STIGQter: STIG Summary

Unified Endpoint Management Agent Security Requirements Guide

Version: 1

Release: 1

Benchmark Date: 20 Nov 2020

SV-234235r617416_rule: The UEM Agent must provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events:
- successful application of policies to a mobile device
- receiving or generating periodic reachability events
- change in enrollment state
- failure to install an application from the UEM Server
- failure to update an application from the UEM Server

SV-234236r617390_rule: The UEM Agent must generate a UEM Agent audit record of the following auditable events:
- startup and shutdown of the UEM Agent
- UEM policy updated
- any modification commanded by the UEM Server

SV-234237r617354_rule: The UEM Agent must be configured to enable the following function: read audit logs of the managed endpoint device.

SV-234238r617417_rule: The UEM Agent must record within each UEM Agent audit record the following information:
- date and time of the event
- type of event
- subject identity
- (if relevant) the outcome (success or failure) of the event

SV-234239r617354_rule: The UEM Agent must not install policies if the policy-signing certificate is deemed invalid.

SV-234240r617354_rule: The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys.

SV-234241r617354_rule: The UEM Agent must queue alerts if the trusted channel is not available.

SV-234242r617354_rule: The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to a UEM Server or third-party audit management server.

SV-234243r617354_rule: The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.

SV-234244r617354_rule: The UEM Agent must perform the following function: import the certificates to be used for authentication of UEM Agent communications.

SV-234245r617354_rule: The UEM Agent must record the reference identifier of the UEM Server during the enrollment process.

SV-234246r617392_rule: The UEM Agent must perform the following functions:
- enroll in management
- configure whether users can unenroll from management
- configure the periodicity of reachability events

SV-234247r617393_rule: The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management:
- prevent the unenrollment from occurring
- wipe the device to factory default settings
- wipe the work profile with all associated applications and data

SV-234248r617402_rule: All UEM Agent cryptography supporting DoD functionality must be FIPS 140-2 validated.