ClickShare ANSSI CSPN Certification Scope & BSI Mutual Recognition - FAQs

Overview

This article explains the scope and limitations of the ANSSI CSPN certification for ClickShare CX‑50 Gen2, helping users understand what is covered, what is not covered, and how the certification should be interpreted in real‑world deployments.

Executive summary

The ANSSI CSPN certification for ClickShare CX-50 Gen2 applies to a specific, evaluated configuration consisting of the CX-50 Gen2 Base Unit (firmware 02.20.02), the associated Clickshare Button (updated to match the Base Unit firmware upon pairing) and the ClickShare Desktop App (v04.37.5). The evaluation assumes a factory-reset starting state followed by defined setup steps (including Security Level 1) and specific services disabled (SNMP and Blackboarding). Only the components, software versions, and usage scenarios included in this evaluated configuration are covered by the certificate; other features and deployment options may be used but are not covered by the CSPN evaluation.

📬Subscribe to receive updates
Stay informed on certification status and important security-related updates by subscribing to our notification list — click here to subscribe.

FAQs

1. What does the ANSSI CSPN certification cover?

The CSPN evaluation applies to the ClickShare CX-50 Gen2 Base Unit, the associated ClickShare Button, and the ClickShare Desktop App v04.37.5, operating in the evaluated configuration.

2. Which product components and software versions are covered?

• ClickShare CX-50 Gen2 Base Unit with firmware version 02.20.02
• Clickshare Button (updated to match the Base Unit firmware upon pairing)   
• ClickShare Desktop App v04.37.5 (Windows Desktop App version included in the Target of Evaluation)

Where can I download the CSPN certified software?
🔗 CX-50 Gen-II CSPN Certified Software - click here to download.
🔗 ClickShare Desktop App CSPN Certified Software Windows MSI Installer - click here to download.

3. How to interpret “covered” vs “not covered”

The CSPN certificate confirms coverage only for the evaluated configuration. Enabling a feature or deployment option that was not part of the evaluated configuration does not invalidate the certificate for the product; it means that the additional feature or usage scenario is not covered by the CSPN security evaluation. It is up to the IT or AV administrator to decide how strictly the certified scope is enforced in their environment, based on organisational security, regulatory, or compliance requirements.

4. What is the evaluated configuration?

The evaluated configuration starts from a factory reset state and includes the specific configuration steps required for the evaluated setup.

• Start from a factory reset
• Complete the setup wizard and keep Security Level set to 1
• Disable SNMP (Wi‑Fi & Network → Services → SNMP)
• Disable Blackboarding (System → Blackboard)
• Manage the device via the ClickShare Configurator (WebUI)

4.1 Certified configuration checklist (quick reference)

Quick checklist: remain within the CSPN-evaluated coverage
Use the exact versions and keep the configuration aligned with the evaluated setup. If you enable features listed as “not covered”, those features are outside the CSPN evaluation (the product certification itself is not invalidated).

• Base Unit
• Firmware version 02.20.02
• Factory reset performed before configuration
• Security Level set to 1 during setup wizard
• SNMP disabled
• Blackboarding disabled
• Networking
• LAN enabled using DHCP
• No proxy configured
• Single-network mode only
• Client mode disabled
• Base Unit internal Wi‑Fi Access Point enabled
• Buttons connect directly to the Base Unit internal Wi‑Fi Access Point
• Sharing
• Native ClickShare sharing enabled (Button sharing)
• ClickShare Desktop App sharing enabled (Desktop App v04.37.5)
• AirPlay not covered (disabled in evaluated configuration)
• Google Cast not covered (disabled in evaluated configuration)
• Miracast not covered (disabled in evaluated configuration)
• PresentSense not covered (disabled in evaluated configuration)
• Security & access
• WebUI access over HTTPS (self-signed certificate)
• Default administrator/configurator authentication policy
• API access not covered (disabled in evaluated configuration)
• No Security Level customization applied
• Cloud & remote management
• XMS Cloud connectivity not covered (disabled in evaluated configuration)
• Remote management not covered (disabled in evaluated configuration)

5. Which sharing and presentation methods are covered?

The evaluated configuration covers only the native ClickShare sharing mechanism: ClickShare Button sharing and ClickShare Desktop App sharing with the Base Unit.

6. Which network setup is covered?

The evaluated configuration assumes a direct wireless connection between Button and Base Unit via the Base Unit’s internal Wi‑Fi Access Point, with LAN enabled using DHCP and no proxy configured.

Enterprise network integration, dual-network operation, proxy usage, and client mode operation are not covered because they require configuration changes beyond the evaluated setup.

7. What is covered by the ANSSI CSPN certification (at a high level)?

8. What is not covered by the ANSSI CSPN certification?

9. Does enabling API access invalidate the certification?

No. Enabling API access does not invalidate the ANSSI CSPN certification for the ClickShare CX-50 Gen2 product. However, API-based usage is not covered because API access is disabled in the evaluated configuration. If you enable and use the API, that usage scenario is outside the ANSSI CSPN evaluation. IT/AV administrators can decide whether to enforce the evaluated configuration strictly, depending on organizational requirements.

10. Is the ANSSI CSPN certification recognized in Germany (BSI / BSZ)?

BSI and ANSSI have an agreement for mutual recognition of certificates for the BSZ and CSPN schemes. In principle, CSPN certificates are recognized in Germany by the BSI; however, certificates may be exempted from recognition in specific cases (for example due to national regulation).

What this means for German customers
For organizations in Germany, the CSPN certificate can support procurement and risk assessment where fixed‑time cybersecurity certification is requested. In principle, CSPN certificates are recognized by BSI under the mutual recognition agreement, but recognition may be subject to exceptions. Customers with formal regulatory or procurement requirements should validate acceptance with the relevant German authority or procurement body.
🔗For detailed information, click here.

11. How long is the certificate valid and what happens during that period?

The certificate is valid for 3 years. During this validity period, the firmware will be regularly monitored for newly discovered vulnerabilities, and all reasonable efforts will be made to provide patches.

📬 Stay up to date on the certification status by subscribing to our dedicated email list here.

12. Are there functional differences compared to later, non-evaluated firmware versions?

The ANSSI CSPN certification is tied to the evaluated firmware version (02.20.02) and evaluated configuration. Other firmware versions may include additional features that are not covered by the CSPN evaluation.

Compared with firmware version 2.26.0.7 (released May 2026), the later version includes updates such as:

• Support for ClickShare Base Unit discovery via the ClickShare app on iOS and Android
• Multitouch support
• Removal of the Peripheral Firmware Upgrade page

Known limitation
Microphone mute synchronization will not work with USB peripherals due to enhanced Base Unit security isolating HID device.

13. Key takeaway for IT and AV administrators

If your organization needs to operate within the CSPN-evaluated coverage, deploy ClickShare CX‑50 Gen2 using the exact evaluated versions and configuration described in this article and avoid enabling features that are not covered by the evaluation. If you choose to enable additional features, the product remains certified, but those additional features and deployment options are outside the CSPN certificate coverage and should be assessed against your own security and compliance requirements.