Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Samsung Android (with Knox 1.x) STIG

  • Version/Release: V2R1
  • Published: 2014-04-22
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

Developed by Samsung Electronics Co., Ltd. in coordination with DISA for the DoD.
b
The administrator/MDM must disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile) and SPP (Serial Port Profile).
CM-6 - Medium - CCI-000366 - V-48247 - SV-61119r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-29-015700
Vuln IDs
  • V-48247
Rule IDs
  • SV-61119r1_rule
Unsecure Bluetooth profiles may allow either unauthenticated connections to mobile devices or transfer of sensitive DoD data without required DoD information assurance (IA) controls. Only the HSP, HFP, and SPP profiles are required to meet current DoD Bluetooth needs and DoD data and voice IA controls. SFR ID: FMT_SMF.1.1 #42
Checks: C-50679r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Bluetooth Profiles" settings in the "Android Restrictions" rule. 2. Verify the only profiles allowed are HSP, HFP and SPP. On the Samsung Knox Android device: 1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard). 2. Verify the Bluetooth peripheral does not pair with the Samsung Knox Android device. If the Bluetooth profiles other than HSP, HFP, and SPP are configured to be allowed, or if the device is able to pair with a Bluetooth keyboard, this is a finding.

Fix: F-51855r1_fix

Configure the operating system to only allow HSP, HFP, and SPP Bluetooth profiles. On the MDM Administration Console, configure the "Bluetooth Profiles" setting to only allow HSP, HFP, SPP in the "Android Restrictions" rule.

b
Samsung Knox Android must protect data-at-rest on built-in storage media.
SC-28 - Medium - CCI-001199 - V-48249 - SV-61121r1_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-001199
Version
KNOX-20-004400
Vuln IDs
  • V-48249
Rule IDs
  • SV-61121r1_rule
The operating system must ensure the data being written to the mobile device's storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage devices directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. SFR ID: FDP_DAR_EXT.1.1
Checks: C-50681r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Storage Encryption" checkbox in the "Android Restrictions" rule. (**) 2. Verify the "Storage Encryption" checkbox is checked. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Security". 3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed. 4. Select "Encrypt external SD card". 5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen. NOTE: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen. If the specified encryption settings are not set to the appropriate values, this is a finding. (**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.

Fix: F-51857r2_fix

Configure the mobile device to enable data-at-rest protection for built-in storage media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, check the "Storage Encryption" checkbox in the "Android Restrictions" rule.

b
The administrator/MDM must enable CC mode.
CM-6 - Medium - CCI-000366 - V-48251 - SV-61123r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-29-015600
Vuln IDs
  • V-48251
Rule IDs
  • SV-61123r1_rule
CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised and the MD is more at risk of being compromised if lost or stolen. CC mode implements the following controls: - enables the OpenSSL FIPS crypto library - sets the password failure settings to wipe the device to 5 (5 failed consecutive attempts will wipe the device), unless the value has been set to the DoD value (10) - disables ODIN mode (download mode) SFR ID: FMT_SMF.1.1 #42
Checks: C-50683r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.

Fix: F-51859r1_fix

Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK and enable CC mode from this application. This APK will be made available by Samsung.

b
The container must be enabled by the administrator/MDM.
CM-6 - Medium - CCI-000366 - V-48253 - SV-61125r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-29-015400
Vuln IDs
  • V-48253
Rule IDs
  • SV-61125r1_rule
The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly higher risk of compromise because they are not protected by encryption, isolation, etc. SFR ID: FMT_SMF.1.1 #42
Checks: C-50685r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android Knox Container" rule. 2. Verify the existence of this rule, and the rule has been pushed to the device. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung Knox Android device: 1. From the device home screen, pull down the notification bar. 2. Verify the existence of the KNOX icon. 3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM Administrator cannot configure the "Android Knox Container" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in MDM agent rule list (MDM vendor specific check), this is a finding.

Fix: F-51861r1_fix

On the MDM Administration Console, create the "Android Knox Container" rule and push this rule to the device.

b
The mobile device operating system must have access to DoD root and intermediate PKI certificates when performing DoD PKI-related transactions.
CM-6 - Medium - CCI-000366 - V-48255 - SV-61127r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-22-013200
Vuln IDs
  • V-48255
Rule IDs
  • SV-61127r1_rule
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_SMF.1.1 #13
Checks: C-50687r5_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNET) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNET). Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule. 2. Verify the DoD root and intermediate PKI certificates are present. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Security". 3. Select "Trusted Credentials". 4. Review Certificate Authorities listed under the "System" and "User" tabs. 5. Verify the presence of the DoD root and intermediate certificates. If the DoD root and intermediate certificates are not present in the MDM Console whitelist or on the device, this is a finding.

Fix: F-51863r4_fix

Install DoD root and intermediate certificates on the device. On the MDM Console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the "Android Certificate Configuration" rule. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNET) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNET).

a
The administrator/MDM must set the maximum number of consecutive failed container authentication attempts to 10 or less.
AC-7 - Low - CCI-000043 - V-48257 - SV-61129r1_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-000043
Version
KNOX-29-015200
Vuln IDs
  • V-48257
Rule IDs
  • SV-61129r1_rule
Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators and the MDM software should have the authority to set consecutive failed authentication attempt policies. SFR ID: FMT_SMF.1.1 #02
Checks: C-50689r2_chk

This validation procedure is performed on the MDM Administration Console only. Check whether the device lock screen setting is configured on the MDM server. 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Knox Container Password Restrictions" rule. 2. Verify the value of the setting is 10 or less. If there is no value configured for the "Maximum Failed Attempts" field, or if it is greater than 10, this is a finding.

Fix: F-51865r2_fix

Configure the mobile operating system to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Only DoD PKI issued or DoD approved server authentication certificates must be installed on DoD Samsung Knox Android devices.
CM-6 - Medium - CCI-000366 - V-48261 - SV-61133r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-22-013300
Vuln IDs
  • V-48261
Rule IDs
  • SV-61133r1_rule
If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing authentication credentials, which could then in turn be used to compromise DoD information and networks. Restricting device authentication certificates to an authorized list mitigates the risk of attaching to rogue devices and networks. SFR ID: FMT_SMF.1.1 #14
Checks: C-50693r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule. 2. Verify only DoD PKI issued or DoD approved server authentication certificates are present (Note: these may include those approved by the local command). On the Samsung Knox Android device: 1. Open device settings. 2. Select "Security". 3. Select "Trusted credentials". 4. Select the "User" tab. 5. Verify no certificates are listed, or that any that are listed have been authorized. If there are unapproved device authentication certificates present on the MDM whitelist or on the "User" tab, this is a finding.

Fix: F-51869r1_fix

Remove non-approved server authentication certificates from the device. On the MDM Console, modify the certificate whitelist so that it only includes DoD PKI issued or DoD approved server authentication certificates in the "Android Certificate Configuration" rule.

b
Samsung Knox Android must allow only the administrator/MDM to set the screen lock timeout for the container password.
CM-6 - Medium - CCI-000366 - V-48263 - SV-61135r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-29-015000
Vuln IDs
  • V-48263
Rule IDs
  • SV-61135r1_rule
Users must not be able to override the system policy on the screen lock timeout because this could allow them to effectively disable the timeout (e.g., by setting the timeout to 0 minutes) or to set the timeout for such a long duration as to make it nearly ineffective. Either of these would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. Therefore, only administrators and the MDM software should have the authority to set screen lock timeout policies. SFR ID: FMT_MOF.1.1(2) #02
Checks: C-50695r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51871r1_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
The Samsung Knox Android Bluetooth module must not permit any data transfer between devices prior to Bluetooth mutual authentication.
CM-6 - Medium - CCI-000366 - V-48265 - SV-61137r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-23-012700
Vuln IDs
  • V-48265
Rule IDs
  • SV-61137r1_rule
Bluetooth mutual authentication provides assurance that both the mobile device and Bluetooth peripheral are legitimate. If the authentication does not occur immediately before permitting a network connection, there is the potential for a man-in-the-middle attack in which a third device intercepts the traffic between the two legitimate devices. Mutual authentication prevents this from occurring. SFR ID: FIA_BLT_EXT.1.1
Checks: C-50697r4_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Note: There is no Samsung Knox Android feature that enables an administrator to comply with the stated requirement through direct configuration. The compliance approach is to restrict permitted Bluetooth peripherals to those that have been certified to comply with this requirement. When only such devices are used, Samsung Knox Android will not transfer data prior to Bluetooth mutual authentication. Only the BAI smart card reader and headset are currently certified to meet DoD Bluetooth peripheral requirements. Check the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" rule. 2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59"). On the Samsung Knox Android device: 1. Open device settings and select "Bluetooth". 2. Review existing Bluetooth devices and verify only whitelisted devices are paired and/or are able to pair. If there are any unauthorized Bluetooth devices on the whitelist, this is a finding.

Fix: F-51873r2_fix

Configure the operating system's Bluetooth stack to prohibit data transfer between devices prior to Bluetooth mutual authentication. On the MDM Console, enter the manufacturer ID of the Bluetooth MAC address (first 6 characters) of each device that should be allowed to pair on the whitelist of the "Android Restrictions" rule. Note: To whitelist the Biometric Associates, LP Bluetooth smart card reader and headset, enter: "401D59".

a
The administrator/MDM must enforce a minimum password length of 6 characters for the container password.
IA-5 - Low - CCI-000205 - V-48267 - SV-61139r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000205
Version
KNOX-29-014900
Vuln IDs
  • V-48267
Rule IDs
  • SV-61139r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF.1.1 #01
Checks: C-50699r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android Knox Container Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung Knox Android device: 1. Open the Knox Container. 2. Select "Knox Settings" 3. Select "Change password". 4. Enter current password. 5. Attempt to enter a password with fewer characters than the required length. 6. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length or if Samsung Knox Android accepts a container password with fewer characters than the required length, this is a finding.

Fix: F-51875r1_fix

Configure the mobile device to enforce a minimum password length of 6 characters. On the MDM Console, set the "Min Length" value to 6 or greater in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must authenticate devices before establishing remote network (e.g., VPN) connections using bidirectional cryptographically based authentication between devices.
IA-3 - Medium - CCI-000779 - V-48269 - SV-61141r1_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000779
Version
KNOX-23-012800
Vuln IDs
  • V-48269
Rule IDs
  • SV-61141r1_rule
Without strong mutual authentication a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional cryptographically based authentication method mitigates this risk. SFR ID: FMT_SMF.1.1 #42
Checks: C-50701r1_chk

This validation procedure is performed on the MDM Administrative Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable Insecure VPN Connections" checkbox in the "Android Restrictions" rule. 2. Verify the checkbox is selected. If the "Disable Insecure VPN Connections" checkbox is not selected, this is a finding.

Fix: F-51877r1_fix

Configure the operating system to authenticate devices before establishing remote connections. On the MDM Console, check the "Disable Insecure VPN Connections" checkbox in the "Android Restrictions" rule.

a
Samsung Knox Android must allow only the administrator/MDM to enforce a minimum password length for the container password.
CM-6 - Low - CCI-000366 - V-48271 - SV-61143r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-29-014800
Vuln IDs
  • V-48271
Rule IDs
  • SV-61143r1_rule
Users must not be able to override the system policy on minimum password length because this could allow them to set passwords that are easily guessable or crackable. Only administrators and the MDM software should have the authority to set minimum password length policies. SFR ID: FMT_MOF.1.1(2) #01
Checks: C-50703r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51879r2_fix

Implement the MDM to centrally manage configuration settings.

a
Samsung Knox Android must be able to filter both inbound and outbound traffic based on IP address and UDP/TCP port.
CM-6 - Low - CCI-000366 - V-48273 - SV-61145r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-23-012900
Vuln IDs
  • V-48273
Rule IDs
  • SV-61145r1_rule
Open ports provide an attack surface that an adversary can then potentially use to breach system security. If an adversary can communicate with the mobile device from any IP address, then the device may be open to any other device on the Internet. Reducing the attack surface through IP address and port restrictions mitigates this risk. SFR ID: FMT_SMF.1.1 #42
Checks: C-50705r3_chk

Note: This validation procedure is not applicable where the command responsible for the mobile device does not have a host-based firewall policy for such devices. There is no DoD-wide rule set for mobile operating systems. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the address/port restrictions configured in the "Android Firewall" rule. 2. Print or copy these so that they are available for the validation procedure to be performed on each sampled device. On the Samsung Knox Android device: 1. Open the device Internet Browser. 2. Attempt to navigate to a blocked IP address or port. 3. Verify the attempt fails. If it is feasible to access a blocked IP address or port, this is a finding.

Fix: F-51881r1_fix

Configure the mobile operating system to filter both inbound and outbound traffic based on IP address and UDP/TCP port. On the MDM Console, enter the allowed and denied IP addresses and ports in the "Android Firewall" rule.

b
Samsung Knox Android must prevent a user from using a browser in the container that does not direct its traffic to a DoD proxy server.
CM-6 - Medium - CCI-000366 - V-48275 - SV-61147r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-29-013500
Vuln IDs
  • V-48275
Rule IDs
  • SV-61147r1_rule
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources. SFR ID: FMT_SMF.1.1 #42
Checks: C-50707r3_chk

This validation procedure is performed on the MDM Administration Console only. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Web Proxy" field in the "Android Knox Container Restrictions" rule. 2. Verify this field contains both an IP address and port of a DoD proxy or content filtering server using the format [IP Address]:[port number]. Note: If the format is not correct, the setting may not be enforced. If a proxy or web content filtering server is not configured on the MDM console using the format [IP Address]:[port number], or the device successfully accesses any known blocked website, this is a finding.

Fix: F-51883r2_fix

Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server. On the MDM Administration Console, enter both the IP address and port of the DoD proxy in the "Web Proxy" field in the "Android Knox Container Restrictions" rule. The format must be [IP Address]:[port number]. Note: This setting only applies to the stock browser, but third party browsers would have to be whitelisted prior to operation.

a
Samsung Knox Android must synchronize the internal clock on an organization-defined periodic basis with an authoritative time server or the Global Positioning System.
AU-8 - Low - CCI-000160 - V-48277 - SV-61149r1_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-000160
Version
KNOX-28-012600
Vuln IDs
  • V-48277
Rule IDs
  • SV-61149r1_rule
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed in order to correctly correlate the timing of events that occur across the enterprise. The two authoritative time sources for mobile operating systems are an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet) or the Global Positioning System (GPS). Time stamps generated by the audit system in mobile operating systems shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SFR ID: FPT_STM.1.1
Checks: C-50709r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable Manual Date Time Changes" checkbox in the "Android Restrictions" rule. 2. Verify the checkbox is selected. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Date and time". 3. Verify the "Automatic date and time" checkbox is checked. 4. Verify a user cannot deselect the "Automatic date and time" checkbox. If either the "Disable Manual Date Time Changes" checkbox is not checked on the MDM administration console; or the "Automatic date and time" checkbox is not checked on the device; or if it is possible to deselect this option on the device, this is a finding.

Fix: F-51885r1_fix

Configure the mobile operating system to synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System. On the MDM Console, check the "Disable Manual Date Time Changes" checkbox in the "Android Restrictions" rule.

b
The Samsung Knox Android VPN client must use either IPSec or SSL/TLS when connecting to DoD networks.
CM-6 - Medium - CCI-000366 - V-48279 - SV-61151r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-23-013000
Vuln IDs
  • V-48279
Rule IDs
  • SV-61151r1_rule
Use of non-standard communications protocols can affect both the availability and confidentiality of communications. IPSec and SSL/TLS are both well-known and tested protocols that provide strong assurance with respect to both IA and interoperability. SFR ID: FMT_SMF.1.1 #42
Checks: C-50711r1_chk

This validation procedure is performed on the MDM Administrative Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the administrator to display the "Disable Insecure VPN Connections" checkbox in the "Android Restrictions" rule. 2. Verify the checkbox is selected. If the "Disable Insecure VPN Connections" checkbox is not selected, this is a finding.

Fix: F-51887r1_fix

Configure the mobile operating system's VPN client to use IPSec or SSL/TLS when connecting to a DoD network. On the MDM Console, check the "Disable Insecure VPN Connections" checkbox in the "Android Restrictions" rule.

a
Before establishing a user session, Samsung Knox Android must display an administrator/MDM-specified advisory notice and consent warning banner regarding use of Samsung Knox Android.
AC-8 - Low - CCI-000048 - V-48281 - SV-61153r1_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
KNOX-26-012300
Vuln IDs
  • V-48281
Rule IDs
  • SV-61153r1_rule
The operating system is required to display the DoD approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. System use notification messages can be displayed when individuals log in to the information system. The approved DoD text must be used as specified in the DoD CIO memorandum dated 9 May 2008. SFR ID: FTA_TAB.1.1
Checks: C-50713r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable DoD Banner" checkbox in the "Android Restrictions" rule. 2. Verify the "Enable DoD Banner" checkbox is checked. On the Samsung Knox Android device: 1. Reboot the device. 2. Enter the correct device unlock password. 3. Verify the DoD banner is displayed. If the specified setting is not set to the appropriate value, or if the DoD banner is not displayed, this is a finding.

Fix: F-51889r1_fix

Configure the mobile operating system to enable DoD banner display. On the MDM Administration Console, check the "Enable DoD Banner" checkbox in the "Android Restrictions" rule.

b
The Samsung Knox Android Bluetooth stack must use 128-bit Bluetooth encryption when performing data communications with other Bluetooth devices.
CM-6 - Medium - CCI-000366 - V-48283 - SV-61155r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-23-013100
Vuln IDs
  • V-48283
Rule IDs
  • SV-61155r1_rule
If data traffic is sent unencrypted, an adversary may be able to read it to obtain sensitive information. 128-bit Bluetooth encryption for data communications mitigates the risk of unauthorized eavesdropping. DoD has determined that FIPS 140-2 validated encryption is not required for voice communications. SFR ID: FMT_SMF.1.1 #42
Checks: C-50715r3_chk

This validation procedure is performed on both the MDM Console and the Samsung Knox Android device: Note: There is no Samsung Knox Android feature that enables an administrator to comply with the stated requirement through direct configuration. The compliance approach is to restrict permitted Bluetooth peripherals to those that have been certified to comply with this requirement. When only such devices are used, Samsung Knox Android will use 128-bit Bluetooth encryption. Only the BAI smart card reader and headset are currently certified to meet DoD Bluetooth peripheral requirements. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" group. 2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59"). On the Samsung Knox Android device: 1. Open device settings and select "Bluetooth". 2. Review existing Bluetooth devices and verify only whitelisted devices are paired. If there are any unauthorized devices on the whitelist, this is a finding.

Fix: F-51891r2_fix

Limit Bluetooth devices to those known to employ 128-bit Bluetooth encryption. On the MDM Console, enter the manufacturer ID of the Bluetooth MAC Address (first 6 characters) of each device that should be allowed to pair on the whitelist of the "Android Restrictions" rule. Note: To whitelist the Biometric Associates, LP Bluetooth Smart card reader and headset: 401D59

a
The administrator/MDM must configure the mobile operating system to display the DoD-standard consent banner.
AC-8 - Low - CCI-000049 - V-48285 - SV-61157r1_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000049
Version
KNOX-26-009700
Vuln IDs
  • V-48285
Rule IDs
  • SV-61157r1_rule
The operating system is required to display the DoD approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. System use notification messages can be displayed when individuals log in to the information system. The approved DoD text must be used as specified in DTM-8-060 (dated 9 May 2008; revised 25 September 2013). The messages to choose from are: [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system); meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. [B. For Blackberries and other PDAs/PEDs with severe character limitations:] "I've read & consent to terms in IS user agreem't." SFR ID: FMT_SMF.1.1 #41
Checks: C-50717r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable DoD Banner" checkbox in the "Android Restrictions" rule. 2. Verify the "Enable DoD Banner" checkbox is checked. On the Samsung Knox Android device: 1. Reboot the device. 2. Verify the device displays the DoD banner. 3. Verify the DoD banner is set to one of the authorized messages. If the specified setting is not set to the appropriate value, or the device does not display the DoD banner on reboot, this is a finding. (**) On some MDM vendor consoles, the login banner automatically is displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.

Fix: F-51893r2_fix

Configure the mobile device to display the appropriate warning banner text. On the MDM Administration Console, check the "Enable DoD Banner" checkbox in the "Android Restrictions" rule. (**) On some MDM vendor consoles, the login banner automatically is displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.

a
The administrator/MDM must disable mock locations.
CM-6 - Low - CCI-000366 - V-48287 - SV-61159r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-25-015900
Vuln IDs
  • V-48287
Rule IDs
  • SV-61159r1_rule
Developers often use mock locations in the development of apps that leverage location-based services. Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability. In particular, malicious applications can use the mock locations feature in the Android OS to override the device GPS location and provide a fake location to the user or network provider. SFR ID: FMT_SMF.1.1 #21
Checks: C-50721r3_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow mock locations" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Developer options". (**) 3. Attempt to enable "Allow mock locations". 4. Verify "Allow mock locations" cannot be enabled. If the "Allow mock locations" setting in the MDM console is enabled, or if the user is able to enable "Allow mock locations" on the device, this is a finding. (**) "Developer options" is initially hidden to users. To unhide this menu item: 1. Open the device settings. 2. Select "About phone". 3. Rapidly tap on "Build number" multiple times until the device displays that "Developer options" has been turned on.

Fix: F-51897r2_fix

Configure the mobile operating system to disable mock locations. On the MDM Administration Console, disable the "Allow mock locations" setting in the "Android Restrictions" rule.

b
Samsung Knox Android must prevent a user from using a browser outside the container that does not direct its traffic to a DoD proxy server.
CM-6 - Medium - CCI-000366 - V-48289 - SV-61161r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-23-013400
Vuln IDs
  • V-48289
Rule IDs
  • SV-61161r1_rule
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources. SFR ID: FMT_SMF.1.1 #42
Checks: C-50719r3_chk

This validation procedure is performed on the MDM Administration Console only. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Web Proxy" field in the "Android Restrictions" rule. 2. Verify this field contains both an IP address and port of a DoD proxy or content filtering server using the format [IP Address]:[port number]. Note: If the format is not correct, the setting may not be enforced. If a proxy or web content filtering server is not configured on the MDM console using the format [IP Address]:[port number], this is a finding.

Fix: F-51895r2_fix

Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server. On the MDM Administration Console, enter the both IP address and port of the DoD proxy in the "Web Proxy" field in the "Android Knox Restrictions" rule. The format must be [IP Address]:[port number]. Note: This setting only applies to the stock browser, but third party browsers would have to be whitelisted prior to operation.

b
Samsung Knox Android must authenticate tethered connections to the device.
CM-6 - Medium - CCI-000366 - V-48291 - SV-61163r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-23-013700
Vuln IDs
  • V-48291
Rule IDs
  • SV-61163r1_rule
Authentication may occur either by reentry of the device unlock passcode at the time of connection, through another passcode with the same or stronger complexity, or through PKI certificates. Authentication mitigates the risk that an adversary who obtains physical possession of the device is not able to use the tethered connection to access sensitive data on the device or otherwise tamper with its operating system or applications. SFR ID: FMT_SMF.1.1 #42
Checks: C-50723r3_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Note: KNOX-25-15800 also verifies that USB Debugging has been disabled. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Debugging", "Disable Vendor USB Protocol", and "Disable USB Media Player" checkboxes in the "Android Restrictions" rule. 2. Verify all of the checkboxes are selected. Note: This combination of settings will force the user to unlock the phone in order to perform any functions leveraging a tethered connection. On the Samsung Knox Android device: 1. With the device locked, connect the device to another device via a USB cable. 2. Verify the MOS file system is not accessible. 3. Unlock the device and open the device settings. 4. Select "Developer Options". 5. Ensure the "USB debugging" checkbox is not checked and cannot be checked by the user. If any one of the "Disable USB debugging", "Disable Vendor USB Protocol", or "Disable USB Media Player" checkboxes is not selected in the MDM Management Console; or if the file system is accessible via a USB connection when the device is locked; or the user can select the "USB debugging" checkbox within Samsung Knox, this is a finding.

Fix: F-51899r1_fix

Configure the operating system to require authentication of tethered connections. On the MDM Administration Console, check the "Disable USB Debugging", "Disable Vendor USB Protocol", and "Disable USB Media Player" checkboxes in the "Android Restrictions" rule.

b
The administrator/MDM must disable USB debugging.
CM-6 - Medium - CCI-000366 - V-48293 - SV-61165r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-015800
Vuln IDs
  • V-48293
Rule IDs
  • SV-61165r1_rule
USB debugging mode provides access to developer mode features. Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability. Because of the security risks of developer modes, users must not be able to enable them. SFR ID: FMT_SMF.1.1 #21
Checks: C-50725r3_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Note: KNOX-23-13700 also verifies that USB Debugging has been disabled. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Debugging" settings in the "Android Restrictions" rule. 2. Verify this setting is enabled. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Developer options". (**) 3. Attempt to enable "USB Debugging". 4. Verify "USB Debugging" is disabled and cannot be enabled. If the "Disable USB Debugging" setting in the MDM console is not enabled, or if the user is able to enable "USB Debugging" on the device, this is a finding. (**) "Developer options" is initially hidden to users. To unhide this menu item: 1. Open the device settings. 2. Select "About phone". 3. Rapidly tap on "Build number" multiple times until the device displays that "Developer options" has been turned on.

Fix: F-51901r1_fix

Configure the operating system to disable USB debugging. On the MDM Administration Console, enable the "Disable USB Debugging" setting in the "Android Restrictions" rule.

a
Samsung Knox Android must wipe all protected data from the device after 10 consecutive unsuccessful attempts to unlock the device.
AC-7 - Low - CCI-001383 - V-48297 - SV-61169r1_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-001383
Version
KNOX-24-004800
Vuln IDs
  • V-48297
Rule IDs
  • SV-61169r1_rule
Any time an authentication method is exposed to allow for the utilization of an operating system, there is a risk that attempts will be made to obtain unauthorized access. Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen, or misplaced, attempts can be made to unlock the device by guessing the password. Once unlocked, an adversary may be able to obtain sensitive data on the device. The odds of guessing the passwords are greatly reduced if the operating system intervenes after a small number of consecutive unsuccessful login attempts occur. Wiping all protected data at that time renders the data permanently inaccessible. SFR ID: FIA_AFL_EXT.1.2
Checks: C-50729r2_chk

This validation procedure is performed on both the MDM Administration Console only. Check whether the device lock screen setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule. 2. Verify the value of the setting is 10 or less. If there is no value configured for the "Maximum Failed Attempts" field, or if it is greater than 10, this is a finding.

Fix: F-51905r2_fix

Configure the OS to wipe all protected data from the device after too many consecutive unsuccessful login attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to 10 in the "Android Password Restrictions" rule.

a
Samsung Knox Android must allow only the administrator/MDM to enforce a minimum password length.
CM-6 - Low - CCI-000366 - V-48299 - SV-61171r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-24-007000
Vuln IDs
  • V-48299
Rule IDs
  • SV-61171r1_rule
Users must not be able to override the system policy on minimum password length because this could allow them to set passwords that are easily guessable or crackable. Only administrators and the MDM software should have the authority to set minimum password length policies. SFR ID: FMT_MOF.1.1(2) #01
Checks: C-50731r6_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51907r3_fix

Implement the MDM to centrally manage configuration settings.

a
Samsung Knox Android must allow only the administrator/MDM to enforce a minimum password complexity.
CM-6 - Low - CCI-000366 - V-48301 - SV-61173r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-24-007100
Vuln IDs
  • V-48301
Rule IDs
  • SV-61173r1_rule
Users must not be able to override the system policy on minimum password complexity because this could allow them to set passwords that are easily guessable or crackable. Only administrators and the MDM software should have the authority to set minimum password complexity policies. SFR ID: FMT_MOF.1.1(2) #01
Checks: C-50733r4_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51909r2_fix

Implement the MDM to centrally manage configuration settings.

b
Samsung Knox Android must allow only the administrator/MDM to disable the screen lock function.
CM-6 - Medium - CCI-000366 - V-48305 - SV-61177r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-24-007300
Vuln IDs
  • V-48305
Rule IDs
  • SV-61177r1_rule
Users must not be able to override the system policy on the screen lock function because this could allow them to disable the function, preventing automatic screen locking from occurring. This would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Devices without automatic locking are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. Therefore, only administrators and the MDM software should have the authority to disable the screen lock function. SFR ID: FMT_MOF.1.1(2) #02
Checks: C-50737r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51913r2_fix

Implement the MDM to centrally manage configuration settings.

b
Samsung Knox Android must allow only the administrator/MDM to set the screen lock timeout.
CM-6 - Medium - CCI-000366 - V-48307 - SV-61179r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-24-007400
Vuln IDs
  • V-48307
Rule IDs
  • SV-61179r1_rule
Users must not be able to override the system policy on the screen lock timeout because this could allow them to effectively disable the timeout (e.g., by setting the timeout to 0 minutes) or to set the timeout for such a long duration as to make it nearly ineffective. Either of these would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. Therefore, only administrators and the MDM software should have the authority to set screen lock timeout policies. SFR ID: FMT_MOF.1.1(2) #02
Checks: C-50739r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51915r2_fix

Implement the MDM to centrally manage configuration settings.

a
Samsung Knox Android must allow only the administrator/MDM to set the maximum number of consecutive failed authentication attempts.
CM-6 - Low - CCI-000366 - V-48309 - SV-61181r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-24-007500
Vuln IDs
  • V-48309
Rule IDs
  • SV-61181r1_rule
Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators and the MDM software should have the authority to set consecutive failed authentication attempt policies. SFR ID: FMT_MOF.1.1(2) #02
Checks: C-50741r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51917r2_fix

Implement the MDM to centrally manage configuration settings.

a
The administrator/MDM must enforce a minimum device unlock password length of 6 characters.
IA-5 - Low - CCI-000205 - V-48311 - SV-61183r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000205
Version
KNOX-24-008700
Vuln IDs
  • V-48311
Rule IDs
  • SV-61183r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can make each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too short of minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF.1.1 #01
Checks: C-50743r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Lock screen". 3. Select "Screen lock". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password with fewer characters than the required length. 7. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length or if device accepts a password of less than the required length, this is a finding. (**) When device encryption is enabled, Samsung Knox Android automatically enforces a minimum length 6.

Fix: F-51919r1_fix

Configure the mobile device to enforce a minimum password length of 6 characters. On the MDM Administration Console, set the "Min Length" value to 6 or greater in the "Android Password Restrictions" rule. (**) When device encryption is enabled, Samsung Knox Android automatically enforces a minimum length 6.

b
Samsung Knox Android must employ mobile device management services to centrally manage security relevant configuration and policy settings.
CM-6 - Medium - CCI-000366 - V-48313 - SV-61185r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-013600
Vuln IDs
  • V-48313
Rule IDs
  • SV-61185r1_rule
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. SFR ID: FMT_SMF.1.1 #15
Checks: C-50745r1_chk

This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list and verify the presence of an MDM agent. 2. Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51921r1_fix

Implement MDM to centrally manage configuration settings.

a
The administrator/MDM must set the maximum number of consecutive failed authentication attempts for the device unlock password to 10 or less.
AC-7 - Low - CCI-000043 - V-48317 - SV-61189r1_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-000043
Version
KNOX-24-008900
Vuln IDs
  • V-48317
Rule IDs
  • SV-61189r1_rule
Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators and the MDM software should have the authority to set consecutive failed authentication attempt policies. SFR ID: FMT_SMF.1.1 #02
Checks: C-50749r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password. 2. Verify the value of the setting is 10 or less. This configuration is not available on the Samsung Knox Android device.

Fix: F-51925r1_fix

Configure the mobile device to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to 10 or less in the "Android Password Restrictions" rule for the device unlock password.

b
Samsung Knox Android must lock the device screen after a time period of inactivity.
AC-11 - Medium - CCI-000057 - V-48319 - SV-61191r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
KNOX-24-012100
Vuln IDs
  • V-48319
Rule IDs
  • SV-61191r1_rule
Having a session lock after an idle time helps protect the device from unauthorized access. The idle time is a window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Devices that do not initiate a session lock after a period of time are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. SFR ID: FTA_SSL_EXT.1.1(1)
Checks: C-50751r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Password Restrictions" rule. 2. Verify the value of the setting is 15 minutes or less. On the Samsung Knox Android device: 1. Unlock the device. 2. Refrain from performing any activity on the device for 15 minutes. 3. Verify the device requires the user to enter the device unlock password to access the device. If the user does not have to unlock the device after 15 minutes of inactivity, this is a finding.

Fix: F-51927r2_fix

Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity. On the MDM Administration Console, configure the "Max Time to Lock" option to 15 minutes in the "Android Password Restrictions" rule.

b
The administrator/MDM must disable USB mass storage mode.
CM-6 - Medium - CCI-000366 - V-48321 - SV-61193r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-009800
Vuln IDs
  • V-48321
Rule IDs
  • SV-61193r1_rule
This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data. SFR ID: FMT_SMF.1.1 #42
Checks: C-50753r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" checkbox in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" checkbox is checked. On the Samsung Knox Android device: 1. Attempt to connect the device to a PC USB connection. If the specified setting is not set to the appropriate value, or if the device is shown in the PC finder, this is a finding.

Fix: F-51929r1_fix

Configure the mobile device to disable data transfer capabilities for USB mass storage mode. Configure the mobile operating system to disable USB mass storage. On the MDM Administration Console, check the "Disable USB Media Player" checkbox in the "Android Restrictions" rule.

b
The administrator/MDM must configure an application whitelist, listing authorized applications and versions.
CM-6 - Medium - CCI-000366 - V-48333 - SV-61205r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-009100
Vuln IDs
  • V-48333
Rule IDs
  • SV-61205r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF.1.1 #10
Checks: C-50765r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of whitelisted applications in the "Android Applications" rule. On the Samsung Knox Android device: 1. Attempt to install an application that is not in the application whitelist. If the device allows the user to successfully install the application, this is a finding.

Fix: F-51941r2_fix

Configure the mobile device to use an application whitelist. On the MDM Administration Console, configure the list of whitelisted applications in the "Android Applications" rule.

b
Samsung Knox Android must allow only the administrator/MDM to configure application installation policy by specifying authorized application repositories.
CM-6 - Medium - CCI-000366 - V-48335 - SV-61207r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-007800
Vuln IDs
  • V-48335
Rule IDs
  • SV-61207r1_rule
Users must not be able to override the system policy on specifying authorized application repositories because this could allow them to list unauthorized sites as part of the "authorized" list. This could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_MOF.1.1(2) #04
Checks: C-50767r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51943r2_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
The administrator/MDM must configure the application installation policy by specifying authorized application repositories (Disable Google Play).
CM-6 - Medium - CCI-000366 - V-48337 - SV-61209r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-009000
Vuln IDs
  • V-48337
Rule IDs
  • SV-61209r1_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #10
Checks: C-50769r3_chk

Configuring an application installation policy on Samsung Knox Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in an MDM (which designates the repository). This validation procedure covers the first of these steps. It is performed on both the MDM Administration Console and the Samsung Knox Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Google Play" setting in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox Android device: 1. Attempt to locate the "Google Play" application. 2. Verify it is not present on the device. If the "Enable Google Play" is not disabled, or if a user can successfully launch Google Play on the device, this is a finding.

Fix: F-51945r2_fix

Configure the OS to disable Google Play. On the MDM Administration Console, disable "Enable Google Play" in the "Android Restrictions" rule.

b
Samsung Knox Android must allow only the administrator/MDM to configure application installation policy by specifying a set of allowed applications and versions (an application whitelist).
CM-6 - Medium - CCI-000366 - V-48339 - SV-61211r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-007900
Vuln IDs
  • V-48339
Rule IDs
  • SV-61211r1_rule
Users must not be able to override the system policy on specifying an application whitelist because this could allow them to list unauthorized applications as part of the whitelist. This could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_MOF.1.1(2) #04
Checks: C-50771r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51947r4_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must allow only the administrator/MDM to enable/disable wireless remote access connections (except for personal hotspot service), and tethered connections.
CM-6 - Medium - CCI-000366 - V-48341 - SV-61213r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-008000
Vuln IDs
  • V-48341
Rule IDs
  • SV-61213r1_rule
Users must not be able to override the system policy on wireless remote access connections because this could allow them to establish unauthorized remote access connections. The mobile device itself could provide services to other systems, which is not an acceptable use of the mobile device. Unauthorized remote access connections would expose the mobile device to additional risk, thereby increasing the likelihood of compromise of its confidentiality and integrity. SFR ID: FMT_MOF.1.1(2) #08
Checks: C-50773r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51949r3_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must allow only the administrator/MDM to enable/disable developer modes.
CM-6 - Medium - CCI-000366 - V-48343 - SV-61215r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-008100
Vuln IDs
  • V-48343
Rule IDs
  • SV-61215r1_rule
Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability. Because of the security risks of developer modes, users must not be able to enable them. SFR ID: FMT_MOF.1.1(2) #11
Checks: C-50775r4_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51951r3_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must allow only the administrator/MDM to enable/disable data-at-rest protection.
CM-6 - Medium - CCI-000366 - V-48345 - SV-61217r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-008200
Vuln IDs
  • V-48345
Rule IDs
  • SV-61217r1_rule
Users must not be able to override the system policy on data-at-rest protection. The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. There are also considerable security and operational risks in allowing users to enable data-at-rest protection because they are unlikely to configure it according to DoD requirements, thus creating weaknesses that can be exploited to gain unauthorized access to data. Therefore, only administrators and the MDM software should be able to set the data-at-rest protection policy. SFR ID: FMT_MOF.1.1(2) #12
Checks: C-50777r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51953r2_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must allow only the administrator/MDM to enable/disable data-at-rest protection for removable media.
CM-6 - Medium - CCI-000366 - V-48347 - SV-61219r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-008300
Vuln IDs
  • V-48347
Rule IDs
  • SV-61219r1_rule
Users must not be able to override the system policy on data-at-rest protection for removable media. The operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. There are also considerable security and operational risks in allowing users to enable data-at-rest protection because they are unlikely to configure it according to DoD requirements, thus creating weaknesses that can be exploited to gain unauthorized access to data. Therefore, only administrators and the MDM software should be able to set the data-at-rest protection policy for removable media. SFR ID: FMT_MOF.1.1(2) #13
Checks: C-50779r3_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51955r2_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must allow only the administrator/MDM to enable/disable USB mass storage mode.
CM-6 - Medium - CCI-000366 - V-48349 - SV-61221r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-008600
Vuln IDs
  • V-48349
Rule IDs
  • SV-61221r1_rule
Users must not be able to override the system policy on enabling/disabling USB mass storage mode. Enabling USB mass storage mode could allow sensitive DoD data to be copied to USB storage devices, thus compromising the confidentiality of the data. SFR ID: FMT_MOF.1.1(2) #31
Checks: C-50781r4_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-51957r2_fix

Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.

b
Samsung Knox Android must protect data-at-rest on removable storage media.
SC-28 - Medium - CCI-001199 - V-49681 - SV-62615r1_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-001199
Version
KNOX-20-004410
Vuln IDs
  • V-49681
Rule IDs
  • SV-62615r1_rule
The operating system must ensure the data being written to the mobile device's storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage devices directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. SFR ID: FDP_DAR_EXT.1.1
Checks: C-51565r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Storage Encryption" and "External Storage Encryption" checkbox in the "Android Restrictions" rule. (**) 2. Verify the "Storage Encryption" and "External Storage Encryption" checkbox are checked. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Security". 3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed. 4. Select "Encrypt external SD card". 5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen. NOTE: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen. If the specified encryption settings are not set to the appropriate values, this is a finding. (**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.

Fix: F-53195r2_fix

Configure the mobile device to enable data-at-rest protection for removable media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, check the "Storage Encryption" and "External Storage Encryption" checkbox in the "Android Restrictions" rule.

b
The administrator/MDM must configure the application installation policy by specifying authorized application repositories (Disable unknown sources).
CM-6 - Medium - CCI-000366 - V-49683 - SV-62619r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-009010
Vuln IDs
  • V-49683
Rule IDs
  • SV-62619r1_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #10
Checks: C-51567r1_chk

Configuring an application installation policy on Samsung Knox Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in MDM (which designates the repository). This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Unknown Sources" settings in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Security". 3. Attempt to enable "Unknown sources". 4. Verify it cannot be enabled. If the "Enable Google Play" setting is not disabled , or if a user can successfully enable "Unknown sources" on the device, this is a finding.

Fix: F-53197r1_fix

Configure the mobile operating system to disable application installations from unknown sources. On the MDM Administration Console, disable "Allow Unknown Sources" in the "Android Restrictions" rule.

b
The administrator/MDM must configure the application installation policy by specifying authorized application repositories (Enroll in MDM).
CM-6 - Medium - CCI-000366 - V-49685 - SV-62621r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-25-009020
Vuln IDs
  • V-49685
Rule IDs
  • SV-62621r1_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #10
Checks: C-51571r1_chk

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to DAAs. Configuring an application installation policy on Samsung Knox Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in MDM (which designates the repository). This validation procedure covers the last of these steps. It is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list and verify the presence of an MDM agent. 2. Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix: F-53199r1_fix

Enroll the device in MDM.

b
Samsung Knox Android must lock the container after 15 minutes of inactivity.
AC-11 - Medium - CCI-000057 - V-49687 - SV-62623r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
KNOX-24-012110
Vuln IDs
  • V-49687
Rule IDs
  • SV-62623r1_rule
Having a session lock after an idle time helps protect the device from unauthorized access. The idle time is a window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Devices that do not initiate a session lock after a period of time are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. SFR ID: FTA_SSL_EXT.1.1(1)
Checks: C-51573r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Knox Container Password Restrictions" rule. 2. Verify the value of the setting is 15 minutes or less. On the Samsung Knox Android device: 1. Open the Knox Container. 2. Refrain from using the Knox Container for 15 minutes. 3. Verify the that container applications are no longer accessible. If the selected value is larger than 15 minutes, or if the Knox container does not lock after 15 minutes, this is a finding.

Fix: F-53203r1_fix

Configure the OS to initiate a session lock after a time period of inactivity. Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity. On the MDM Administration Console, configure the "Max Time to Lock" option to 15 minutes in the "Android Password Restrictions" rule.