This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Password" setting in the MDM console.
2. Verify a password policy has been configured.
3. Verify the password policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock.
3. Verify "Password" is selected and the screen lock cannot be disabled (the other options are grayed out).

If on the MDM console a password policy is not configured, or if on the LG Android device the password is not enabled or can be disabled, this is a finding.

Configure the mobile operating system to force successful entry of a password before data resident on the device is decrypted.

On the MDM Administration Console, configure a "Password" policy and assign it to all groups.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Password length" setting in the MDM console.
2. In the password policy, verify the password length is set to six characters or greater.

On the LG Android device:
1. Unlock the device.
2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock >> Password >> Set password.
3. Attempt to enter a password shorter than the required length and verify it is rejected.

If the configured value of the "Password length" setting is less than six characters, or if the LG Android device accepts a password of fewer than six characters, this is a finding.

Configure the mobile operating system to enforce a minimum password length of six characters or more.

On the MDM Administration Console, set the "Password length" value to six or greater.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum time to lock" setting in the password policy on the MDM console.
2. Verify the value of the setting is 15 minutes or less.

On the LG Android device:
1. Unlock the device.
2. Navigate to the lock timer setting: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Lock timer.
3. Verify "Lock timer" is set to 15 minutes or less.

If on the MDM console the "Maximum time to lock" setting is not set to 15 minutes or less, or if on the LG Android device the "Lock timer" is not set to 15 minutes or less, this is a finding.

Configure the mobile operating system to lock the device display after 15 minutes (or less) of inactivity.

On the MDM Administration Console, set the "Maximum time to lock" value to 15 minutes (or less).
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Max Repeating Characters" and "Max Sequential Numbers" settings in the Android Password Policy.
2. Verify the value of each setting is two or less.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock >> Password >> Set password.
3. Attempt to enter a password that contains more than two repeating characters or more than two sequential numbers.
4. Verify the password is not accepted.

If on the MDM console the configured value of the "Max Repeating Characters" or "Max Sequential Numbers" setting is greater than two, or if the LG Android device accepts a password that contains more than two repeating characters or sequential numbers, this is a finding.

Configure the mobile operating system to prevent passwords from containing more than two repeating or sequential characters.

On the MDM Administration Console, set the "Max Repeating Characters" and "Max Sequential Numbers" values to 2 or less.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display "Maximum failed password attempts" in the password policy.
2. Verify the value is 10 or less.

On the LG Android device:
Note: It is recommended that this procedure be performed only on a test device, because it ends in a factory reset.
1. Enter an incorrect password repeatedly until the device performs a factory reset.
2. Note the number of attempts needed before the device performs the factory reset.

If on the MDM console "Maximum failed password attempts" is not set to 10 or less, or if the LG Android device did not perform a factory reset before an eleventh consecutive incorrect password could be entered, this is a finding.

Configure the mobile operating system to allow only 10 or fewer consecutive failed authentication attempts.

On the MDM Administration Console, set the "Maximum failed password attempts" value to 10 or less.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Play Store" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to the Play Store on the device home screen.
3. Verify the Google Play Store application does not run.

If on the MDM console the "Allow Google Play Store" setting is enabled, or if the user is able to run the Google Play Store on the LG Android device, this is a finding.

Configure the mobile operating system to disable unauthorized application repositories.

On the MDM Administration Console, disable "Allow Google Play Store".
This validation procedure is performed on the MDM Administration Console.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application whitelist configuration (install)" setting.
2. Verify the "Application whitelist configuration (install)" setting is enabled.
3. Verify all applications on the whitelist have been approved by the Authorizing Official (AO).
4. Verify an application whitelist policy has been assigned to all groups.

Note: The list can be empty if no applications have been approved.

If the "Application whitelist configuration (install)" setting is disabled, or if applications listed in the MDM console "Application whitelist configuration (install)" are not approved by the AO, this is a finding.

Configure the mobile operating system to use an application whitelist.

On the MDM Administration Console, enable "Application whitelist configuration (install)" and populate it only with AO-approved applications.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Keyguard" setting in the MDM console.
2. Verify "All" or "Secure notifications" is selected in the "Keyguard Disabled" policy.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Add a calendar event for the current day on the device.
3. Lock the device.
4. Verify no notifications are displayed on the locked screen of the LG Android device.

If on the MDM console the "Keyguard Disabled" policy is not set to "All" or "Secure notifications", or if on the LG Android device a notification is displayed on the locked screen, this is a finding.

Configure the mobile operating system to not display notifications when the device is locked.

On the MDM Administration Console, select "All" or "Secure notifications" in the "Keyguard Disabled" policy.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow developer modes" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General >> About phone >> Software info >> Build number.
3. Tap "Build number" repeatedly (seven taps normally enables developer options) and verify a pop-up indicates that developer options are unavailable by server policy.

If on the MDM console the "Allow developer modes" setting is enabled, or if on the LG Android device developer mode can be enabled, this is a finding.

Configure the mobile operating system to disable developer modes.

On the MDM Administration Console, disable "Allow developer modes".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Encryption" setting in the MDM console.
2. Verify "Device Encryption" is selected.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General >> Security (or Fingerprints & security).
3. Verify "Encrypt phone" is enabled and cannot be disabled (grayed out).

If on the MDM console "Device Encryption" is not enabled, or if on the LG Android device "Encrypt phone" is not enabled or is not grayed out, this is a finding.

Configure the mobile operating system to enable data-at-rest protection for built-in storage media.

On the MDM Administration Console, enable "Device Encryption" for on-device storage.
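As an added example that is not part of this STIG and not an LG or MDM vendor tool, the following Python script evaluates the device side of the password, password length, lock timer, failed-attempt wipe, lock-screen notification, developer mode and device encryption requirements above from output an assessor can capture over ADB: `adb shell dumpsys device_policy`, `adb shell settings get global development_settings_enabled`, `adb shell settings get global adb_enabled` and `adb shell getprop ro.crypto.state`. The embedded output is constructed. The field names (passwordQuality, minimumPasswordLength, maximumTimeToUnlock, maximumFailedPasswordsForWipe, encryptionRequested, disabledKeyguardFeatures) are those printed by the Android 6 DevicePolicyManagerService dump and the bit values follow android.app.admin.DevicePolicyManager; both are assumptions to confirm against the build under test. The agent component com.example.mdm is a placeholder. The script supplements, and does not replace, the console-side checks that the policy is assigned to all groups.

```python
"""Evaluate captured ADB output from an LG Android 6 device against the
password, lock, wipe, keyguard, developer-mode and encryption requirements.
Sample data below is constructed; dumpsys field names assume Android 6."""
import re

# Constructed excerpt of `adb shell dumpsys device_policy` on an enrolled device.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}:
      uid=10089
      policies:
        limit-password
        watch-login
        wipe-data
        encrypted-storage
        disable-keyguard-features
      passwordQuality=0x50000
      minimumPasswordLength=6
      passwordHistoryLength=0
      maximumTimeToUnlock=900000
      maximumFailedPasswordsForWipe=10
      encryptionRequested=true
      disableCamera=false
      disabledKeyguardFeatures=4
"""

# Constructed results of `settings get global ...` and `getprop ro.crypto.state`.
SAMPLE_STATE = {
    "global/development_settings_enabled": "0",
    "global/adb_enabled": "0",
    "ro.crypto.state": "encrypted",
}

# android.app.admin.DevicePolicyManager constants (assumed; verify on target).
PASSWORD_QUALITY_NUMERIC = 0x20000          # anything below means no password required
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS = 0x4
KEYGUARD_DISABLE_FEATURES_ALL = 0x7FFFFFFF

# STIG thresholds from the requirements above.
MIN_LENGTH = 6
MAX_LOCK_MS = 15 * 60 * 1000
MAX_FAILED = 10


def parse_device_policy(dump: str) -> dict:
    """Return the indented key=value fields of the first enabled device admin."""
    fields = {}
    for line in dump.splitlines():
        m = re.match(r"\s+(\w+)=(\S+)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # first admin wins
    return fields


def to_int(value: str) -> int:
    """dumpsys prints passwordQuality in hex and the rest in decimal."""
    return int(value, 16) if value.startswith("0x") else int(value)


def evaluate(dump: str, state: dict) -> list:
    """Return finding strings; an empty list means the device side is compliant."""
    p = parse_device_policy(dump)
    findings = []
    if to_int(p.get("passwordQuality", "0")) < PASSWORD_QUALITY_NUMERIC:
        findings.append("password not required (passwordQuality below NUMERIC)")
    if to_int(p.get("minimumPasswordLength", "0")) < MIN_LENGTH:
        findings.append("minimumPasswordLength below %d" % MIN_LENGTH)
    lock_ms = to_int(p.get("maximumTimeToUnlock", "0"))
    if lock_ms == 0 or lock_ms > MAX_LOCK_MS:        # 0 means no limit is enforced
        findings.append("maximumTimeToUnlock unset or above 15 minutes")
    wipe = to_int(p.get("maximumFailedPasswordsForWipe", "0"))
    if wipe == 0 or wipe > MAX_FAILED:               # 0 means wipe-on-failure is off
        findings.append("maximumFailedPasswordsForWipe unset or above 10")
    kg = to_int(p.get("disabledKeyguardFeatures", "0"))
    if not (kg & KEYGUARD_DISABLE_SECURE_NOTIFICATIONS or kg == KEYGUARD_DISABLE_FEATURES_ALL):
        findings.append("lock-screen notifications not disabled by keyguard policy")
    if p.get("encryptionRequested") != "true" or state.get("ro.crypto.state") != "encrypted":
        findings.append("device encryption not required by policy or not active")
    if state.get("global/development_settings_enabled") != "0" or state.get("global/adb_enabled") != "0":
        findings.append("developer options or USB debugging enabled")
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_DUMPSYS, SAMPLE_STATE) or ["no device-side findings"]:
        print(f)
```

A zero value for maximumTimeToUnlock or maximumFailedPasswordsForWipe means the admin set no limit, which the script reports as a finding rather than treating the absence of a limit as compliant. Replace the embedded strings with the captured output from the device under test; the console-side checks (policy assigned to all groups, console values) still have to be done by inspection.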
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Encryption" setting in the MDM console.
2. Verify "Storage Card Encryption" is enabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General >> Security (or Fingerprints & security).
3. Verify "Encrypt SD card storage" is enabled and cannot be disabled (grayed out).

If on the MDM console "Storage Card Encryption" is not enabled, or if on the LG Android device "Encrypt SD card storage" is not enabled or is not grayed out, this is a finding.

Configure the mobile operating system to enable data-at-rest protection for removable media.

On the MDM Administration Console, enable "Storage Card Encryption" for removable media.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Enforce warning banner" setting in the MDM console.
2. Verify the warning banner has been set up and the wording is exactly as specified in the Vulnerability Discussion.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Reboot the device and verify the warning banner is displayed.
2. Verify the required text is displayed and that the user must check "I understand and agree to this" and then tap "Agree" before proceeding.

If on the MDM console the "Enforce warning banner" setting is not set or does not contain the required text, or if the LG Android device does not show the warning banner after every reboot, this is a finding.

Configure the mobile operating system to display the DoD-mandated warning banner text.

On the MDM Administration Console, set "Enforce warning banner" with the required text.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow USB" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Connect the device to a USB cable.
3. Open the notification bar and select the USB notification "Tap for more USB options".
4. Verify all USB connection types except "Charge only" are disabled and cannot be enabled (grayed out). With USB storage and USB media player unavailable, the USB port serves only to charge the device.

If on the MDM console the "Allow USB" setting is enabled, or if on the LG Android device any USB function other than charging is available, this is a finding.

Configure the mobile operating system to disable USB mass storage mode.

On the MDM Administration Console, disable "Allow USB".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow LG Backup" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General >> Backup & reset.
3. Select "LG Backup" and verify it is reported as unavailable by server policy.

If on the MDM console the "Allow LG Backup" setting is enabled, or if on the LG Android device "LG Backup" is available, this is a finding.

Configure the mobile operating system to disable backup to locally connected systems.

On the MDM Administration Console, disable the "Allow LG Backup" setting.

Note: This requirement may be applied together with LGA6-201016-01 so that the USB connection to a locally connected system such as a PC is disabled as well.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Backup" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General >> Backup & reset.
3. Verify "Back up my data" is disabled (grayed out).

If on the MDM console the "Allow Google Backup" setting is enabled, or if on the LG Android device "Back up my data" is not disabled (grayed out), this is a finding.

Note: To disable third-party cloud backup applications, use the application blacklist.

Configure the mobile operating system to disable backup to remote systems (including commercial clouds).

On the MDM Administration Console, disable the "Allow Google Backup" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google crash report" setting in the MDM console.
2. Verify the Google crash report is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General, then follow the case that applies:
   a. If "Developer mode" has already been disabled on the MDM console: verify "Developer options" does not appear on the screen. Also navigate to Settings >> General >> About phone >> Software info, tap "Build number" several times and verify the device does not enable developer mode.
   b. If "Developer mode" has not been disabled on the MDM console: enable USB debugging, go to Developer options >> Take bug report, choose "Report", and verify the Google crash report cannot be used.

If on the MDM console the "Allow Google crash report" setting is enabled, or if on the LG Android device the Google crash report is available, this is a finding.

Configure the mobile operating system to disable automatic transfer of diagnostic data to any external system other than the MDM service with which the device is enrolled.

On the MDM Administration Console, disable the "Allow Google crash report" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow fingerprint" setting in the MDM console.
2. Verify fingerprint for screen lock is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device (this procedure is NA for devices without fingerprint support):
1. Navigate to Settings >> Security (or Fingerprints & security) >> Fingerprints.
2. Verify the "Screen Lock" option is disabled (grayed out) and cannot be enabled.

If on the MDM console fingerprint for screen lock is enabled, or if on the LG Android device a user is able to enable the fingerprint screen lock feature, this is a finding.

Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data.

On the MDM Administration Console, disable the "Allow fingerprint" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the list of configured VPN profiles in the "VPN profiles" rule.
2. Verify the list includes the organization VPN profile.

On the LG Android device:
1. Open Settings >> Networks >> VPN.
2. Select "LG VPN".
3. Verify the list includes the organization VPN profile.

If on the MDM console the organization VPN profile has not been set up, or if on the LG Android device the organization profile is not listed under "LG VPN", this is a finding.

Configure the mobile operating system to enable VPN protection.

On the MDM Administration Console, configure the organization VPN profile in the "VPN profiles" rule.
This validation procedure is performed on the MDM Administration Console.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application blacklist configuration (launch)" setting in the "Android Application" rule.
2. Verify the list contains all pre-installed applications which have not been approved by the Authorizing Official (AO).
3. Ask the MDM administrator to display the "Application whitelist configuration (install)" setting in the "Android Application" rule.
4. Verify no application with any of the following prohibited features is included on the whitelist:
   - backs up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services);
   - transmits MD diagnostic data to non-DoD servers;
   - voice assistant application, if available when the MD is locked;
   - voice dialing application, if available when the MD is locked;
   - allows synchronization of data or applications between devices associated with the user;
   - payment processing; and
   - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers.
5. Verify the policy has been assigned to all groups.

Note: Refer to the Supplemental document for additional information.

If on the MDM console the "Application blacklist configuration (launch)" does not contain all unapproved pre-installed applications, or the "Application whitelist configuration (install)" contains applications with unauthorized features, this is a finding.

Configure the MDM console application whitelist (install) to exclude applications with the following characteristics:
- backs up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmits MD diagnostic data to non-DoD servers;
- voice assistant application, if available when the MD is locked;
- voice dialing application, if available when the MD is locked;
- allows synchronization of data or applications between devices associated with the user;
- payment processing; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers.

Configure the MDM console application blacklist (launch) to include all pre-installed applications which have not been approved by the AO.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Bluetooth Data Transfer" setting in the MDM console.
2. Verify Bluetooth data transfer is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> Networks.
3. Verify the following text appears under "Bluetooth": "Only headset is available by server policy".

If on the MDM console the "Allow Bluetooth Data Transfer" setting is not disabled, or if on the LG Android device the text "Only headset is available by server policy" does not appear under "Bluetooth" in "Networks", this is a finding.

Configure the mobile operating system to disable Bluetooth data transfer.

On the MDM Administration Console, disable the "Allow Bluetooth Data Transfer" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow VPN Split Tunneling" setting in the MDM console.
2. Verify the VPN split tunneling setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to the VPN split tunneling setting: Settings >> Networks >> VPN >> LG VPN >> Add LG VPN network >> Show advanced options.
3. Verify the "Disable Split Tunneling" option is checked and cannot be changed (grayed out).

If on the MDM console the "Allow VPN Split Tunneling" setting is enabled, or if on the LG Android device the "Disable Split Tunneling" option is not checked or can be changed, this is a finding.

Configure the mobile operating system to disable VPN split tunneling (if the MD provides a configurable control).

On the MDM Administration Console, disable the "Allow VPN Split Tunneling" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the list of unapproved core and pre-installed applications in the "Application blacklist configuration (launch)" setting in the MDM console.
2. Verify the FOTA client application (package name: com.lge.lgdmsclient) is on the blacklist.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Open the device settings.
3. Navigate to Settings >> General >> About phone >> Software update (AT&T) or System Updates (Verizon).
4. Verify that when the user taps "Software Update" the following message is displayed: "Cannot open this app by server policy."

If on the MDM console the "Application blacklist configuration (launch)" does not list the FOTA client, or if on the LG Android device "Software Update" can be launched, this is a finding.

Configure the mobile operating system to disable automatic updates of system software.

On the MDM Administration Console, add the FOTA client application (package name: com.lge.lgdmsclient) to the "Application blacklist configuration (launch)" setting to disable automatic updates of system software.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the list of server authentication certificates in the "Certificate Configuration" rule.
2. Verify the CA certificates are present.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Navigate to Settings >> General >> Security (or Fingerprints & security) >> Certificate management >> Trusted credentials.
2. Select the "User" tab.
3. Verify the CA certificates are present:
   a. under "Personal" for Activation Type COPE#2;
   b. in the list for Activation Type COPE#1.

If on the MDM console the CA certificates are not present in the "Certificate Configuration" rule, or if on the device the CA certificates are not listed under the "User" tab, this is a finding.

Configure the mobile operating system to install CA certificates on the device.

On the MDM Administration Console, add the CA certificates to the "Certificate Configuration" rule.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow unknown sources" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Unlock the device.
2. Navigate to Settings >> General >> Security (or Fingerprints & security) >> Unknown sources.
3. Verify the "Unknown sources" setting is disabled (grayed out).

If on the MDM console the "Allow unknown sources" setting is enabled, or if on the LG Android device the "Unknown sources" setting can be enabled, this is a finding.

Configure the mobile operating system to disable unauthorized application repositories.

On the MDM Administration Console, disable the "Allow unknown sources" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Bluetooth tethering" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Open the device settings.
2. Select Settings >> Networks >> Tethering.
3. Verify the "Bluetooth tethering" setting is set to "Off" and disabled (off and grayed out).

If on the MDM console "Allow Bluetooth tethering" is not disabled, or if on the LG Android device "Bluetooth tethering" is not set to "Off" and disabled, this is a finding.

Configure the mobile operating system to disable wireless remote access connections.

On the MDM Administration Console, disable "Allow Bluetooth tethering".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Smart Lock" setting in the MDM console.
2. Verify Smart Lock is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Navigate to Settings >> Security (or Fingerprints & security) >> Trust agents.
2. Verify Smart Lock is disabled (grayed out) and cannot be enabled.

If on the MDM console Smart Lock for lock screen authentication is enabled, or if on the LG Android device a user is able to enable the Smart Lock settings, this is a finding.

Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data.

On the MDM Administration Console, disable the "Allow Smart Lock" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow USB tethering" setting in the MDM console.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device, open the device settings, then:
For AT&T devices:
- Select Settings >> Networks >> Tethering.
- Verify the "USB tethering" setting is set to "Off" and disabled (grayed out).
For Verizon devices:
- Open the status bar and then tap "Use USB connection for".
- Verify the "Tethering" option is set to "Off" and disabled (grayed out).

If on the MDM console "Allow USB tethering" is not disabled, or if on the LG Android device the USB tethering option is not set to "Off" and disabled, this is a finding.

Configure the mobile operating system to disable wireless remote access connections.

On the MDM Administration Console, disable "Allow USB tethering".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "USB host storage" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Connect a USB OTG flash drive to the device.
2. Open the file manager.
3. Verify USB storage is not available.

If on the MDM console the "USB host storage" setting is enabled, or if on the LG Android device USB storage is available when a USB OTG flash drive is connected, this is a finding.

Configure the mobile operating system to disable USB host storage.

On the MDM Administration Console, disable the "USB host storage" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Voice Command" setting in the "Android Restrictions" rule.
2. Verify "Allow Voice Command" is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Select "Applications".
2. Select the "Voice Command" app.
3. Verify the "Voice Command" app cannot be launched and the message "Voice apps are unavailable by server policy." is displayed.

If on the MDM console the "Allow Voice Command" setting is enabled, or if on the LG Android device the voice application is not disabled, this is a finding.

Configure the mobile operating system to disable Voice Command.

On the MDM Administration Console, disable "Allow Voice Command".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow NFC" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Open Settings >> Networks >> Share & connect.
2. Verify "NFC" is disabled (grayed out).

If on the MDM console the "Allow NFC" setting is enabled, or if on the LG Android device NFC is not disabled (grayed out), this is a finding.

Configure the mobile operating system to disable NFC.

On the MDM Administration Console, disable "Allow NFC".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow DLNA" setting.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Select Settings >> Networks >> Share & connect.
2. Try to launch "Media server".
3. Verify "Media server" is disabled and the following message is displayed: "DLNA discovery is unavailable by server policy."

If on the MDM console the "Allow DLNA" setting is enabled, or if on the LG Android device "Media server" is not disabled, this is a finding.

Configure the mobile operating system to disable DLNA.

On the MDM Administration Console, disable "Allow DLNA".
This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Removal of device administrator rights" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
3. Verify the policy has been assigned to all groups.

On the LG Android device:
1. Navigate to Settings >> General >> Security (or Fingerprints & security).
2. Select "Phone administrators".
3. Verify the enterprise MDM agent is on and cannot be turned off (grayed out). (Note: The name of the agent app depends on the MDM vendor used.)

If on the MDM console the "Allow Removal of device administrator rights" setting is enabled, or if on the LG Android device the MDM agent can be disabled, this is a finding.

Configure the mobile operating system to prevent removal of device administrator rights.

On the MDM Administration Console, disable the "Allow Removal of device administrator rights" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Disable System Time Changes" check box in the "Android Restrictions" rule. 2. Verify the check box is selected. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Navigate to Settings >> General >> Date & time. 2. Verify the "Auto-date & time" checkbox is checked and cannot be changed (grayed out). If on the MDM console "Disable System Time Changes" is not enabled or on the LG Android device "Auto-date & time" is not enabled or can be changed, this is a finding.
Configure the mobile operating system to disable system time changes, to synchronize the internal clock with network-provided time. On the MDM Console, select the "Disable System Time Changes" checkbox in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. 3. Verify the policy has been assigned to all groups. If on the MDM console the "CC Mode" setting is disabled, this is a finding.
Configure the mobile operating system to enable CC mode. On the MDM Administration Console, enable CC mode.
This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Application blacklist configuration (launch)" setting in the "Android Application" rule. 2. Verify the list contains all non-approved pre-installed applications. 3. Verify the policy has been assigned to all groups. See the Supplemental document for more information. If on the MDM console the "Application blacklist configuration (launch)" configuration does not contain all non-approved pre-installed applications, this is a finding.
Configure the mobile operating system to disable pre-installed applications that have not been approved by the Authorizing Official (AO). On the MDM Administration Console, add all non-approved pre-installed applications to the "Application blacklist configuration (launch)" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the list of unapproved core and pre-installed applications in the "Application Blacklist Configuration (launch)" setting in the MDM console. 2. Verify the list contains LG Browser and Chrome. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Attempt to launch the native Android browser (LG Browser) and the Chrome browser on the device. 2. Verify the browsers will not run and the following message is displayed: "Application is disabled by server policy." If on the MDM console the "Application Blacklist Configuration (launch)" setting does not include the Android/LG Browser and the Chrome browser, or on the LG Android device the native Android browser or the Chrome browser can be launched, this is a finding.
Configure the mobile device to disable non-FIPS-validated browsers. On the MDM Administration Console, add "Browser" and "Chrome" browser to the application list in the "Application Blacklist Configuration (launch)" setting. Note: This requirement is Not Applicable for the COPE#2 Activation Type.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow AutoSync" setting in the MDM console. 2. Verify the setting "Allow AutoSync" is disabled. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Unlock the device. 2. Navigate to Settings >> General >> Accounts (or Account & Sync). 3. Verify the message "AutoSync is disabled" is displayed. If on the MDM console the "Allow AutoSync" setting is enabled or on the LG Android device the message "AutoSync is disabled" is not displayed, this is a finding.
Configure the mobile device to disable Google auto sync. On the MDM Administration Console, disable the "Allow AutoSync" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow Android Beam" setting in the MDM console. 2. Verify the Android Beam setting is disabled. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Unlock the device. 2. Navigate to Settings >> General >> Share & connect. 3. Verify Android Beam is disabled and the following message is displayed: "Android Beam is disabled by server policy". If on the MDM console the "Allow Android Beam" setting is enabled, or on the LG Android device Android Beam is not disabled and the message "Android Beam is disabled by server policy" is not displayed, this is a finding.
Configure the mobile device to disable Android Beam. On the MDM Administration Console, disable the "Allow Android Beam" setting.
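The device-wide checks above (Android Beam, system time changes, and the launch blacklist for non-approved pre-installed applications such as the browsers) map onto the public Android DevicePolicyManager API. The following is an added example, not code from the STIG or from any MDM vendor: it assumes a hypothetical device-owner app whose DeviceAdminReceiver is passed in as `admin`, and it uses only standard Android calls rather than the LG vendor API the MDM console drives. NFC radio, DLNA, Download mode, CC Mode and AutoSync are left to the console's vendor API and are not covered here. The blocked-package list is constructed: the Chrome package name is real, the OEM browser entry is a placeholder.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;
import android.provider.Settings;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical device-owner helper (added example, not the MDM agent's code). */
public final class DeviceRestrictions {
    private final DevicePolicyManager dpm;
    private final UserManager um;
    private final ComponentName admin;   // this DPC's DeviceAdminReceiver (assumed to be device owner)

    // Constructed sample list of non-approved pre-installed apps.
    // "com.android.chrome" is Chrome's real package; the second entry is a placeholder.
    private static final String[] BLOCKED_PACKAGES = {
        "com.android.chrome",
        "com.example.oem.browser"
    };

    public DeviceRestrictions(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
        this.admin = admin;
    }

    /** Apply the settings; returns the names of any that did not take effect. */
    public List<String> apply() {
        List<String> failures = new ArrayList<>();

        // "Allow Android Beam" disabled: block outgoing Beam transfers for this user
        dpm.addUserRestriction(admin, UserManager.DISALLOW_OUTGOING_BEAM);

        // "Disable System Time Changes": require network-provided time and, where the
        // platform supports it, lock the Date & time screen so the user cannot change it
        dpm.setGlobalSetting(admin, Settings.Global.AUTO_TIME, "1");
        dpm.setAutoTimeRequired(admin, true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            dpm.addUserRestriction(admin, UserManager.DISALLOW_CONFIG_DATE_TIME);
        }

        // "Application blacklist configuration (launch)": hide each non-approved
        // pre-installed app. setApplicationHidden returns false if the package is
        // not present, so the placeholder entry is reported as a failure here.
        for (String pkg : BLOCKED_PACKAGES) {
            if (!dpm.setApplicationHidden(admin, pkg, true)) {
                failures.add("hide:" + pkg);
            }
        }
        return failures;
    }

    /** Device-side self-check mirroring the STIG's "verify on the device" steps. */
    public boolean verify() {
        if (!um.hasUserRestriction(UserManager.DISALLOW_OUTGOING_BEAM)) return false;
        if (!dpm.getAutoTimeRequired()) return false;
        for (String pkg : BLOCKED_PACKAGES) {
            if (!dpm.isApplicationHidden(admin, pkg)) return false;
        }
        return true;
    }
}
```

The `verify()` method is the programmatic counterpart of the manual device checks: a hidden package cannot be launched, and a user restriction reported by UserManager is the state behind the grayed-out settings the STIG asks the reviewer to look for.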
This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow Download mode" setting in the MDM console. 2. Verify the setting for the Download mode is disabled. 3. Verify the policy has been assigned to all groups. If on the MDM console "Allow download mode" setting is enabled, this is a finding.
Configure the mobile device to disable download mode. On the MDM Administration Console, disable the "Allow download mode" setting.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow addition of Google Accounts (for Work Profile)" settings. 2. Verify the setting is disabled. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Navigate to Settings >> Accounts. 2. Verify in the Work Profile there is no "Add account" setting available. If on the MDM console "Allow addition of Google Accounts (for Work Profile)" is not disabled or on the LG Android device the "Add account" setting is available in the Work Profile, this is a finding.
Configure the mobile operating system to disable addition of a Google account. On the MDM Administration Console, disable the "Allow addition of Google Accounts (for Work Profile)" setting.
This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following: 1. Ask the MDM administrator to display the Whitelisted Android Apps (for Work Profile). 2. Verify the list of apps has been approved by the AO. 3. Verify the policy has been assigned to all groups. If on the MDM console the Whitelisted Android apps (for Work Profile) contain non-AO approved apps, this is a finding.
Configure the mobile operating system to list only approved apps in the Whitelisted Android Apps (for Work Profile). On the MDM Administration Console, add the approved system applications to the list of Whitelisted Android Apps (for Work Profile).
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the Whitelisted Android Apps (for Work Profile). 2. Verify apps designated by the AO as mandatory have been set to "uninstall not allowed" on the whitelist. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Go to the "Apps" menu or "Home" screen. 2. Select 1-2 apps designated by the AO as mandatory. 3. Verify that the user cannot uninstall the apps. If on the MDM console mandatory Work Profile apps are not set to "uninstall not allowed" in the Whitelisted Android Apps (for Work Profile) or on the LG Android device the user can uninstall mandatory apps, this is a finding.
Configure the mobile operating system to block uninstallation of mandatory applications. On the MDM Administration Console, set the mandatory Work Profile apps in the Whitelisted Android Apps (for Work Profile) to "uninstall not allowed".
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the list of server authentication certificates in the "Certificate Configuration" rule for the Work Profile. 2. Verify the CA certificates are present. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Navigate to Settings >> General >> Security (or Fingerprints & security) >> Certificate management >> Trusted credentials. 2. Select the "User" tab. 3. Verify the presence of the CA certificates under "Work" for Activation Type COPE#2. If on the MDM console the CA certificates are not present in the MDM Console certificate configuration or on the device the CA certificates are not listed under the "User" tab, this is a finding.
Configure the mobile operating system to install CA certificates on the device. On the MDM Console, add the CA certificates to the "Certificate Configuration" rule for the Work Profile.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow content sharing from work profile to personal space (Work Profile only)" settings. 2. Verify that the setting is not checked. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Launch the badged "Contacts" app. 2. Choose one of the contacts to share. 3. Select the menu. 4. Choose "Share". 5. Verify that the message "No application to perform this action" is displayed. If on the MDM console "Allow content sharing from work profile to personal space (Work Profile only)" is enabled or on the LG Android device a contact in the Work Profile can be shared, this is a finding.
Configure the mobile operating system to disable cross-profile sharing. On the MDM Administration Console, set the "Allow Cross-Profile Sharing (for Work Profile)" to disable.
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow copy and paste from work profile to personal space (Work Profile only)" settings. 2. Verify that the setting is not checked. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Copy text from a Work Profile app (for example a Contact phone number). 2. Verify the text cannot be pasted into a Personal space app (for example the browser search box). If on the MDM console "Allow copy and paste from work profile to personal space (Work Profile only)" is enabled or on the LG Android device text from a Work Profile app can be pasted into a Personal space app, this is a finding.
Configure the mobile operating system to disable cross-profile sharing. On the MDM Administration Console, set the "Allow Cross-Profile Sharing (for Work Profile)" to disable.
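The Work Profile checks (Google account addition, the app whitelist, "uninstall not allowed" for mandatory apps, CA certificate installation, cross-profile sharing and cross-profile copy and paste) correspond to profile-owner calls in the public Android DevicePolicyManager API. The following is an added example, not code from the STIG or from any MDM vendor: it assumes a hypothetical DPC running as profile owner inside the Work Profile, with its DeviceAdminReceiver passed in as `admin`, and a DER-encoded CA certificate supplied by the caller (the console's vendor API is what actually delivers these settings on LG devices). The package names are constructed placeholders; the real lists come from the AO-approved whitelist.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical profile-owner helper for the Work Profile (added example, not the MDM agent's code). */
public final class WorkProfilePolicy {
    private final DevicePolicyManager dpm;
    private final UserManager um;
    private final ComponentName admin;   // this DPC's DeviceAdminReceiver (assumed to be profile owner)

    // Constructed placeholder lists; real values are the AO-approved packages.
    private static final String[] APPROVED_SYSTEM_APPS = { "com.example.approved.mail" };
    private static final String[] MANDATORY_APPS       = { "com.example.approved.mail" };

    public WorkProfilePolicy(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
        this.admin = admin;
    }

    /** Apply the Work Profile settings; returns the names of any that did not take effect. */
    public List<String> apply(byte[] caCertDer) {
        List<String> failures = new ArrayList<>();

        // "Allow addition of Google Accounts" disabled: block management of Google accounts
        // in this profile, which removes the "Add account" option for that account type
        dpm.setAccountManagementDisabled(admin, "com.google", true);

        // Whitelisted Android Apps: system apps are disabled in a new work profile until the
        // profile owner enables them, so only the AO-approved packages are enabled here.
        // enableSystemApp throws if the package is unknown, which is recorded as a failure.
        for (String pkg : APPROVED_SYSTEM_APPS) {
            try {
                dpm.enableSystemApp(admin, pkg);
            } catch (IllegalArgumentException e) {
                failures.add("enable:" + pkg);
            }
        }

        // "uninstall not allowed" for mandatory apps
        for (String pkg : MANDATORY_APPS) {
            dpm.setUninstallBlocked(admin, pkg, true);
            if (!dpm.isUninstallBlocked(admin, pkg)) {
                failures.add("uninstall-block:" + pkg);
            }
        }

        // Certificate Configuration: install the enterprise CA into the profile's user trust store
        if (caCertDer != null && !dpm.installCaCert(admin, caCertDer)) {
            failures.add("ca-cert");
        }

        // Cross-profile sharing disabled: remove any intent forwarding out of the profile, so a
        // "Share" from a badged app finds no personal-side target ("No application to perform this action")
        dpm.clearCrossProfileIntentFilters(admin);

        // Cross-profile copy and paste disabled
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
        if (!um.hasUserRestriction(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE)) {
            failures.add("copy-paste");
        }
        return failures;
    }

    /** Device-side self-check for the CA certificate step of the STIG procedure. */
    public boolean caCertPresent(byte[] caCertDer) {
        return caCertDer != null && dpm.hasCaCertInstalled(admin, caCertDer);
    }
}
```

Two design points are worth noting. Account management is disabled for the Google account type specifically rather than with the broader `DISALLOW_MODIFY_ACCOUNTS` restriction, because the STIG requirement is scoped to Google accounts. Cross-profile sharing is controlled by the absence of cross-profile intent filters: a work-to-personal share only succeeds when the profile owner has explicitly forwarded that intent, so clearing the filters restores the default-deny state the device check expects.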