Introduction
2 Intended Audience
3 References
4 Evaluated Configuration
4.1 Product Components
4.2 Supporting Environmental Components
4.3 Assumptions
4.4 Communications Protocols and Services
5 Secure Acceptance, Installation, and Initial Configuration
5.1 Server Installation
5.2 Device Configuration, Agent Installation, and Enrollment
5.3 Cryptographic Engine Configuration
5.3.1 Configure Agent-Server TLS Mutual Authentication
5.3.2 Allow Upload of Policy Signing Certificate
5.3.3 Specify TLS Configuration
5.4 Installing and Verifying Product Updates
6 Secure Management of the TOE
6.1 Audit Data
6.1.1 MDM Server and Agent Auditing
6.1.2 Storage of Audit Data
6.2 Checking Connectivity Status
6.3 Device and Policy Configuration
6.4 MAS Server Configuration
6.5 Administrative Roles and Privileges
6.6 Login Banner Configuration
7 Auditable Events
8 Operational Modes
9 Additional Support
1 Introduction
VMware AirWatch Mobile Device Management is a mobile device management (MDM) solution that is
used to enforce access, usage, and security configuration policies on registered mobile devices in order to
mitigate the risk of theft, malicious software, or other misuse. The VMware AirWatch MDM solution
includes two components: a server application that is used to perform centralized administration of
policies and reporting on device behavior, and an MDM agent application that is installed onto individual
mobile devices and used to enforce policies and monitor device behavior through communication with the
server software.
2 Intended Audience
This document is intended for administrators responsible for installing, configuring, and/or operating the
VMware AirWatch MDM Server software. Guidance provided in this document allows the reader to
deploy the product in an environment that is consistent with the configuration that was evaluated as part
of the product’s Common Criteria (CC) testing process. It also provides the reader with instructions on
how to exercise the security functions that were claimed as part of the CC evaluation.
This guidance also includes information on configuration of the behavior of the MDM Agent software as
well as the communications between the agent and server. However, these activities are still performed by
administrators. The security-relevant configuration of AirWatch for the purposes of conformance to its
Common Criteria claims is transparent to end users, so additional security-relevant guidance does
not need to be provided to them. Users must be made aware of organizational policies that govern secure
and appropriate use of managed devices as well as instructions for performing lifecycle maintenance
activities for the VMware AirWatch MDM Agent such as enrollment and application of updates.
3 References
While this supplemental guidance provides specific instructions to readers on how to configure the
VMware AirWatch Mobile Device Management infrastructure in accordance with its Common Criteria
‘evaluated configuration’, existing AirWatch documentation contains the bulk of the general instructions
for the installation, configuration, and ongoing management of AirWatch. Product documentation for
AirWatch customers can be found on the “myAirWatch” page on www.air-watch.com (registration
required).
The following documents are relevant to the security configuration of VMware AirWatch Mobile Device
Management based on the claims made for its Common Criteria evaluated configuration:
[1] VMware AirWatch Installation Guide
[2] VMware AirWatch Mobile Device Management Guide
[3] VMware AirWatch iOS Platform Guide
[4] Generating and Reviewing an APNS Certificate for AirWatch
[5] VMware AirWatch Directory Services Guide
[6] VMware AirWatch Integration with Microsoft ADCS via DCOM
[7] VMware AirWatch Reports, Analytics, and Syslog Guide
[8] VMware AirWatch Apple Device Enrollment Program Guide
[9] VMware AirWatch On-Premises Configuration Guide
The security functionality claimed by VMware AirWatch Mobile Device Management in its Common
Criteria evaluated configuration has been defined in the VMware AirWatch Mobile Device Management
Security Target. Product functionality or support for platforms that has not been explicitly claimed in the
Security Target has not been evaluated as part of the Common Criteria certification.
4 Evaluated Configuration
This section lists the components that have been included in the product’s evaluated configuration,
whether they are part of the product itself, environmental components that support the security behavior
of the product, or non-interfering environmental components that were present during testing but are not
associated with any security claims:
4.1 Product Components
The AirWatch product in its evaluated configuration includes the VMware AirWatch Mobile Device
Management server software and the iOS VMware AirWatch Mobile Device Management agent.
4.2 Supporting Environmental Components
The evaluated configuration of VMware AirWatch Mobile Device Management includes the following
dependent components:
• Microsoft Windows Server 2012 R2 – underlying operating system for VMware AirWatch MDM
  Server software and for the following dependent components:
  o Certification Authority (CA)
  o Microsoft SQL Enterprise
  o Active Directory Certification Services
  o Active Directory / LDAP Server
• Syslog server – syslog-compatible audit server used to collect audit data for AirWatch operational
  behavior
• Apple iOS 9 or 10 (running on compatible Apple device) – underlying operating system for
  VMware AirWatch MDM Agent
• Apple Push Notifications/Apple Device Enrollment Program – third-party services provided by
  Apple that are used by AirWatch for device registration and server-to-agent communications
4.3 Assumptions
In order to ensure the product is capable of meeting its security requirements when deployed in its
evaluated configuration, the following conditions must be satisfied by the organization, as defined in the
claimed Protection Profiles:
• Availability of network connectivity: VMware AirWatch Mobile Device Management requires
  network connectivity in order to communicate policy updates to managed devices and to receive
  status information from them. This also requires mutual connectivity to the network services
  provided by Apple.
• Trustworthiness of server platform: The system on which the AirWatch server application is
  installed and the local network that it resides in is assumed to be configured securely and to have
  access to the functionality required for meeting its security requirements such as certificate
  validation services, remote audit storage, and directory services. In the evaluated configuration,
  two instances of the AirWatch server application are deployed such that one instance is
  configured internally while the instance that interfaces directly with managed devices resides in a
  DMZ.
• Trusted administration: Administrators are expected to be trusted individuals with relevant
  technical skills for administration of AirWatch and are expected to read and abide by its
  configuration instructions, including this supplemental guidance.
• Proper users: Users of mobile devices are expected to not be willfully negligent or hostile and
  will use the device in a manner that complies with organizational security policies.
• Trustworthiness of device platform: The VMware AirWatch MDM Agent will be installed on a
  mobile operating system that is configured in accordance with its own Common Criteria
  evaluated configuration.
4.4 Communications Protocols and Services
In the evaluated configuration, the following secure protocols were tested:
• TLS/HTTPS: remote administration of VMware AirWatch MDM Server application
• TLS: LDAP communications
• TLS: syslog server communications
• TLS: SQL database communications
• TLS: communications between AirWatch and Apple Push Notifications/Apple DEP
• TLS/HTTPS: VMware AirWatch MDM Agent/Server communications
5 Secure Acceptance, Installation, and Initial Configuration
5.1 Server Installation
After acquiring licenses from AirWatch sales, the customer will receive an account to support.airwatch.com. The executable files for server components are loaded onto the “Resource Portal” page of the
customer support account. These files can then be downloaded by the customer and transferred to the
appropriate servers for installation.
In the evaluated configuration, AirWatch was deployed in an On-Premises configuration as described in
[9]. This deployment consists of an instance of the VMware AirWatch MDM Server application that
resides in an internal network for remote administration and a second instance of the application (referred
to as Device Services) which resides in a DMZ and is used to facilitate communications with individual
MDM Agents.
During operation, there is no expectation that Device Services is managed persistently; all configuration
instructions for the Device Services server are to be performed during initial setup.
VMware AirWatch Mobile Device Management also includes a Mobile Application Store (MAS) Server.
This is installed automatically as part of the MDM Server software and is not a separate component.
However, since certain Common Criteria requirements explicitly reference MAS Server functionality
separately from the remainder of the MDM capabilities, its configuration and use is discussed separately
when necessary.
Installation of the VMware AirWatch MDM Server software is described comprehensively in [1]. There
are no specific instructions or deviations from this guidance that need to be followed in order to ensure
that AirWatch is set up in its evaluated configuration. Note however that when compatible operating
system platforms are specified in [1], the administrator is expected to choose one of the supporting
components that are specified in section 4.2 of this guidance.
Once the installation has been performed, the database should be configured to accept TLS
communications. This is done by following the steps specified in Database
https://technet.microsoft.com/en-us/library/ms191192.aspx.
Configuration of the MDM Server certificate and use of HTTPS for trusted communications is specified
in chapter 2 of [1]. When HTTPS is enabled, port 80 connection attempts to the MDM Server will be
redirected to port 443.
Once the MDM Server has been installed, the following guidance should be followed for first-time usage
and to set up the relevant connections to external interfaces.
1. After installation, use the following default credentials at AirWatch Console Web GUI Portal:
Username: administrator
Password: airwatch
2. Change the default password to a strong password (e.g. a passphrase at least fifteen characters in
length) and then accept the license agreement.
3. Specify the password recovery questions and security PIN.
4. Configure the MDM Server to communicate with Apple Push Notification Service (APNS) by
following the procedures in “Generating and Renewing an APNS Certificate for AirWatch”. [4]
5. Configure the MDM Server to communicate with an external authentication (AD/LDAP) server
by following the procedures in “VMware AirWatch Directory Services Guide”. [5]
6. Configure the MDM Server to communicate with the Certification Authority server by following
the procedures in “VMware AirWatch Integration with Microsoft ADCS via DCOM”. [6]
7. Configure the MDM Server to communicate with an external audit (syslog) server by following
the procedures in “VMware AirWatch Reports, Analytics, and Syslog Guide”. [7]
a. Execute the following database query to eliminate the minimum severity threshold for
transmission of audit data to Syslog:
UPDATE DBO.SystemCode
SET DefaultValue = 'True'
WHERE SystemCodeID = 5122
8. Configure the MDM Server to communicate with Apple Device Enrollment Program (DEP) by
following the procedures in “VMware AirWatch Apple Device Enrollment Program Guide”. [8]
9. Configure the MDM Server for communication with an SMTP server by completing the
following steps:
a. Authenticate to the AirWatch MDM Console as the administrator.
b. Navigate to “Groups & Settings” > “All Settings” > “Enterprise Integration” > “Email (SMTP)”.
c. Enter in the SMTP server and port.
d. Click “Save”.
10. Apply the following configuration settings in the AirWatch MDM Console to ensure regular
compliance checking of enrolled devices:
a. Authenticate to the AirWatch MDM Console as the administrator.
b. Navigate to “Groups & Settings” > “All Settings” > “Installation” > “Performance Tuning”.
c. Ensure “Allow minutes as minimum compliance interval” is checked.
5.2 Device Configuration, Agent Installation, and Enrollment
In order to ensure that AirWatch is deployed in a manner that is consistent with the assumptions defined
in section 4.3 of this document, the underlying mobile device must be configured in a manner consistent
with its Common Criteria evaluated configuration. Guidance for this can be found in the Common
Criteria supplemental guidance for iOS 9.3.2, found here: https://www.niap-ccevs.org/st/st_vid10725agd.pdf.
Once the AirWatch server application is up and running, individual devices will acquire the VMware
AirWatch MDM Agent through enrollment. In the evaluated configuration, enrollment is performed
through Apple DEP. The administrator must follow the steps outlined in chapter 2 of [3] under “Enrolling
an iOS Device with the Apple Device Enrollment Program (DEP)” including any subsequent references
(e.g. the entirety of [8]) in order to ensure the environment is configured to support this enrollment
method. To conform to the Common Criteria evaluated configuration, the Lock MDM Profile setting in
MDM Features must be enabled when creating the DEP Profile that is used for enrollment. This prevents
the user from unenrolling their device by any method other than factory reset of the device.
When the device has been registered through DEP and assigned to an MDM Profile in AirWatch, the user
or administrator performing the initial configuration of the device will be prompted to set up the
connection to the environment’s VMware AirWatch MDM Server as part of the initial setup process of
the device. Enrollment must be performed by the device when it is coming out of its factory default/reset
state. As part of the enrollment process, the device will automatically receive a unique certificate for the
VMware AirWatch MDM Agent and configure certificate information for the MDM Server, including the
reference identifier for the MDM Server certificate.
Since the evaluated configuration of AirWatch limits enrollment to only devices registered by Apple
DEP, it is necessary to configure the VMware AirWatch MDM Server to enforce this restriction. This is
done in the AirWatch Console under Settings > All Settings > Devices & Users > General >
Enrollment. On the first tab (Authentication), the Current Setting button must be set to Override and
Devices Enrollment Mode must be set to Registered Devices Only.
5.3 Cryptographic Engine Configuration
VMware AirWatch Mobile Device Management provides cryptography in support of satisfying its
security objectives. The VMware AirWatch MDM Agent software uses the FIPS-validated cryptography
provided by the underlying iOS platform so no additional configuration is required on the device.
No specific steps are required to configure key generation and establishment functionality; these
functions are provided automatically by the underlying cryptographic modules and are specified by
the specific protocols that require them.
This evaluation does not make any claims of cryptographic strength for any other cryptographic modules
or configurations besides what is claimed in the Security Target.
The evaluated configuration of the VMware AirWatch MDM Server software requires the underlying
operating system to use its FIPS-validated cryptographic modules (CNG.sys and bcryptprimitives.dll).
Prior to installation of AirWatch, administrators must ensure that the configuration guidance provided in
the FIPS Security Policy documentation is followed. The documentation can be found at the following
locations:
• CNG.sys: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2356.pdf
• bcryptprimitives.dll: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2357.pdf
5.3.1 Configure Agent-Server TLS Mutual Authentication
1. On the Device Services system, launch IIS Manager.
2. Go to “Sites” > “Default Web Site” > “DeviceServices”.
3. Click on “SSL Settings”.
4. Check “Require SSL” and choose “Require” for Client certificates.
5. Launch a command prompt by entering “cmd.exe” at the Run box.
6. Enter the following commands at the command prompt:
    netsh http show sslcert ipport=0.0.0.0:443
   (record the “certificate hash” and “GUID” values in the output)
    netsh http delete sslcert ipport=0.0.0.0:443
    netsh http add sslcert ipport=0.0.0.0:443 certhash=[certificate hash from above] appid={[GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
    netsh http show sslcert
7. On the Device Services system, launch IIS Manager.
8. Go to “Sites” > “Default Web Site”.
9. Click on “Bindings…”.
10. Click “Add…”.
11. Choose “https” for the type, specify “All Unassigned” for IP address, specify “8443” for the port.
12. Specify the SSL certificate then click “OK”.
13. To enable TLS mutual authentication, execute the following query on the database server:
    UPDATE DBO.SystemCode
    SET DefaultValue = 'True'
    WHERE SystemCodeID = 5107
14. Navigate to Groups & Settings -> All Settings -> System -> Security -> TLS Mutual
Authentication and select the CA and Certificate Template for DEP Enrollment Profile and Agent
Authentication Settings as seen in the screenshot below.
15. Log in to the AirWatch MDM Server console and navigate to “Groups & Settings” > “All
Settings” > “System” > “Advanced” > “Site URLs”.
a. Specify the “Device Management URL” to be the following: https://<FQDN of Device
Services server>:8443/DeviceManagement
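A check for the result of step 6, added here as an example and not taken from the AirWatch guidance: a Python parser for saved “netsh http show sslcert” output that reports every setting on the 0.0.0.0:443 binding that differs from what the “netsh http add sslcert” command above requests. The output labels and both sample outputs are constructed from the usual English-language Windows Server layout and are assumptions; the certificate hash and GUID are placeholders.

```python
# Settings requested by the guidance's "netsh http add sslcert" command, written
# as the labels "netsh http show sslcert" prints (label wording is an assumption
# based on English-language Windows Server output).
REQUIRED = {
    "Certificate Store Name": "MY",
    "Verify Client Certificate Revocation": "Enabled",
    "Verify Revocation Using Cached Client Certificate Only": "Disabled",
    "Usage Check": "Enabled",
    "Negotiate Client Certificate": "Enabled",
}

# Constructed sample: the binding after the guidance's commands have been run.
AFTER = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : <certificate hash placeholder>
    Application ID               : {<GUID placeholder>}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
"""

# Constructed sample: the same binding before client certificate negotiation
# was switched on.
BEFORE = AFTER.replace("Negotiate Client Certificate : Enabled",
                       "Negotiate Client Certificate : Disabled")


def parse_sslcert(output):
    """Return {ip:port: {label: value}} for every binding in the netsh output."""
    bindings, current = {}, None
    for line in output.splitlines():
        # Fields look like "Label   : value"; "IP:port" itself contains a colon,
        # so split on the padded separator rather than on the first colon.
        label, sep, value = line.partition(" : ")
        if not sep:
            continue  # banner, rule or blank line
        label, value = label.strip(), value.strip()
        if label == "IP:port":  # first field of each binding block
            current = bindings.setdefault(value, {})
        elif current is not None:
            current[label] = value
    return bindings


def audit_binding(output, ipport="0.0.0.0:443"):
    """List the settings on one binding that differ from REQUIRED."""
    binding = parse_sslcert(output).get(ipport)
    if binding is None:
        return ["no sslcert binding for " + ipport]
    findings = []
    for label, want in REQUIRED.items():
        got = binding.get(label, "<missing>")
        if got.lower() != want.lower():
            findings.append("%s: expected %s, found %s" % (label, want, got))
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_binding(text) or "binding matches the guidance")
```

Save the output of the final “netsh http show sslcert” command to a file and pass its contents to audit_binding; an empty list means the binding carries every option the guidance sets.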
5.3.2 Allow Upload of Policy Signing Certificate
1. Execute the following database query to enable the ability to upload a “Policy Signing
Certificate” to the MDM Server:
UPDATE dbo.SystemCodeCategory
SET ResourceID = 7192
WHERE SystemCodeCategoryID = 370
2. On the MDM Console Server and DS Server, open the AirWatch/AirWatch
9.0/Services/AW.ChangeEvent.QueueService.exe.config file in a text editor.
a. Add the following string to the file in the <appSettings></appSettings> section:
<!-- setting to enable TLS cert validation -->
<add key="ValidateSyslogCert" value="true"/>
b. On the MDM Console server, launch services.msc and restart the “AirWatch Entity Change
Queue Monitor” service.
3. On the MDM Console Server, open the AirWatch/AirWatch
9.0/Websites/WanderingWiFi.AirWatch.Console.Web/Web.config file in a text editor.
a. Add the following string to the file in the <appSettings></appSettings> section:
<!-- setting to enable TLS cert validation -->
<add key="ValidateSyslogCert" value="true"/>
b. On the MDM Console server, restart IIS by executing the iisreset command.
Once this has been done, the actual policy signing certificate is uploaded through the AirWatch Console
under Groups & Settings > System > Advanced > Policy Signing Certificate.
5.3.3 Specify TLS Configuration
1. On the MDM Console Server and DS Server, limit the TLS ciphersuites such that only the
claimed ciphers are enabled. All or a subset of the following TLS ciphersuites must be chosen:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
a. Launch Start > Run > “gpedit.msc”.
b. Navigate to “Computer Configuration” > “Administrative Templates” > “Network” > “SSL
Configuration Settings” > “SSL Cipher Suite Order”.
c. Enable “SSL Cipher Suite Order”.
d. Specify the claimed SSL cipher suites in the text box.
e. Click “Apply” then “OK”.
f. Restart the system.
The following steps are used to specify that TLS 1.0, TLS 1.1, and TLS 1.2 are the only supported TLS
versions:
2. On the MDM Console Server and DS Server, open the AirWatch/AirWatch
9.0/WebSites/WanderingWiFi.AirWatch.Console.Web/web.config and AirWatch/AirWatch
9.0/Services/AW.ChangeEvent.QueueService.exe.config files in a text editor.
a. Add the following string to the file in the <appSettings></appSettings> section:
<add key="OutboundTlsProtocols" value="Tls, Tls11, Tls12"/>
b. On the MDM Console and DS server, launch services.msc
c. Restart the “AirWatch Entity Change Queue Monitor” service.
TLS reference identifiers for the MDM Agent client are hard-coded and automatically set upon
enrollment; no administrative actions are required in order to configure this. Validation of the reference
identifier is automatically handled by IIS and so this does not require administrative action in order to use
in its evaluated configuration.
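A configuration check for the settings in sections 5.3.2 and 5.3.3, added here as an example and not taken from the AirWatch documentation: it confirms that an edited .config file still parses and carries the two appSettings keys, and that a cipher suite order string contains only the claimed suites. The sample files and suite strings are constructed, and the handling of a trailing curve name on ECDHE suites (for example _P256) is an assumption about how the Windows platform names them.

```python
import xml.etree.ElementTree as ET

# The eight cipher suites the guidance lists as claimed.
CLAIMED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
# Assumption: the platform may append the curve to ECDHE suite names
# (for example ..._GCM_SHA256_P256); the curve is ignored when comparing.
CURVES = ("_P256", "_P384", "_P521")

# appSettings values the guidance asks for, compared case-insensitively.
REQUIRED_SETTINGS = {
    "ValidateSyslogCert": {"true"},
    "OutboundTlsProtocols": {"tls", "tls11", "tls12"},
}

# Constructed sample files.
GOOD = """<configuration>
  <appSettings>
    <!-- setting to enable TLS cert validation -->
    <add key="ValidateSyslogCert" value="true"/>
    <add key="OutboundTlsProtocols" value="Tls, Tls11, Tls12"/>
  </appSettings>
</configuration>"""
# Same file with typographic quotes, as happens when a line is pasted from a
# word-processed document; it is no longer well-formed XML.
PASTED = GOOD.replace('"', "\u201d")
# Missing certificate validation and a protocol list that differs.
WEAK = """<configuration>
  <appSettings>
    <add key="OutboundTlsProtocols" value="Ssl3, Tls"/>
  </appSettings>
</configuration>"""


def unclaimed_suites(cipher_order):
    """Return the suites in a comma-separated order string that are not claimed."""
    extra = []
    for name in (s.strip() for s in cipher_order.split(",")):
        if not name:
            continue
        base = name
        for curve in CURVES:
            if name.endswith(curve):
                base = name[: -len(curve)]
                break
        if base not in CLAIMED_SUITES:
            extra.append(name)
    return extra


def audit_app_settings(config_text):
    """Return findings for one .config file; an empty list means it conforms."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        return ["not well-formed XML (%s)" % exc]
    found = {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            found[add.get("key")] = add.get("value", "")
    findings = []
    for key, want in REQUIRED_SETTINGS.items():
        if key not in found:
            findings.append("%s is missing" % key)
            continue
        got = {v.strip().lower() for v in found[key].split(",") if v.strip()}
        if got != want:
            findings.append("%s is %r" % (key, found[key]))
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD), ("pasted", PASTED), ("weak", WEAK)):
        print(name, audit_app_settings(text))
    print(unclaimed_suites("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,"
                           "TLS_RSA_WITH_RC4_128_SHA"))
```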
5.4 Installing and Verifying Product Updates
The VMware AirWatch MDM Server software is updated entirely through the underlying Windows
Server platform. The signing certificate used by AirWatch is provided by VeriSign and installed to the
Windows trusted key store. Software updates are made available to AirWatch customers at
http://www.air-watch.com. In order to install the update, the administrator will stop all AirWatch services
and then run the provided executable installer. If AirWatch is installed on the system, the installer will
automatically locate it. If the signature of the update cannot be validated by the platform, the installation
process will return an error and abort. Individual systems must be updated separately so the administrator
should take care to update both the MDM Console server and the DS server when updates are available.
The current running version of the software can be verified in the MDM Console under About.
6 Secure Management of the TOE
6.1 Audit Data
6.1.1 MDM Server and Agent Auditing
Both the VMware AirWatch MDM Server and VMware AirWatch MDM Agent produce audit logs of
their security-relevant behavior. Since the MAS Server is the same logical component as the MDM
Server, all auditable events for both components will be treated identically. The specific log types and
sample audit data are provided in section 7 of this guide.
By default, records that are transmitted remotely to syslog begin with a timestamp. The remainder of the
records use a configurable format that is specified in the AirWatch Console under Settings > System >
Enterprise Integration > Syslog and can be reorganized as desired. The default format is as follows:
AirWatch Syslog Details are as follows Event Type: {EventType}Event: {Event}User: {User}Event
Source: {EventSource}Event Module: {EventModule}Event Category: {EventCategory}Event Data:
{EventData}
The set of events that are audited can be configured as well. This can be managed under Groups &
Settings > System > Enterprise Integration > Syslog > Advanced. It is recommended that “Select All”
be chosen for both Console and Device events.
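A parser for the default record format shown above, added here as an example for the syslog collector side and not taken from the AirWatch documentation. Because the default format places no delimiter between one field's value and the next label, the parser splits on the labels in order and reports any label that occurs more than once before Event Data, since such a record cannot be split unambiguously. The sample records, their timestamp layout and all field values are constructed.

```python
import re

BANNER = "AirWatch Syslog Details are as follows"
# Labels in the order the default format emits them.
LABELS = ["Event Type", "Event", "User", "Event Source",
          "Event Module", "Event Category", "Event Data"]


def build_pattern():
    """Build one regex that walks the labels of the default format in order."""
    parts = [r"^(?P<prefix>.*?)", re.escape(BANNER)]
    for i, label in enumerate(LABELS):
        # Every field but the last is lazy: it ends where the next label starts.
        # The last field (Event Data) runs to the end of the record.
        quant = ".*?" if i < len(LABELS) - 1 else ".*"
        parts.append(r"\s*%s:\s*(?P<%s>%s)"
                     % (re.escape(label), label.replace(" ", ""), quant))
    return re.compile("".join(parts) + r"$", re.DOTALL)


RECORD_RE = build_pattern()

# Constructed sample records.
GOOD = ("2017-01-03 10:15:02 AirWatch Syslog Details are as follows "
        "Event Type: ConsoleEvent: LoginSuccessUser: jsmithEvent Source: User"
        "Event Module: LoginEvent Category: LoginEvent Data: constructed sample")
# A value that itself contains label text, so the split is ambiguous.
AMBIGUOUS = ("2017-01-03 10:16:40 AirWatch Syslog Details are as follows "
             "Event Type: ConsoleEvent: LoginFailureUser: helpdesk Event Source: "
             "floor 2Event Source: UserEvent Module: LoginEvent Category: Login"
             "Event Data: constructed sample")


def parse_record(line):
    """Return the fields of one record, or None if it is not in the default format.

    The result holds 'prefix' (everything before the banner, normally the
    timestamp), one entry per label with the spaces removed from its name, and
    'repeated_labels': labels seen more than once before the Event Data value.
    """
    text = line.strip()
    m = RECORD_RE.match(text)
    if m is None:
        return None
    fields = {name: value.strip() for name, value in m.groupdict().items()}
    head = text[m.end("prefix"):m.start("EventData")]
    fields["repeated_labels"] = [l for l in LABELS if head.count(l + ":") > 1]
    return fields


if __name__ == "__main__":
    for record in (GOOD, AMBIGUOUS, "Event Type=Console"):
        print(parse_record(record))
```

Records with a non-empty repeated_labels list are better kept for manual review than indexed by field; changing the configurable format so that each field ends in a delimiter character removes the ambiguity at the source.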
6.1.2 Storage of Audit Data
Audit data generated by AirWatch is always visible in the AirWatch Console under Hub > Reports &
Analytics > Events. This is further broken down into Device Events for audit records of Agent activity
and Console Events for audit records of Server activity. The only exception to this is Administrator login
history, which can also be viewed under Accounts > Administrators > System Activity > Login
Activity.
In the evaluated configuration, Syslog will be used as a permanent method of remote audit storage. Syslog
can be configured either under Settings > System > Enterprise Integration > Syslog or Hub > Reports
& Analytics > Events > Syslog (they point to the same location). In order to ensure that these
communications are secured, the “Secure TCP” setting must be chosen. In order to ensure the most
verbose logging is performed, “Kernel Messages” should be chosen under Syslog Facility. Other settings
such as hostname and port number should be defined based on the organization’s environment.
Audit data is streamed to the Syslog server as it is generated. When data is transmitted to the Syslog
server, it continues to be retained on the MDM Server. The MDM Server’s copy of the audit data is
retained indefinitely. Audit data of device activity is collected by the iOS native MDM agent. AirWatch
uses a push notification to request transmission of this data back to the MDM Server.
6.2 Checking Connectivity Status
The connectivity status between the VMware AirWatch MDM Server and an enrolled device can be
checked from both ends of the connection. An administrator on the MDM Console can check the
connectivity status of a particular device by navigating to Devices > List View, clicking the check box
next to the entry for that device, and selecting Query. The Last Seen column shows the connection status
of the device, and if the device is not connected, the last time the connection was active. To check
connectivity status from the agent side of the connection, launch the VMware AirWatch MDM Agent on
the mobile device and select My Device. The connectivity status will be displayed.
AirWatch will periodically check the status of enrolled devices for connectivity over an
administrator-defined time interval. This is configured globally for each individual device platform. The sampling
interval is configured under Groups & Settings > All Settings > Devices & Users > Apple > MDM
Sample Schedule. Different timers can be configured for sampling of different information about the
managed devices.
6.3 Device and Policy Configuration
The AirWatch MDM Console provides the ability to issue commands remotely to managed devices.
Devices can be viewed under Devices > List View. Selecting an individual device will open the Details
View page for that particular device. When issuing a command to the device, it may be handled on the
device side of the connection by either the VMware AirWatch MDM Agent or natively by iOS, but this is
transparent to both the user and administrator. The following table, taken from the VMware AirWatch
Mobile Device Management Security Target, lists the security functionality that is required by the
claimed Protection Profiles, whether the functionality is implemented on the device side by the VMware
AirWatch MDM Agent or natively by iOS, and the specific section of the Details View page for the
device where the particular command is issued.
Command / Implemented By
1. transition to the locked state – “Lock” button.
   Implemented By: Platform
2. full wipe of protected data – “More Actions” button > Device Wipe.
   Implemented By: VMware AirWatch MDM Agent
3. unenroll from management – “More Actions” button > Device Wipe.
   Implemented By: VMware AirWatch MDM Agent
4. install policies – assigned and applied to target devices at the creation or modification of a
   profile under Devices > Profiles.
   Implemented By: Platform
5. query connectivity status – “Query” button.
   Implemented By: VMware AirWatch MDM Agent (initiator) Platform (response)
6. query the current version of the MD firmware/software – “Query” button. Status shown in the
   main detail view page.
   Implemented By: VMware AirWatch MDM Agent (initiator) Platform (response)
7. query the current version of the hardware model of the device – “Query” button. Status shown
   in the main detail view page.
   Implemented By: VMware AirWatch MDM Agent (initiator) Platform (response)
8. query the current version of installed mobile applications – “Query” button. Status shown in
   the Apps tab under the main detail view page.
   Implemented By: VMware AirWatch MDM Agent (initiator) Platform (response)
9. import X.509v3 certificates into the Trust Anchor Database – assigned and applied to devices as
   part of a policy under the “Credentials” tab when defining the policy.
   Implemented By: Platform
10. install applications – Apps and Books tab, Details View. Admin will be prompted to define what
   devices an application is assigned to during definition or modification of the application. When
   the application is specified as automatic distribution, the installation is initiated by the TSF.
   Implemented By: Platform
13. remove Enterprise applications – can be removed in several ways:
   - specific application from a single device: Device details, Apps tab, Remove option (“X”)
     button for the desired application.
   - specific application from all devices: Apps and Books, App details, “Remove From All” button.
   Implemented By: Platform
14. wipe Enterprise data – “More Actions” button > Device Wipe.
   Implemented By: VMware AirWatch MDM Agent
15. remove imported X509v3 certificates – “More” tab > “Certificates”, Revoke option.
   Implemented By: Platform
16. alert the administrator – “Send” button. Note that this refers to alerting the administrator of
   the mobile device, not the Administrator for the MDM Server. This can be sent as an email, SMS,
   or push notification.
   Implemented By: Platform
22. place applications into application process groups – Apps & Books > Applications Settings >
   App Groups.
   Implemented By: VMware AirWatch MDM Server
Configuration policies for mobile devices are defined on the AirWatch MDM Console under Devices >
Profiles & Resources > Profiles. Existing profiles will be listed here and the Add > Add Profile option
allows for a new profile to be defined. When defining a new profile, an assignment to a Smart Group is
specified so that the profile is only applied to the relevant devices, users, and/or organizational members.
AirWatch provides a large number of device settings and policies that can be defined within a profile. The
following table, taken from the VMware AirWatch Mobile Device Management Security Target, lists the
security functionality that is required by the claimed Protection Profiles, whether the functionality is
implemented on the device side by the VMware AirWatch MDM Agent or natively by iOS, and the
specific section of the Add/Edit Profile dialog where the particular policy setting is configured.
24. password policy – defined in the Passcode properties of a profile.
   iOS Implementation: Platform
25. session locking policy – Defined in the Passcode properties of a profile.
   iOS Implementation: Platform
26. wireless networks (SSIDs) to which the MD may connect – Defined under the Wi-Fi properties of a profile. Note that a profile specifies only a single permitted SSID so if multiple SSIDs are permitted, multiple profiles must be assigned to the device.
   iOS Implementation: Platform
27. security policy for each wireless network – defined in the Wi-Fi properties of a profile, except for the permitted CA(s) which is specified under Credentials.
   iOS Implementation: Platform
28. application installation policy – groups of required, whitelisted, and/or blacklisted apps can be defined in Apps & Books > App Groups. Note that iOS does not provide a mechanism to pre-emptively enforce application whitelisting/blacklisting but the TOE can take corrective action if a compliance policy is defined to detect the presence of a blacklisted or non-whitelisted app.
   iOS Implementation: Platform
29. enable/disable policy for camera and microphone across MD – defined in the Restrictions properties of a profile.
   iOS Implementation: Platform
30. enable/disable policy for the VPN across the mobile device and on a per-app basis – defined in the VPN properties of a profile or in the “VPN Access” setting for an individual app assignment.
   iOS Implementation: Platform
35. enable policy for data-at-rest protection – For Apple devices, data-at-rest protection is automatically enabled if a passcode is set so this is configured under the Passcode properties of a profile.
   iOS Implementation: Platform
49. enable/disable backup – Defined in the Restrictions properties of a profile under the iCloud subcategory.
   iOS Implementation: Platform
53b. enable/disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g. using a fingerprint) – Defined in the Restrictions properties of a profile under the Device Functionality subcategory.
   iOS Implementation: Platform
53c. policies for which there are required configuration values in the mobile operating system STIG relevant to the MD – The act of defining profiles in general allows relevant STIG configuration values to be applied.
   iOS Implementation: Platform
53d. full wipe of all user data and applications not included in the out-of-the-box install – Accomplished through Factory Reset of the device from the Device Details view.
   iOS Implementation: VMware AirWatch MDM Agent
6.4 MAS Server Configuration
As with MDM policies, MAS Server capabilities are all configured through the AirWatch MDM Console.
Applications managed by the MAS Server are assigned to users via “smart groups”. A smart group
consists of one or more organization groups, user groups, and device characteristics. Smart groups are
listed under Groups & Settings > Groups > Assignment Groups. New smart groups can be created via
the Add Smart Group button on this page. Once a smart group has been created, it can be assigned to an
application. New applications are defined in the MAS Server under Apps & Books > Applications >
List View using the Add Application button. When adding a new application, the Assignment tab is
used to specify the initial smart group assignment. The Save & Assign button is used to commit this
assignment after uploading the app. Existing applications are also listed here. To modify the group
assignment for an existing application, select the application in the list view and select the Assign button,
followed by Update Assignment. In both cases, the Select Assignment Groups text box allows the
mapped group(s) to be specified.
Applications can also be grouped together when they share a common usage profile. The following types
of groups with the following properties can be defined:
• Whitelist: a device’s MDM Agent will notify the MDM Server if an app that is absent from the
whitelist is present on the device.
• Blacklist: a device’s MDM Agent will notify the MDM Server if an app that is present on the
blacklist is present on the device.
• Required: a device’s MDM Agent will notify the MDM Server if an app that is present on the
required list is absent from the device.
Note that iOS does not provide the capability to actively prevent unauthorized apps from being installed.
Because of this, AirWatch only has the ability to generate a reactive alert if any of the groups listed above
are violated. This is done through the use of Compliance Policies. To define a Compliance Policy,
navigate to Devices > Compliance Policies > List View and press the Add button. On the Rules tab,
application-related rules can be chosen using the Application List dropdown option. From here, the
Contains Non-Whitelisted App(s), Contains Blacklisted App(s), and Does Not Contain Required
App(s) options correspond to the violations listed above. Additional actions, such as sending an email to
the user or administrator or requiring a device check-in, can be specified in the Actions tab. The
Assignment tab, as with the application assignments themselves, allows the applicable smart groups for
this Compliance Policy to be assigned.
To create a new application group, navigate to Apps & Books > Applications Settings > App Groups >
Add Group. On the List tab, the type of group and the applications that belong to the group are specified,
and on the Assignment tab, the assigned organization group (mandatory) and user group (optional) are
specified.
When assigning an application to a group, the Push Mode option determines if the application is pushed
to the devices in the assigned group or simply permitted to be downloaded on demand at the device
owner’s discretion. iOS does not have the ability to force install apps, so when the Push Mode for the app
is set to Auto, users will receive a push notification prompting them to initiate the download of the app.
Updated versions of applications that are managed by the AirWatch MAS Server itself are loaded using
the Add Version button when in the Details View of a given application. Similar to a new application
being loaded onto the MAS Server, if the app is set to Push Mode, the user will be notified to initiate the
update when it has been uploaded. For apps that reside in the public App Store, users can be made aware
of app updates either through the AirWatch administrator adding the new version of the public app in the
MDM Console or through Apple’s own App Store notifications from the device itself.
6.5 Administrative Roles and Privileges
All administration of AirWatch is performed through the AirWatch Console. The AirWatch Console can
have multiple administrator accounts, each with differing roles and levels of privilege. Administrators are
viewed and managed under Accounts > Administrators. The List View option shows all administrators
defined by the AirWatch Console. New administrators are also defined here using the Add button.
Administrative privileges are derived from two sources: Role, which determines the read/write
permissions that the administrator has for various functions; and Organization Group, which defines the
scope of control over which the authorized functions can be performed. Roles can be created, modified,
and viewed under Accounts > Administrators > Roles. The Create Role dialog lists all the various
activities that can be assigned to a role and the ability to grant read and/or edit permissions for those
activities. Note that an administrator who is creating a new Role cannot define privileges for it that the
administrator’s current Role does not already have.
Organization Groups are derived from the connected Active Directory server and are defined in the
environment. However, data relating to these (such as child organizations) can be configured in the
AirWatch Console under Groups & Settings > Organization Groups > Organization Group Details.
The DoD Annex for Mobile Device Management mandates administrative separation of duties through
the use of several roles, each of which has a defined set of responsibilities. AirWatch accommodates the
ability to meet this mandate through a combination of pre-defined administrative roles and the ability to
create new roles with arbitrarily-defined privileges. The following table lists and describes the roles from
the DoD Annex and how to configure AirWatch to support them.
Role: Server primary administrator
Description: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts.
Configured By: Defined by default as “AirWatch Administrator” role.

Role: Security configuration administrator
Description: Responsible for security configuration of the server, setup and maintenance of mobile device profiles, definition of user groups, and setup and maintenance of the device user group administrator role, its members, and its permissions.
Configured By: Permissions defined under Accounts > Administrators, Accounts > Users, Device Management and subcategories for each.

Role: Device user group administrator
Description: Responsible for maintenance of user accounts, including setup, change of account configurations, and account deletion.
Configured By: Permissions defined under Accounts > Administrators and sub-categories.

Role: Auditor
Description: Responsible for review and maintenance of server and device audit logs.
Configured By: Defined by default as “Report Viewer” role.
6.6 Login Banner Configuration
The login page of the AirWatch Console is fully configurable, which includes the ability to configure the
warning banner. The AirWatch Console does not provide the ability to enter arbitrary text on the login
page but can be configured to display an image which contains the desired text. To configure the login
image, navigate to Groups & Settings > All Settings > System > Branding. The Login Page
Background field can be used to upload an image that contains the desired banner text.
7 Auditable Events
The following section lists the auditable events that are generated by AirWatch (Server and/or Agent) in
the course of executing its security functionality. As stated in the VMware AirWatch Mobile Device
Management Security Target, a number of functions are implemented by the underlying server operating
system and/or mobile device. For information about those events, refer to the Microsoft Windows Server
2012 and Apple iOS 9.3.2 supplemental guidance documentation. Note that the audit records generated in
this section use the default audit record format specified by AirWatch. As stated in section 6.1.1, the exact
syntax of audit records is modifiable for site-specific needs.
The table below lists sample audit records for each auditable event that is generated by the MDM Server
software. All data is logged to the AirWatch Console/Syslog unless otherwise specified.
Requirement: FAU_ALT_EXT.1 [SERVER]
Auditable Event(s): Type of alert
Sample Audit Record:
Nov 9 15:45:03 172.16.72.18 November 09 20:45:05 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: DeviceQueryRequestedUser: testadminEvent
Source: ServerEvent Module: DeviceDetailsEvent Category:
DeviceEvent Data: Device=niaptestAD iPad iOS 9.3.4
FP84;LoginSessionID=mchytqm4w4wdDevice Friendly Name:
niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

Requirement: FAU_GEN.1(1)
Auditable Event(s): Start-up and shutdown of the MDM Server software
Sample Audit Record:
(Logged to Windows Event Log) Information | 11/16/2016
3:54:42 PM | IIS-IISReset | 3202 | None | IIS stop command
received from NIAPAW\administrator. The logged data is the
status code.

Requirement: FAU_GEN.1(1)
Auditable Event(s): Administrative actions
Sample Audit Record:
Oct 31 14:49:45 172.16.72.18 October 31 18:49:45 AirWatch
AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: UserAddedUser: AdministratorEvent Source:
ServerEvent Module: AdministrationEvent Category:
UserManagementEvent Data:
User=NIAPTest;LoginSessionID=nx2yfpkcuhr2
Event Timestamp: October 31, 2016 18:49:45

Requirement: FAU_GEN.1(1)
Auditable Event(s): Commands issued from MDM Server to an MDM Agent
Sample Audit Record:
Nov 9 17:33:28 172.16.72.18 November 09 22:33:29 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: ProfilePublishedUser: AdministratorEvent Source:
ServerEvent Module: ProfilesEvent Category: ProfilesEvent Data:
Profile=testclient_ocsp;LoginSessionID=gy1ijzm5jbvzDevice
Friendly Name: N/AEnrollment User: N/A

Requirement: FAU_GEN.1(1)
Auditable Event(s): Detection of blacklisted apps
Sample Audit Record:
Nov 9 15:37:02 172.16.72.18 November 09 20:37:03 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: ComplianceStatusChangedUser: sysadminEvent
Source: ServerEvent Module: ComplianceEvent Category:
ComplianceStatusEvent Data:
ComplianceStatus=NonCompliant;CompliancePolicy=Application
List - UFC disallowedDevice Friendly Name: niaptestAD iPad
iOS 9.3.5 FP84Enrollment User: niaptestAD

Requirement: FAU_GEN.1(1)
Auditable Event(s): Required app(s) missing
Sample Audit Record:
Nov 9 15:46:48 172.16.72.18 November 09 20:46:49 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: ComplianceStatusChangedUser: sysadminEvent
Source: ServerEvent Module: ComplianceEvent Category:
ComplianceStatusEvent Data:
ComplianceStatus=NonCompliant;CompliancePolicy=Application
List - Weather missingDevice Friendly Name: niaptestAD iPad
iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 15:45:03 172.16.72.18 November 09 20:45:05 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: DeviceQueryRequestedUser: testadminEvent
Source: ServerEvent Module: DeviceDetailsEvent Category:
DeviceEvent Data: Device=niaptestAD iPad iOS 9.3.4
FP84;LoginSessionID=mchytqm4w4wdDevice Friendly Name:
niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 15:45:04 172.16.72.18 November 09 20:45:05 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: SecurityInformationRequestedUser: testadminEvent
Source: ServerEvent Module: DashboardEvent Category:
CommandEvent Data: Device Friendly Name: niaptestAD iPad
iOS 9.3.4 FP84Enrollment User: niaptestAD

Requirement: FAU_GEN.1(1)
Auditable Event(s): Jailbroken or rooted device
Sample Audit Record:
Nov 9 15:45:18 172.16.72.19 November 09 20:45:19 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: SecurityInformationConfirmedUser: sysadminEvent
Source: DeviceEvent Module: DevicesEvent Category:
CommandEvent Data: Device Friendly Name: niaptestAD iPad
iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 15:45:23 172.16.72.19 November 09 20:45:24 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: DeviceInformationConfirmedUser: sysadminEvent
Source: DeviceEvent Module: DevicesEvent Category:
CommandEvent Data: Device Friendly Name: niaptestAD iPad
iOS 9.3.4 FP84Enrollment User: niaptestAD
Nov 9 16:39:32 172.16.72.19 November 09 21:39:33 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: CheckInUser: sysadminEvent Source: DeviceEvent
Module: DevicesEvent Category: DeliveryEvent Data:
Application=;ApplicationVersion=;BytesReceived=82Device
Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User:
niaptestAD

Requirement: FAU_GEN.1(1)
Auditable Event(s): Unapproved device model/version
Sample Audit Record:
Nov 9 15:52:02 172.16.72.18 November 09 20:52:03 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: ComplianceStatusChangedUser: sysadminEvent
Source: ServerEvent Module: ComplianceEvent Category:
ComplianceStatusEvent Data:
ComplianceStatus=NonCompliant;CompliancePolicy=OS Version
- Disallowed if greater than 9.3.3Device Friendly Name:
niaptestAD iPad iOS 9.3.5 FP84Enrollment User: niaptestAD

Requirement: FAU_GEN.1(2)/Server
Auditable Event(s): Failure to push a new application on a managed mobile device
Sample Audit Record:
Nov 3 09:33:57 172.16.72.19 November 03 13:33:57 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: InstallApplicationFailedUser: sysadminEvent
Source: ServerEvent Module: DevicesEvent Category:
CommandEvent Data:
ErrorCode=Pending;Application=;ApplicationVersion=;Applicati
onType=;BytesReceived=0Device Friendly Name: niapuser1 iPad
iOS 9.3.5 FP84Enrollment User: niapuser1

Requirement: FAU_GEN.1(2)/Server
Auditable Event(s): Failure to update an existing application on a managed mobile device
Sample Audit Record:
Nov 3 09:33:57 172.16.72.19 November 03 13:33:57 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: InstallApplicationFailedUser: sysadminEvent
Source: ServerEvent Module: DevicesEvent Category:
CommandEvent Data:
ErrorCode=Pending;Application=;ApplicationVersion=;Applicati
onType=;BytesReceived=0Device Friendly Name: niapuser1 iPad
iOS 9.3.5 FP84Enrollment User: niapuser1

Requirement: FIA_ENR_EXT.1 [SERVER]
Auditable Event(s): Failure of MD user authentication
Sample Audit Record:
(In AirWatch Console) Information | 11/17/2016 10:43 AM | | |
Device | Enrollment | Authentication | User Enrollment
Authentication Failure | User Enrollment Name - chris4

Requirement: FMT_MOF.1(1) [SERVER]
Auditable Event(s): Issuance of command to perform function
Sample Audit Record:
Nov 2 10:51:58 172.16.72.19 November 02 14:51:59 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: ActivationLockBypassCodeSampleSaveUser:
sysadminEvent Source: DeviceEvent Module: DevicesEvent
Category: DeviceEvent Data: BytesReceived=553Device Friendly
Name: niapuser1 ipad iOS 9.3.5 FP84Enrollment User: niapuser1

Requirement: FMT_MOF.1(1) [SERVER]
Auditable Event(s): Change of policy settings
Sample Audit Record:
Nov 11 10:26:49 172.16.72.18 November 11 15:26:51 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: CompliancePolicyCreatedUser:
AdministratorEvent Source: ServerEvent Module:
ComplianceEvent Category: CompliancePolicyEvent Data:
PolicyName=Application
List;CompliancePolicyRule=Application List Contains
Blacklisted
App(s)<br/>;LocationGroup=Global;SupportedPlatform=Apple;C
ompliancePolicyAction=Immediately perform the following
actions<br/>Notify - Send Email to
User;MatchRules=All;AssignedSmartGroups=all @ NIAP
Test<br/>NIAP Smart Group Restricted @ NIAP
Test;ExcludedSmartGroups=N/ADevice Friendly Name:
N/AEnrollment User: N/A

Requirement: FMT_MOF.1(2) [SERVER]
Auditable Event(s): Enrollment by a user.
Sample Audit Record:
Nov 2 10:51:44 172.16.72.19 November 02 14:51:44 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
DeviceEvent: MDMEnrollmentCompleteUser: sysadminEvent
Source: ServerEvent Module: EnrollmentEvent Category:
EnrollmentEvent Data: Device Friendly Name: niapuser1 iPad
iOS 9.3.5 FP84Enrollment User: niapuser1

Requirement: FMT_SMF.1(2) [SERVER]
Auditable Event(s): Success or failure of function
Sample Audit Record:
Nov 10 16:20:36 172.16.72.18 November 10 21:20:37 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
ConsoleEvent:
AppleMdmSampleScheduleSettingChangedSuccessUser:
AdministratorEvent Source: ServerEvent Module:
AdministrationEvent Category: SystemSettingsEvent Data:
LoginSessionID=bigij2deztokDevice Friendly Name:
N/AEnrollment User: N/A
Jan 5 11:50:00 172.16.72.18 January 05 16:50:08 AirWatch NIAP
AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: EnrollmentAuthenticationSettingChangedUser:
AdministratorEvent Source: ServerEvent Module:
AdministrationEvent Category:SystemSettingsEvent Data:
DevicesEnrollmentMode=RegisteredDevicesOnlyDevice Friendly
Name: N/AEnrollment User: N/A

Requirement: FTA_TAB.1
Auditable Event(s): Change in banner setting
Sample Audit Record:
Nov 15 13:42:32 172.16.72.18 November 15 18:42:33 AirWatch
NIAP AirWatch Syslog Details are as follows Event Type:
ConsoleEvent: BrandingChangedUser: AdministratorEvent
Source: ServerEvent Module: SettingsEvent Category:
SystemSettingsEvent Data:
LoginSessionID=mnwzy1x4m5ioDevice Friendly Name:
N/AEnrollment User: N/A

In addition to the auditing that is performed by the MDM Server, MDM Agents also perform their own
auditing so that audit data for both ends of the connection can be examined as needed for consistency.
The following table lists the auditable events for the MDM Agent software along with sample audit
record data for each event. Note that since the MDM Agent software performs persistent auditing, startup
and shutdown of its auditing functions is synonymous with startup and shutdown of the app itself which is
audited by the underlying iOS platform.

Requirement: FAU_ALT_EXT.2
Auditable Event(s): Type of alert
Sample Audit Record:
Nov 9 15:45:18 172.16.72.19 November 09 20:45:19
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: DeviceEvent:
SecurityInformationConfirmedUser: sysadminEvent Source:
DeviceEvent Module: DevicesEvent Category:
CommandEvent Data: Device Friendly Name: niaptestAD iPad
iOS 9.3.4 FP84Enrollment User: niaptestAD

Requirement: FAU_GEN.1(2)/Agent
Auditable Event(s): Change in MDM policy
Sample Audit Record:
Nov 9 17:35:07 172.16.72.19 November 09 22:35:08
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: DeviceEvent: InstallProfileConfirmedUser:
sysadminEvent Source: DeviceEvent Module: DevicesEvent
Category: CommandEvent Data:
Profile=testclient_ocspDevice Friendly Name: niaptestAD
iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

Requirement: FAU_GEN.1(2)/Agent
Auditable Event(s): Any modification commanded by the MDM Server
Sample Audit Record:
Nov 3 09:02:09 172.16.72.19 November 03 13:02:10
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: DeviceEvent: DeviceLockConfirmedUser:
sysadminEvent Source: DeviceEvent Module: DevicesEvent
Category: CommandEvent Data: Device Friendly Name:
niapuser1 iPad iOS 9.3.5 FP84Enrollment User: niapuser1

Requirement: FIA_ENR_EXT.2
Auditable Event(s): Enrollment in management.
Sample Audit Record:
Nov 10 09:20:28 172.16.72.19 November 10 14:20:29
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: DeviceEvent: MDMEnrollmentCompleteUser:
sysadminEvent Source: ServerEvent Module: EnrollmentEvent
Category: EnrollmentEvent Data: Device Friendly Name:
niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD

Requirement: FMT_POL_EXT.2
Auditable Event(s): Failure of policy validation.
Sample Audit Record:
Nov 10 09:20:37 172.16.72.19 November 10 14:20:38
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: DeviceEvent: InstallProfileFailedUser:
sysadminEvent Source: ServerEvent Module: DevicesEvent
Category: CommandEvent Data: ErrorCode=1000 Invalid
Profile;Profile=FAU_ALT_EXT.1.1 - 002 Part 2Device
Friendly Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment
User: niaptestAD

Requirement: FMT_SMF_EXT.3
Auditable Event(s): Success or failure of function.
Sample Audit Record:
Nov 10 16:20:36 172.16.72.18 November 10 21:20:37
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: ConsoleEvent:
AppleMdmSampleScheduleSettingChangedSuccessUser:
AdministratorEvent Source: ServerEvent Module:
AdministrationEvent Category: SystemSettingsEvent Data:
LoginSessionID=bigij2deztokDevice Friendly Name:
N/AEnrollment User: N/A

Requirement: FMT_UNR_EXT.1
Auditable Event(s): Attempt to unenroll.
Sample Audit Record:
Nov 11 09:15:53 172.16.72.19 November 11 14:15:55
AirWatch NIAP AirWatch Syslog Details are as follows
Event Type: DeviceEvent: BreakMDMConfirmedUser:
sysadminEvent Source: DeviceEvent Module: DevicesEvent
Category: CommandEvent Data: Device Friendly Name:
niaptestlimit iPad iOS 9.3.4 FP84Enrollment User:
niaptestlimit
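
The sample records in this section share one layout, so they can be parsed and the server-side and agent-side records compared for consistency. The Python below is an added example, not part of the AirWatch guidance or product. It assumes the default record format seen in the samples, with the field labels Event Type, Event, User, Event Source, Event Module, Event Category, Event Data, Device Friendly Name and Enrollment User inferred from them; the function names are illustrative.

```python
import re

# Default record layout as shown in the page's samples. A value and the next
# label run together with no separator ("...PublishedUser: AdministratorEvent
# Source: Server..."), so each field is matched lazily up to the next label.
RECORD = re.compile(
    r"^(?P<received>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"Event Type:\s*(?P<type>\w+?)\s*Event:\s*(?P<event>\w+?)\s*"
    r"User:\s*(?P<user>.*?)\s*Event Source:\s*(?P<source>\w+?)\s*"
    r"Event Module:\s*(?P<module>\w+?)\s*Event Category:\s*(?P<category>\w+?)\s*"
    r"Event Data:\s*(?P<data>.*?)\s*Device Friendly Name:\s*(?P<device>.*?)\s*"
    r"Enrollment User:\s*(?P<enrollment_user>.*)$"
)

def parse_record(line):
    """Parse one audit record into a dict, or return None if the layout differs."""
    m = RECORD.match(" ".join(line.split()))  # collapse whitespace and line wraps
    if m is None:
        return None
    rec = m.groupdict()
    # Event Data is a ';'-separated list of key=value pairs and may be empty.
    rec["data"] = dict(p.split("=", 1) for p in rec["data"].split(";") if "=" in p)
    return rec

def findings(records):
    """Records an analyst would review first, as (reason, record) pairs."""
    out = []
    for r in records:
        if r["data"].get("ComplianceStatus") == "NonCompliant":
            out.append(("non-compliant: " + r["data"].get("CompliancePolicy", "?"), r))
        elif r["event"].endswith("Failed"):
            out.append(("failed: " + r["data"].get("ErrorCode", "?"), r))
        elif r["event"] == "BreakMDMConfirmed":  # the "Attempt to unenroll" sample
            out.append(("unenroll attempt", r))
    return out

def profile_delivery(records):
    """Return ({(profile, device): result event}, {published profiles with no result})."""
    published, results = set(), {}
    for r in records:
        name = r["data"].get("Profile")
        if name is None:
            continue
        if r["event"] == "ProfilePublished":          # server side
            published.add(name)
        elif r["event"] in ("InstallProfileConfirmed", "InstallProfileFailed"):
            results[(name, r["device"])] = r["event"]  # device side
    return results, published - {name for name, _ in results}

# Sample records taken from the tables on this page, each joined onto one line.
HDR = " AirWatch NIAP AirWatch Syslog Details are as follows Event Type: "
SAMPLES = [
    "Nov 9 17:33:28 172.16.72.18 November 09 22:33:29" + HDR +
    "ConsoleEvent: ProfilePublishedUser: AdministratorEvent Source: ServerEvent Module: "
    "ProfilesEvent Category: ProfilesEvent Data: Profile=testclient_ocsp;"
    "LoginSessionID=gy1ijzm5jbvzDevice Friendly Name: N/AEnrollment User: N/A",
    "Nov 9 17:35:07 172.16.72.19 November 09 22:35:08" + HDR +
    "DeviceEvent: InstallProfileConfirmedUser: sysadminEvent Source: DeviceEvent Module: "
    "DevicesEvent Category: CommandEvent Data: Profile=testclient_ocspDevice Friendly "
    "Name: niaptestAD iPad iOS 9.3.4 FP84Enrollment User: niaptestAD",
    "Nov 10 09:20:37 172.16.72.19 November 10 14:20:38" + HDR +
    "DeviceEvent: InstallProfileFailedUser: sysadminEvent Source: ServerEvent Module: "
    "DevicesEvent Category: CommandEvent Data: ErrorCode=1000 Invalid Profile;"
    "Profile=FAU_ALT_EXT.1.1 - 002 Part 2Device Friendly Name: niaptestAD iPad iOS 9.3.4 "
    "FP84Enrollment User: niaptestAD",
    "Nov 9 15:37:02 172.16.72.18 November 09 20:37:03" + HDR +
    "DeviceEvent: ComplianceStatusChangedUser: sysadminEvent Source: ServerEvent Module: "
    "ComplianceEvent Category: ComplianceStatusEvent Data: ComplianceStatus=NonCompliant;"
    "CompliancePolicy=Application List - UFC disallowedDevice Friendly Name: niaptestAD "
    "iPad iOS 9.3.5 FP84Enrollment User: niaptestAD",
    "Nov 11 09:15:53 172.16.72.19 November 11 14:15:55" + HDR +
    "DeviceEvent: BreakMDMConfirmedUser: sysadminEvent Source: DeviceEvent Module: "
    "DevicesEvent Category: CommandEvent Data: Device Friendly Name: niaptestlimit iPad "
    "iOS 9.3.4 FP84Enrollment User: niaptestlimit",
]
RECORDS = [r for r in map(parse_record, SAMPLES) if r is not None]

if __name__ == "__main__":
    for reason, r in findings(RECORDS):
        print(r["received"], r["host"], r["device"], "->", reason)
    print(profile_delivery(RECORDS))
```

Because the default layout has no delimiter between a value and the next label, a value that itself contains a label string (a device friendly name, for instance) shifts every later field, so parsed values that originate on the device should be treated as unverified.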
8 Operational Modes
AirWatch does not have distinct operational modes. Adherence to this guidance is necessary to ensure
that it has been deployed in a Common Criteria compliant manner.
9 Additional Support
While reading this documentation you may encounter references to documents that are not included here.
You can access this documentation through the AirWatch Resources page (https://resources.airwatch.com) on myAirWatch.
Note: Always pull the document from AirWatch Resources each time you reference it.
To search for and access documentation on AirWatch Resources:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page
displays a list of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down menu in the search parameters to filter a displayed
list of documents. This selection limits the search to documentation that is specific to your version of
AirWatch.
4. Access documentation using the following methods:
• Select a resource category on the left to view all documents in that category. For example, select
Documentation to view the entire technical documentation set. Select Platform to view only
platform guides.
• Search for a particular resource using the search box in the top-right by entering keywords or
document names.
• Add a document to your favorites and it appears in My Resources. Access documents you saved
as a Favorite by selecting myAirWatch from the navigation bar. Then select My Resources from
the toolbar.
• Download a PDF of a document by selecting the button.
Note, however, that documentation is frequently updated with the latest bug fixes and feature
enhancements. Always pull the document from AirWatch Resources each time you want to reference it.