Unified Endpoint Management Agent Security Requirements Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Supporting documents 4 PDFs
Bundled by DISA alongside this STIG release: overview, revision history, and readme files. Download the full archive or open an individual PDF.
Digest of Updates ✎ 9
Comparison against the immediately-prior release (V2R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Content changes 9
- V-234235 Medium description The UEM Agent must provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events: -successful application of policies to a mobile device -receiving or generating periodic reachability events -change in enrollment state -failure to install an application from the UEM Server -failure to update an application from the UEM Server.
- V-234236 Medium description The UEM Agent must generate a UEM Agent audit record of the following auditable events:-startup and shutdown of the UEM Agent-UEM policy updated-any modification commanded by the UEM Server.
- V-234237 Medium description The UEM Agent must be configured to enable the following function: read audit logs of the managed endpoint device.
- V-234238 Medium description The UEM Agent must record within each UEM Agent audit record the following information: -date and time of the event -type of event -subject identity -(if relevant) the outcome (success or failure) of the event.
- V-234240 Medium description The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys.
- V-234242 Medium description The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server.
- V-234246 Medium description The UEM Agent must perform the following functions: -enroll in management -configure whether users can unenroll from management -configure periodicity of reachability events.
- V-234247 Medium description The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management: -prevent the unenrollment from occurring -wipe the device to factory default settings -wipe the work profile with all associated applications and data.
- V-234248 High descriptioncheckfix All UEM Agent cryptography supporting DoW functionality must be FIPS 140-3 validated.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000169
- Version
- SRG-APP-000089-UEM-100002
- Vuln IDs
-
- V-234235
- Rule IDs
-
- SV-234235r1213329_rule
Checks: C-37420r1207964_chk
Verify the UEM Agent provides an alert via the trusted channel to the UEM Server in the event of any of the following audit events: -successful application of policies to a mobile device -receiving or generating periodic reachability events -change in enrollment state -failure to install an application from the UEM Server -failure to update an application from the UEM Server. If the UEM Agent does not provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events: -successful application of policies to a mobile device -receiving or generating periodic reachability events -change in enrollment state -failure to install an application from the UEM Server -failure to update an application from the UEM Server this is a finding.
Fix: F-37385r1207965_fix
Configure the UEM Agent to provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events: -successful application of policies to a mobile device -receiving or generating periodic reachability events -change in enrollment state -failure to install an application from the UEM Server -failure to update an application from the UEM Server.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000169
- Version
- SRG-APP-000089-UEM-100004
- Vuln IDs
-
- V-234236
- Rule IDs
-
- SV-234236r1213330_rule
Checks: C-37421r1207967_chk
Verify the UEM Agent generates an UEM Agent audit record of the following auditable events: -Startup and shutdown of the UEM Agent -UEM policy updated -any modification commanded by the UEM Server. If the UEM Agent does not generate an UEM Agent audit record of the following auditable events: -Startup and shutdown of the UEM Agent -UEM policy updated -any modification commanded by the UEM Server this is a finding.
Fix: F-37386r612015_fix
Configure the UEM Agent to generate an UEM Agent audit record of the following auditable events: -Startup and shutdown of the UEM Agent -UEM policy updated -any modification commanded by the UEM Server.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000169
- Version
- SRG-APP-000089-UEM-100012
- Vuln IDs
-
- V-234237
- Rule IDs
-
- SV-234237r1213331_rule
Checks: C-37422r612017_chk
Verify the UEM Agent has enabled the following function: read audit logs of the managed endpoint device. If the UEM Agent has not enabled the following function: read audit logs of the managed endpoint device, this is a finding.
Fix: F-37387r612018_fix
Configure the UEM Agent to enable the following function: read audit logs of the managed endpoint device.
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000132
- Version
- SRG-APP-000097-UEM-100005
- Vuln IDs
-
- V-234238
- Rule IDs
-
- SV-234238r1213332_rule
Checks: C-37423r1207970_chk
Verify the UEM Agent records within each UEM Agent audit record the following information: -Date and time of the event -type of event -subject identity -(if relevant) the outcome (success or failure) of the event. If the UEM Agent does not record within each UEM Agent audit record the following information: -Date and time of the event -type of event -subject identity -(if relevant) the outcome (success or failure) of the event this is a finding.
Fix: F-37388r612021_fix
Configure the UEM Agent to record within each UEM Agent audit record the following information: -Date and time of the event -type of event -subject identity -(if relevant) the outcome (success or failure) of the event.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- SRG-APP-000175-UEM-100008
- Vuln IDs
-
- V-234239
- Rule IDs
-
- SV-234239r1213333_rule
Checks: C-37424r612023_chk
Verify the UEM Agent does not install policies if the policy-signing certificate is deemed invalid. If the UEM Agent installs policies when the policy-signing certificate is deemed invalid, this is a finding.
Fix: F-37389r612024_fix
Configure the UEM Agent to not install policies if the policy-signing certificate is deemed invalid.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000186
- Version
- SRG-APP-000176-UEM-100001
- Vuln IDs
-
- V-234240
- Rule IDs
-
- SV-234240r1213334_rule
Checks: C-37425r612026_chk
This requirement is not applicable if the UEM Agent is provided by the managed endpoint device operating system. Verify the UEM Agent uses the managed endpoint device key storage for all persistent secret and private keys. If the UEM Agent does not use the managed endpoint device key storage for all persistent secret and private keys, this is a finding.
Fix: F-37390r612027_fix
Configure the UEM Agent must use the managed endpoint device key storage for all persistent secret and private keys.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- SRG-APP-000358-UEM-100003
- Vuln IDs
-
- V-234241
- Rule IDs
-
- SV-234241r1213335_rule
Checks: C-37426r612029_chk
Verify the UEM Agent queues alerts if the trusted channel is not available. If the UEM Agent does not queue alerts if the trusted channel is not available, this is a finding.
Fix: F-37391r612030_fix
Configure the UEM Agent to queue alerts if the trusted channel is not available.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- SRG-APP-000358-UEM-100013
- Vuln IDs
-
- V-234242
- Rule IDs
-
- SV-234242r1213336_rule
Checks: C-37427r612032_chk
Verify the UEM Agent has enabled the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server. If the UEM Agent has not enabled the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server, this is a finding.
Fix: F-37392r612033_fix
Configure the UEM Agent to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server.
- RMF Control
- SC-23
- Severity
- M
- CCI
- CCI-002470
- Version
- SRG-APP-000427-UEM-100007
- Vuln IDs
-
- V-234243
- Rule IDs
-
- SV-234243r1213337_rule
Checks: C-37428r612035_chk
Verify the UEM Agent only accepts policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. If the UEM Agent does not only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server, this is a finding.
Fix: F-37393r612036_fix
Configure the UEM Agent to only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.
- RMF Control
- SC-23
- Severity
- M
- CCI
- CCI-002470
- Version
- SRG-APP-000427-UEM-100009
- Vuln IDs
-
- V-234244
- Rule IDs
-
- SV-234244r1213338_rule
Checks: C-37429r612038_chk
Verify the UEM Agent performs the following functions: Import the certificates to be used for authentication of UEM Agent communications. If the UEM Agent does not perform the following functions: Import the certificates to be used for authentication of UEM Agent communications, this is a finding.
Fix: F-37394r612039_fix
Configure the UEM Agent to perform the following functions: Import the certificates to be used for authentication of UEM Agent communications.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-APP-000516-UEM-100006
- Vuln IDs
-
- V-234245
- Rule IDs
-
- SV-234245r1213339_rule
Checks: C-37430r612041_chk
Verify the UEM Agent records the reference identifier of the UEM Server during the enrollment process. If the UEM Agent does not record the reference identifier of the UEM Server during the enrollment process, this is a finding.
Fix: F-37395r612042_fix
Configure the UEM Agent to record the reference identifier of the UEM Server during the enrollment process.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-APP-000516-UEM-100010
- Vuln IDs
-
- V-234246
- Rule IDs
-
- SV-234246r1213340_rule
Checks: C-37431r1212885_chk
Verify the UEM Agent performs the following functions: -Enroll in management -Configure whether users can unenroll from management -Configure periodicity of reachability events. If the UEM Agent does not perform the following functions: -Enroll in management -Configure whether users can unenroll from management -Configure periodicity of reachability event this is a finding.
Fix: F-37396r612045_fix
Configure the UEM Agent to perform the following functions: -Enroll in management -Configure whether users can unenroll from management -Configure periodicity of reachability events.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- SRG-APP-000516-UEM-100011
- Vuln IDs
-
- V-234247
- Rule IDs
-
- SV-234247r1213341_rule
Checks: C-37432r1212887_chk
Verify the UEM Agent performs one of the following actions upon an attempt to unenroll the mobile device from management: -prevent the unenrollment from occurring -wipe the device to factory default settings -wipe the work profile with all associated applications and data. If the UEM Agent does not perform one of the following actions upon an attempt to unenroll the mobile device from management: -prevent the unenrollment from occurring -wipe the device to factory default settings -wipe the work profile with all associated applications and data this is a finding.
Fix: F-37397r612048_fix
Configure the UEM Agent to perform one of the following actions upon an attempt to unenroll the mobile device from management: -prevent the unenrollment from occurring -wipe the device to factory default settings -wipe the work profile with all associated applications and data.
- RMF Control
- SC-13
- Severity
- H
- CCI
- CCI-002450
- Version
- SRG-APP-000555-UEM-100014
- Vuln IDs
-
- V-234248
- Rule IDs
-
- SV-234248r1213344_rule
Checks: C-37433r1213342_chk
Verify all UEM Agent cryptography supporting DoW functionality is FIPS 140-3 validated. If all UEM Agent cryptography supporting DoW functionality is not FIPS 140-3 validated, this is a finding.
Fix: F-37398r1213343_fix
Configure the UEM Agent cryptography supporting DoW functionality for FIPS 140-3 mode.