Verify the UEM Agent provides an alert via the trusted channel to the UEM Server in the event of any of the following audit events:
- successful application of policies to a mobile device
- receiving or generating periodic reachability events
- change in enrollment state
- failure to install an application from the UEM Server
- failure to update an application from the UEM Server

If the UEM Agent does not provide an alert via the trusted channel to the UEM Server for any of these audit events, this is a finding.
Configure the UEM Agent to provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events:
- successful application of policies to a mobile device
- receiving or generating periodic reachability events
- change in enrollment state
- failure to install an application from the UEM Server
- failure to update an application from the UEM Server
Verify the UEM Agent generates a UEM Agent audit record for each of the following auditable events:
- startup and shutdown of the UEM Agent
- UEM policy updated
- any modification commanded by the UEM Server

If the UEM Agent does not generate a UEM Agent audit record for each of these auditable events, this is a finding.
Configure the UEM Agent to generate a UEM Agent audit record for each of the following auditable events:
- startup and shutdown of the UEM Agent
- UEM policy updated
- any modification commanded by the UEM Server
Verify the UEM Agent has enabled the following function: read audit logs of the managed endpoint device. If the UEM Agent has not enabled the following function: read audit logs of the managed endpoint device, this is a finding.
Configure the UEM Agent to enable the following function: read audit logs of the managed endpoint device.
Verify the UEM Agent records within each UEM Agent audit record the following information:
- date and time of the event
- type of event
- subject identity
- (if relevant) the outcome (success or failure) of the event

If the UEM Agent does not record all of this information within each UEM Agent audit record, this is a finding.
Configure the UEM Agent to record within each UEM Agent audit record the following information:
- date and time of the event
- type of event
- subject identity
- (if relevant) the outcome (success or failure) of the event
Verify the UEM Agent does not install policies if the policy-signing certificate is deemed invalid. If the UEM Agent installs policies when the policy-signing certificate is deemed invalid, this is a finding.
Configure the UEM Agent to not install policies if the policy-signing certificate is deemed invalid.
This requirement is not applicable if the UEM Agent is provided by the managed endpoint device operating system. Verify the UEM Agent uses the managed endpoint device key storage for all persistent secret and private keys. If the UEM Agent does not use the managed endpoint device key storage for all persistent secret and private keys, this is a finding.
Configure the UEM Agent to use the managed endpoint device key storage for all persistent secret and private keys.
Verify the UEM Agent queues alerts if the trusted channel is not available. If the UEM Agent does not queue alerts if the trusted channel is not available, this is a finding.
Configure the UEM Agent to queue alerts if the trusted channel is not available.
Verify the UEM Agent has enabled the following function: transfer managed endpoint device audit logs read by the UEM Agent to a UEM Server or third-party audit management server. If the UEM Agent has not enabled this function, this is a finding.
Configure the UEM Agent to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to a UEM Server or third-party audit management server.
Verify the UEM Agent only accepts policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. If the UEM Agent accepts any policy or policy update that is not digitally signed by a certificate authorized for policy updates by the UEM Server, this is a finding.
Configure the UEM Agent to only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.
Verify the UEM Agent performs the following function: import the certificates to be used for authentication of UEM Agent communications. If the UEM Agent does not perform this function, this is a finding.
Configure the UEM Agent to perform the following function: import the certificates to be used for authentication of UEM Agent communications.
Verify the UEM Agent records the reference identifier of the UEM Server during the enrollment process. If the UEM Agent does not record the reference identifier of the UEM Server during the enrollment process, this is a finding.
Configure the UEM Agent to record the reference identifier of the UEM Server during the enrollment process.
Verify the UEM Agent performs the following functions:
- enroll in management
- configure whether users can unenroll from management
- configure the periodicity of reachability events

If the UEM Agent does not perform all of these functions, this is a finding.
Configure the UEM Agent to perform the following functions:
- enroll in management
- configure whether users can unenroll from management
- configure the periodicity of reachability events
Verify the UEM Agent performs one of the following actions upon an attempt to unenroll the mobile device from management:
- prevent the unenrollment from occurring
- wipe the device to factory default settings
- wipe the work profile with all associated applications and data

If the UEM Agent does not perform one of these actions upon an attempt to unenroll the mobile device from management, this is a finding.
Configure the UEM Agent to perform one of the following actions upon an attempt to unenroll the mobile device from management:
- prevent the unenrollment from occurring
- wipe the device to factory default settings
- wipe the work profile with all associated applications and data
Verify all UEM Agent cryptography supporting DoD functionality is FIPS 140-2 validated. If all UEM Agent cryptography supporting DoD functionality is not FIPS 140-2 validated, this is a finding.
Configure the UEM Agent cryptography supporting DoD functionality for FIPS 140-2 mode.