
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Unified Endpoint Management Agent Security Requirements Guide

Version: V2R1
Release Date: Oct 3, 2025
SCAP Benchmark ID: UEM_Agent_SRG
Total Checks: 14
Tags: other
Severity breakdown: CAT I: 1, CAT II: 13, CAT III: 0

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (14)

  • V-234235 (MEDIUM): The UEM Agent must provide an alert via the trusted channel to the UEM Server in the event of any of the following audit events:
      - successful application of policies to a mobile device
      - receiving or generating periodic reachability events
      - change in enrollment state
      - failure to install an application from the UEM Server
      - failure to update an application from the UEM Server
  • V-234236 (MEDIUM): The UEM Agent must generate a UEM Agent audit record of the following auditable events:
      - startup and shutdown of the UEM Agent
      - UEM policy updated
      - any modification commanded by the UEM Server
  • V-234237 (MEDIUM): The UEM Agent must be configured to enable the following function: read audit logs of the managed endpoint device.
  • V-234238 (MEDIUM): The UEM Agent must record within each UEM Agent audit record the following information:
      - date and time of the event
      - type of event
      - subject identity
      - (if relevant) the outcome (success or failure) of the event
  • V-234239 (MEDIUM): The UEM Agent must not install policies if the policy-signing certificate is deemed invalid.
  • V-234240 (MEDIUM): The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys.
  • V-234241 (MEDIUM): The UEM Agent must queue alerts if the trusted channel is not available.
  • V-234242 (MEDIUM): The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to a UEM server or third-party audit management server.
  • V-234243 (MEDIUM): The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.
  • V-234244 (MEDIUM): The UEM Agent must perform the following functions: import the certificates to be used for authentication of UEM Agent communications.
  • V-234245 (MEDIUM): The UEM Agent must record the reference identifier of the UEM Server during the enrollment process.
  • V-234246 (MEDIUM): The UEM Agent must perform the following functions:
      - enroll in management
      - configure whether users can unenroll from management
      - configure periodicity of reachability events
  • V-234247 (MEDIUM): The UEM Agent must be configured to perform one of the following actions upon an attempt to unenroll the mobile device from management:
      - prevent the unenrollment from occurring
      - wipe the device to factory default settings
      - wipe the work profile with all associated applications and data
  • V-234248 (HIGH): All UEM Agent cryptography supporting DOD functionality must be FIPS 140-2/140-3 validated.