The servers that comprise an AirWatch deployment can be configured with the necessary cryptographic modules to make AirWatch FIPS-140 compliant.
The 140 series of the Federal Information Processing Standards (FIPS-140) provides a list of approved cryptographic algorithms and certifies specific implementations of those algorithms in cryptographic modules. AirWatch uses encryption and hashing for three purposes:
- Storing hashes of passwords associated with AirWatch user accounts (SHA-512)
- Encryption of documents for the AirWatch Secure Content Locker on mobile devices (AES-256)
- Transmission of encrypted data between AirWatch and mobile devices (TLSv1)
AirWatch is built on the Microsoft .NET platform and runs on Windows Server (2003, 2008, or 2008 R2) and Microsoft SQL Server (2005, 2008, or 2008 R2). Windows Server and SQL Server can be configured to use only FIPS-140 approved cryptographic modules through a security policy setting on the server. When all servers that are part of an AirWatch deployment (e.g. AirWatch console server, database server, and device services server) are configured with this flag, AirWatch is fully FIPS-140-2 compliant since it uses only the validated Microsoft Cryptography API (CAPI) and Windows Cryptographic Service Providers (CSPs). The relevant FIPS certificate number depends on the version of Windows Server being used to host AirWatch. All of the following are supported:
|Windows Server version|FIPS certificate number|
|---|---|
|Windows Server 2003|#382|
|Windows Server 2003 SP1|#382|
|Windows Server 2003 SP2|#868|
|Windows Server 2003 SP2 (w/ service patch)|#1012|
|Windows Server 2008|#1010|
|Windows Server 2008 R2|#1337|
|Windows Server 2008 R2 SP1|#1337|
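Because compliance depends on every server in the deployment carrying the flag, it is worth auditing the setting rather than assuming it. The following PowerShell sketch is an added example, not AirWatch or Microsoft code: the host names are hypothetical, it assumes the Remote Registry service is reachable with administrative rights, and it reads the registry locations where Windows stores the "System cryptography: Use FIPS compliant algorithms" policy (a subkey on Server 2008 and later, a single value on Server 2003).

```powershell
# Added example. Host names are hypothetical placeholders for the console,
# database and device services servers of a deployment.
$servers = 'aw-console01', 'aw-db01', 'aw-devicesvc01'

function Get-FipsPolicyState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $result = New-Object psobject -Property @{
        Server = $ComputerName; FipsEnabled = $null; Source = $null
    }
    $lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'
    $hklm = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)

        # Windows Server 2008 / 2008 R2: subkey holding a DWORD named "Enabled".
        $value = $null
        $key = $hklm.OpenSubKey("$lsaPath\FipsAlgorithmPolicy")
        if ($key) {
            $value = $key.GetValue('Enabled')
            $result.Source = 'Lsa\FipsAlgorithmPolicy\Enabled'
            $key.Close()
        }
        if ($null -eq $value) {
            # Windows Server 2003: DWORD value directly under the Lsa key.
            $lsa = $hklm.OpenSubKey($lsaPath)
            if ($lsa) {
                $value = $lsa.GetValue('FIPSAlgorithmPolicy')
                $result.Source = 'Lsa\FIPSAlgorithmPolicy'
                $lsa.Close()
            }
        }
        if ($null -eq $value) { $result.Source = 'not set' }
        # Absent or 0 means the policy is off; 1 means FIPS mode is enforced.
        $result.FipsEnabled = ($value -eq 1)
    } catch {
        # Leave FipsEnabled as $null so an unreadable host is never counted as OK.
        $result.Source = "error: $($_.Exception.Message)"
    } finally {
        if ($hklm) { $hklm.Close() }
    }
    return $result
}

$report = $servers | ForEach-Object { Get-FipsPolicyState -ComputerName $_ }
$report | Format-Table Server, FipsEnabled, Source -AutoSize

# The condition described above holds only if every server has the flag set.
if ($report | Where-Object { $_.FipsEnabled -ne $true }) {
    Write-Warning 'At least one server does not have the FIPS policy enabled.'
}
```

A server that cannot be queried is reported with `FipsEnabled` empty and triggers the warning, so an unreachable host fails the audit instead of passing silently.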
Please refer to the following resources for more information:
AirWatch leverages native device encryption and offers deep integration with solutions such as Samsung SAFE (Samsung Approved For Enterprise) devices, which offer additional APIs for security and have received FIPS-140 approval.