Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2023-05-22

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Samsung Android must be configured to enforce a minimum password length of six characters.
IA-5 - Medium - CCI-000205 - V-241192 - SV-241192r680217_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
KNOX-10-000100
Vuln IDs
  • V-241192
  • V-99913
Rule IDs
  • SV-241192r680217_rule
  • SV-109017
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #1a
Checks: C-44468r680215_chk

Review Samsung Android device configuration settings to determine if the mobile device is enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device password requirements section, verify the "minimum password length" is set to "6".

On the Samsung Android device, do the following:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Tap "PIN".
4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry.

If on the management tool the "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.

Fix: F-44427r680216_fix

Configure Samsung Android to enforce a minimum password length of six characters. On the management tool, in the device password requirements section, set the "minimum password length" to "6".

Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
CM-6 - Medium - CCI-000366 - V-241193 - SV-241193r680220_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-000200
Vuln IDs
  • V-241193
  • V-99915
Rule IDs
  • SV-241193r680220_rule
  • SV-109019
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #1b
Checks: C-44469r680218_chk

Review Samsung Android configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

**** Method #1: Require Numeric(Complex) password.

On the management tool, in the device password requirements section, verify that "minimum password quality" is set to "Numeric (Complex)".

On the Samsung Android device, do the following:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Tap "PIN".
4. Enter a password with an invalid sequence and verify that the text "Consecutive or repeating numbers are not allowed" is displayed above the PIN entry.

If on the management tool the "minimum password quality" is not set to "Numeric (Complex)", or on the Samsung Android device the text "Consecutive or repeating numbers are not allowed" is not displayed, this is a finding.

**** Method #2: Require Numeric password with KPE password constraints.

On the management tool, do the following:
1. In the device password requirements section, verify the "minimum password quality" is set to "Numeric".
2. In the KPE device password section, verify that "maximum sequential characters" is "2" or less.
3. In the KPE device password section, verify that "maximum sequential numbers" is "2" or less.

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Enter current password.
5. Tap "Password".
6. Verify that passwords with two or more sequential numbers are not accepted.

If on the management tool "minimum password quality" is not set to "Numeric", or "maximum sequential characters" or "maximum sequential numbers" is more than "2", or on the Samsung Android device a password with two or more sequential characters or numbers is accepted, this is a finding.

**** Note: Alphabetic, Alphanumeric, and Complex are also acceptable selections, but these selections will cause the user to select a complex password, which is not required by the STIG.

Fix: F-44428r680219_fix

Configure Samsung Android to prevent passwords from containing more than two repeating or sequential characters. Do one of the following:
- Method #1: Require Numeric(Complex) password.
- Method #2: Require Numeric password with KPE password constraints.

**** Method #1: Require Numeric(Complex) password.

On the management tool, in the device password requirements section, set the "minimum password quality" to "Numeric (Complex)".

**** Method #2: Require Numeric password with KPE password constraints.

On the management tool, do the following:
1. In the device password requirements section, set the "minimum password quality" to "Numeric".
2. In the KPE device password section, set the "maximum sequential numbers" to "2".

**** Note: Alphabetic, Alphanumeric, and Complex are also acceptable selections but will cause the user to select a complex password, which is not required by the STIG.
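The rule above sets a limit ("maximum sequential characters" / "maximum sequential numbers" = 2) but does not spell out how a candidate PIN is measured against it. The following added example is not Samsung's, Knox's, or the management tool's code; it is an independent checker written for this page, and it assumes the usual reading of the rule: a run of adjacent characters that are all identical counts as repeating, a run in which each character steps by exactly +1 or -1 from the previous one (such as "123" or "cba") counts as sequential, and any run longer than the limit fails the policy. Use it to pre-screen PINs during enrollment testing or to reason about which values the device should reject.

```python
"""Added example (not Samsung/Knox code): check a PIN or password against the
"no more than two repeating or sequential characters" rule (KNOX-10-000200).
The run definition below is an assumption, not Knox's documented algorithm."""

from dataclasses import dataclass
from typing import Optional

MAX_RUN = 2  # STIG limit: runs longer than this are not allowed


@dataclass
class Violation:
    kind: str       # "repeating" or "sequential"
    start: int      # index of the first character in the offending run
    length: int     # number of characters in the run
    fragment: str   # the offending characters themselves


def find_violation(value: str, max_run: int = MAX_RUN) -> Optional[Violation]:
    """Return the first run longer than max_run, or None if the value passes.

    A run is a maximal block of adjacent characters with a constant code-point
    step of 0 (repeating) or +1/-1 (ascending or descending sequence).
    """
    n = len(value)
    i = 0
    while i < n - 1:
        diff = ord(value[i + 1]) - ord(value[i])
        if diff not in (-1, 0, 1):
            i += 1          # not part of any run; move on
            continue
        # Extend the run while the same step keeps being taken.
        j = i + 1
        while j < n - 1 and ord(value[j + 1]) - ord(value[j]) == diff:
            j += 1
        length = j - i + 1
        if length > max_run:
            kind = "repeating" if diff == 0 else "sequential"
            return Violation(kind, i, length, value[i:j + 1])
        i = j               # the pair (j, j+1) starts the next candidate run
    return None


def is_compliant(value: str, max_run: int = MAX_RUN) -> bool:
    """True when the value contains no run longer than max_run."""
    return find_violation(value, max_run) is None


if __name__ == "__main__":
    # Constructed sample PINs, not values from any real device.
    for pin in ("1324", "112233", "1123", "7775", "9876", "2580"):
        v = find_violation(pin)
        status = "ok" if v is None else f"REJECT ({v.kind} run {v.fragment!r} at {v.start})"
        print(f"{pin}: {status}")
```

The walk is linear in the length of the input and reports the first offending run with its position, which is what an administrator needs when explaining to a user why a PIN was refused. Lower or raise `max_run` to model a management tool configured with a different KPE limit.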

Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.
AC-11 - Medium - CCI-000057 - V-241194 - SV-241194r680223_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
KNOX-10-000300
Vuln IDs
  • V-241194
  • V-99917
Rule IDs
  • SV-241194r680223_rule
  • SV-109021
The screen-lock timeout helps protect the device from unauthorized access. Devices without a screen-lock timeout provide an opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device and possibly access to DoD networks. SFR ID: FMT_SMF_EXT.1.1 #2a
Checks: C-44470r680221_chk

Review Samsung Android configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of inactivity. This requirement is met by enforcing a secure "Screen lock type". This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device password requirements section, verify the "minimum password quality" is set to one of the following: "Something", "Numeric", "Numeric(Complex)", "Alphabetic", "Alphanumeric", or "Complex".

On the Samsung Android device, do the following:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Verify that "Swipe" and "None" are unavailable for selection.

If on the management tool the "minimum password quality" is set to "Unspecified", or on the Samsung Android device the Screen lock types "Swipe" or "None" are available for selection, this is a finding.

Fix: F-44429r680222_fix

Configure Samsung Android to enable a screen-lock policy that will lock the display after a period of inactivity. This requirement is met by enforcing a secure "Screen lock type". On the management tool, in the device password requirements section, set the "minimum password quality" to one of the following: "Something", "Numeric", "Numeric(Complex)", "Alphabetic", "Alphanumeric", or "Complex".

Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
AC-11 - Medium - CCI-000057 - V-241195 - SV-241195r680226_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
KNOX-10-000400
Vuln IDs
  • V-241195
  • V-99919
Rule IDs
  • SV-241195r680226_rule
  • SV-109023
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #2b
Checks: C-44471r680224_chk

Review Samsung Android configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device password requirements section, verify the "max time to screen lock" is set to "15 minutes" or less.

On the Samsung Android device, do the following:
1. Open Settings >> Display >> Screen timeout.
2. Verify that the listed Screen timeout values are 15 minutes or less.

If on the management tool the "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device the listed Screen timeout values include durations of more than 15 minutes, this is a finding.

Fix: F-44430r680225_fix

Configure Samsung Android to lock the device display after 15 minutes (or less) of inactivity. On the management tool, in the device password requirements section, set the "max time to screen lock" to "15 minutes" or less.

Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
AC-7 - Medium - CCI-000044 - V-241196 - SV-241196r680229_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
KNOX-10-000500
Vuln IDs
  • V-241196
  • V-99921
Rule IDs
  • SV-241196r680229_rule
  • SV-109025
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5
Checks: C-44472r680227_chk

Review Samsung Android configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts set at 10 or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device password requirements section, verify the "max password failures for local wipe" is set to "10" attempts or less.

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> Managed device info.
2. Verify "Failed password attempts before deleting all device data" is set to "10" attempts or less.

If on the management tool the "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device the "Failed password attempts before deleting all device data" is not set to "10" attempts or less, this is a finding.

Fix: F-44431r680228_fix

Configure Samsung Android to allow only 10 or fewer consecutive failed authentication attempts. On the management tool, in the device password requirements section, set the "max password failures for local wipe" to "10" attempts or less.

Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.
CM-6 - Medium - CCI-000366 - V-241197 - SV-241197r852765_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-000800
Vuln IDs
  • V-241197
  • V-99923
Rule IDs
  • SV-241197r852765_rule
  • SV-109027
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #8a
Checks: C-44473r680230_chk

Review Samsung Android configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, management tool server, and/or mobile application store). This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device restrictions section, verify that "installs from unknown sources" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Apps >> (Overflow menu) >> Special access >> Install unknown apps.
2. Tap (Overflow menu) >> Show system apps.
3. Ensure that each app listed has the status "Disabled" under the app name or that no apps are listed.

If on the management tool "installs from unknown sources" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding.

Note: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.

Fix: F-44432r680231_fix

Configure Samsung Android to disable unauthorized application repositories. On the management tool, in the device restrictions section, set "installs from unknown sources" to "Disallow". Note: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.

Samsung Android Work Environment must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: names.
CM-6 - Medium - CCI-000366 - V-241198 - SV-241198r852766_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-001000
Vuln IDs
  • V-241198
  • V-99925
Rule IDs
  • SV-241198r852766_rule
  • SV-109029
The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the OS by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #8b
Checks: C-44474r680233_chk

Review the Samsung Android Work Environment configuration setting to determine if the mobile device has an application whitelist configured. Verify that all applications listed on the whitelist have been approved by the Approving Official (AO). This validation procedure is performed only on the management tool Administration Console. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

**** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments].

On the management tool, in the Work Environment app catalog for managed Google Play, verify that only AO-approved apps are available.

If on the management tool the Work Environment app catalog for managed Google Play includes non-AO-approved apps, this is a finding.

**** Method #2: Use KPE app installation whitelisting.

On the management tool, in the Work Environment KPE restrictions section, verify that only AO-approved apps are listed in the "app installation whitelist".

If on the management tool the Work Environment "app installation whitelist" contains non-AO-approved apps, this is a finding.

Fix: F-44433r680234_fix

Configure Samsung Android Work Environment to use an application whitelist. The application whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. Do one of the following:
- Method #1: Use managed Google Play [not available for KPE(Legacy) deployments].
- Method #2: Use KPE app installation whitelisting.

**** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments].

On the management tool, in the Work Environment app catalog for managed Google Play, add each AO-approved app to be available.

**** Method #2: Use KPE app installation whitelisting.

On the management tool, in the Work Environment KPE restrictions section, add each AO-approved app to the "app installation whitelist".

Note: Refer to the management tool documentation to determine the following:
- If an application installation blacklist is also required to be configured when enforcing an "app installation whitelist"; and
- If the management tool supports adding apps to the "app installation whitelist" by package name and/or digital signature or supports a combination of the two.

The Samsung Android Work Environment whitelist must be configured to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
CM-6 - Medium - CCI-000366 - V-241199 - SV-241199r852767_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-001100
Vuln IDs
  • V-241199
  • V-99927
Rule IDs
  • SV-241199r852767_rule
  • SV-109031
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment. Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the OS by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. SFR ID: FMT_SMF_EXT.1.1 #8b
Checks: C-44475r680236_chk

Review Samsung Android Work Environment configuration setting to determine if the application whitelist is configured to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.

The application whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. This validation procedure is performed only on the management tool Administration Console. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

**** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments].

On the management tool, in the Work Environment app catalog for managed Google Play, for each approved app, verify the app details and privacy policy to ensure the app does not include prohibited characteristics.

If on the management tool the Work Environment app catalog for managed Google Play includes apps with unauthorized characteristics, this is a finding.

**** Method #2: Use KPE app installation whitelisting.

On the management tool, in the Work Environment KPE restrictions section, for each approved app on the "app installation whitelist", review the app details and privacy policy to ensure the app does not include prohibited characteristics.

If on the management tool the Work Environment "app installation whitelist" includes apps with unauthorized characteristics, this is a finding.

Fix: F-44434r680237_fix

Configure Samsung Android Work Environment to use an application whitelist that does not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.

The application whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. Do one of the following:
- Method #1: Use managed Google Play [not available for KPE(Legacy) deployments].
- Method #2: Use KPE app installation whitelisting.

**** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments].

On the management tool, in the Work Environment app catalog for managed Google Play, before adding an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics.

**** Method #2: Use KPE app installation whitelisting.

On the management tool, in the Work Environment KPE restrictions section, before adding an app to the "app installation whitelist", review the app details and privacy policy to ensure the app does not include prohibited characteristics.

Note: Refer to the management tool documentation to determine the following:
- If an application installation blacklist is also required to be configured when enforcing an "app installation whitelist"; and
- If the management tool supports adding apps to the "app installation whitelist" by package name and/or digital signature or supports a combination of the two.

Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
CM-6 - Low - CCI-000366 - V-241200 - SV-241200r852768_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-10-001300
Vuln IDs
  • V-241200
  • V-99929
Rule IDs
  • SV-241200r852768_rule
  • SV-109033
Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #18h
Checks: C-44476r680239_chk

Review Samsung Android configuration settings to determine if all Bluetooth profiles are disabled except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. Confirm if Method #1, #2, or #3 is used at the Samsung device site and follow the appropriate procedure. Method #2 or #3 must be used if the management tool supports management of Bluetooth profiles. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: AO decision: Allow Bluetooth and train users to connect only authorized Bluetooth devices.

On the management tool, in the device restrictions section, verify "Bluetooth" is set to "Allow".

On the Samsung Android device, do the following:
1. Open Settings >> Connections >> Bluetooth.
2. Verify only Bluetooth devices that use DoD-approved profiles are listed.

If on the management tool "Bluetooth" is not set to "Allow", or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding.

**** Method #2: AO decision: Disallow use of Bluetooth.

On the management tool, in the device restrictions section, verify that "Bluetooth" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Connections >> Bluetooth.
2. Verify that Bluetooth is "Off" and cannot be toggled to "On".

If on the management tool "Bluetooth" is not set to "Disallow", or on the Samsung Android device Bluetooth is not "Off" or can be toggled "On", this is a finding.

**** Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles.

On the management tool, in the device KPE Bluetooth section, verify that only DoD-approved profile UUIDs are listed in the "Bluetooth UUID whitelist":
- HFP (HFP_AG_UUID, HFP_UUID)
- HSP (HSP_AG_UUID, HSP_UUID)
- SPP (SPP_UUID)
- A2DP (A2DP_ADVAUDIODIST_UUID, A2DP_AUDIOSINK_UUID, A2DP_AUDIOSOURCE_UUID)
- AVRCP (AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID)
- PBAP (PBAP_PSE_UUID, PBAP_UUID)

On the Samsung Android device, do the following:
1. Open Settings >> Connections >> Bluetooth.
2. Verify only Bluetooth devices that use DoD-approved profiles are listed.

If on the management tool the "Bluetooth UUID whitelist" contains non-DoD-approved profile UUIDs, or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding.

Fix: F-44435r680240_fix

Configure Samsung Android to disable all Bluetooth profiles except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. Do one of the following (Method #2 or #3 must be used if the management tool supports management of Bluetooth profiles):
- Method #1: AO decision: Allow Bluetooth and train users to connect only authorized Bluetooth devices.
- Method #2: AO decision: Disallow use of Bluetooth.
- Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles.

**** Method #1: AO decision: Allow Bluetooth and train users to connect only authorized Bluetooth devices.

On the management tool, in the device restrictions section, set "Bluetooth" to "Allow". Note: Training is covered in KNOX-10-009900.

**** Method #2: AO decision: Disallow use of Bluetooth.

On the management tool, in the device restrictions section, set "Bluetooth" to "Disallow".

**** Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles.

On the management tool, in the device KPE Bluetooth section, add each DoD-approved profile UUID to the "Bluetooth UUID whitelist":
- HFP (HFP_AG_UUID, HFP_UUID)
- HSP (HSP_AG_UUID, HSP_UUID)
- SPP (SPP_UUID)
- A2DP (A2DP_ADVAUDIODIST_UUID, A2DP_AUDIOSINK_UUID, A2DP_AUDIOSOURCE_UUID)
- AVRCP (AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID)
- PBAP (PBAP_PSE_UUID, PBAP_UUID)

Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.
CM-6 - Medium - CCI-000366 - V-241201 - SV-241201r916595_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-001500
Vuln IDs
  • V-241201
  • V-99931
Rule IDs
  • SV-241201r916595_rule
  • SV-109035
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19
Checks: C-44477r680242_chk

Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE).

On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow".

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Notification and data.
2. Verify that "Show notification content" is disabled.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> Lock screen.
2. Verify that "Notifications" are disabled.

If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.

**** Method #2: Use KPE notification sanitization for notifications (COPE only).

On the management tool, in the Work Environment KPE RCP section, verify that "Show detailed notifications" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Notification and data.
2. Verify that "Show notification content" is disabled.

If on the management tool "Show detailed notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.

Fix: F-44436r680243_fix

Configure Samsung Android to not display (Work Environment) notifications when the device is locked. Do one of the following:
- Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE).
- Method #2: Use KPE notification sanitization for notifications (COPE only).

**** Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE).

On the management tool, in the Work Environment restrictions section, set "Unredacted Notifications" to "Disallow".

**** Method #2: Use KPE notification sanitization for notifications (COPE only).

On the management tool, in the Work Environment KPE RCP section, set "Show detailed notifications" to "Disallow".

c
Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.
SC-28 - High - CCI-001199 - V-241202 - SV-241202r680247_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
KNOX-10-001900
Vuln IDs
  • V-241202
  • V-99933
Rule IDs
  • SV-241202r680247_rule
  • SV-109037
The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #21, #47f
Checks: C-44478r680245_chk

If the mobile device does not support removable media, this requirement is not applicable.

Review Samsung Android configuration settings to determine if data on the mobile device's removable storage media is encrypted, or alternatively, that the use of removable storage media is disabled.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: Disable SD card (if not using SD card).

On the management tool, in the device restrictions section, verify that "SD Card" is set to "Disable".

On the Samsung Android device, verify that a microSD card cannot be mounted.

If on the management tool "SD Card" is not set to "Disable", or on the Samsung Android device a microSD card can be mounted, this is a finding.

**** Method #2: Enable data-at-rest protection.

On the management tool, in the device KPE encryption section, verify that "External storage encryption" is set to "Enable".

On the Samsung Android device, do the following:
1. Insert a freshly formatted microSD card.
2. Verify that a prompt appears to encrypt the microSD card.
3. Perform the encryption.
4. Remove and reinsert the microSD card and verify that a notification appears stating that the mounted microSD card is encrypted.

If on the management tool "External storage encryption" is not set to "Enable", or on the Samsung Android device a microSD card can be used without first being encrypted, this is a finding.

Fix: F-44437r680246_fix

Configure Samsung Android to enable data-at-rest protection for removable media, or alternatively, disable the use of removable storage media. Do one of the following:
- Method #1: Disable SD card (if not using SD card).
- Method #2: Enable data-at-rest protection.

**** Method #1: Disable SD card (if not using SD card).

On the management tool, in the device restrictions section, set "SD Card" to "Disable".

**** Method #2: Enable data-at-rest protection.

On the management tool, in the device KPE encryption section, set "External storage encryption" to "Enable".

b
Samsung Android must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
CM-6 - Medium - CCI-000366 - V-241203 - SV-241203r680250_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-002100
Vuln IDs
  • V-241203
  • V-99935
Rule IDs
  • SV-241203r680250_rule
  • SV-109039
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Checks: C-44479r680248_chk

Review Samsung Android configuration settings to determine if Trust Agents are disabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device restrictions section, verify that "Trust Agents" are set to "Disable".

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents.
2. Verify that all listed Trust Agents are disabled and cannot be enabled.

If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" can be enabled, this is a finding.

Fix: F-44438r680249_fix

Configure Samsung Android to disable Trust Agents. On the management tool, in the device restrictions section, set "Trust Agents" to "Disable".

b
Samsung Android must be configured to disable Face Recognition. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
CM-6 - Medium - CCI-000366 - V-241204 - SV-241204r680253_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-002200
Vuln IDs
  • V-241204
  • V-99937
Rule IDs
  • SV-241204r680253_rule
  • SV-109041
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Checks: C-44480r680251_chk

Review Samsung Android configuration settings to determine if Face Recognition is disabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device restrictions section, verify that "Face" is set to "Disable".

On the Samsung Android device, do the following:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Verify that "Face" is disabled and cannot be enabled.

If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Fix: F-44439r680252_fix

Configure Samsung Android to disable Face Recognition. On the management tool, in the device restrictions section, set "Face" to "Disable".

b
Samsung Android must be configured to disable developer modes.
CM-7 - Medium - CCI-000381 - V-241205 - SV-241205r680256_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
KNOX-10-002700
Vuln IDs
  • V-241205
  • V-99939
Rule IDs
  • SV-241205r680256_rule
  • SV-109043
Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #26
Checks: C-44481r680254_chk

Review Samsung Android configuration settings to determine whether a developer mode is enabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

For KPE(Legacy) COPE deployments, this configuration is the default configuration. If the management tool does not provide the capability to enable/disable "debugging features", there is NO finding because the default setting cannot be changed.

On the management tool, in the device restrictions section, verify that "Debugging Features" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open "Settings".
2. Verify "Developer options" is not listed.

If on the management tool "Debugging Features" is not set to "Disallow", or on the Samsung Android device "Developer options" is listed, this is a finding.

Fix: F-44440r680255_fix

Configure Samsung Android to disable developer modes.

For KPE(Legacy) COPE deployments this configuration is the default configuration. No configuration required.

On the management tool, in the device restrictions section, set "Debugging Features" to "Disallow".

a
Samsung Android must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.
AC-8 - Low - CCI-000048 - V-241206 - SV-241206r680259_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
KNOX-10-003300
Vuln IDs
  • V-241206
  • V-99941
Rule IDs
  • SV-241206r680259_rule
  • SV-109045
The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01.

For devices accommodating banners of 1300 characters, the banner text is:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

For devices with severe character limitations, the banner text is:

I've read & consent to terms in IS user agreem't.

The administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF_EXT.1.1 #36
Checks: C-44482r680257_chk

Confirm if Method #1, #2, or #3 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).

Review the signed user agreements for several Samsung Android device users and verify that the agreement includes the required DoD warning banner text.

If the required DoD warning banner text is not included in all reviewed signed user agreements, this is a finding.

**** Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device.

On the management tool, in the device restrictions section, verify that "Lock Screen Message" is set to the DoD-mandated warning banner text.

On the Samsung Android device, verify that the required DoD warning banner text is displayed on the Lock screen.

If on the management tool "Lock Screen Message" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed on the Lock screen, this is a finding.

**** Method #3: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device.

On the management tool, in the device KPE Banner section, verify that "Banner Text" is set to the DoD-mandated warning banner text.

On the Samsung Android device, verify that after a reboot the required DoD warning banner text is displayed.

If on the management tool "Banner Text" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed after a reboot, this is a finding.

Fix: F-44441r680258_fix

Configure the DoD warning banner by one of the following methods (the required text is found in the Discussion):
- Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).
- Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device.
- Method #3: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device.

**** Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).

**** Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device.

On the management tool, in the device restrictions section, set "Lock Screen Message" to the DoD-mandated warning banner text.

**** Method #3: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device.

On the management tool, in the device KPE Banner section, set "Banner Text" to the DoD-mandated warning banner text.

b
Samsung Android must be configured to disable USB mass storage mode.
CM-7 - Medium - CCI-000381 - V-241207 - SV-241207r680262_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
KNOX-10-003400
Vuln IDs
  • V-241207
  • V-99943
Rule IDs
  • SV-241207r680262_rule
  • SV-109047
USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #39a
Checks: C-44483r680260_chk

Review Samsung Android configuration settings to determine if the mobile device has a USB mass storage mode and if it has been disabled.

For KPE(AE) deployments this configuration is the default configuration. If the management tool does not provide the capability to configure "USB file transfer", there is NO finding because the default setting cannot be changed.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow".

On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files.

If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.

Fix: F-44442r680261_fix

Configure Samsung Android to disable USB mass storage mode.

For KPE(AE) deployments this configuration is the default configuration. No configuration is required.

On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".

b
Samsung Android must be configured to not allow backup of all applications, configuration data to locally connected systems.
AC-20 - Medium - CCI-000097 - V-241208 - SV-241208r680265_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-000097
Version
KNOX-10-003600
Vuln IDs
  • V-241208
  • V-99945
Rule IDs
  • SV-241208r680265_rule
  • SV-109049
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-44484r680263_chk

Review Samsung Android configuration settings to determine if the capability to back up to a locally connected system has been disabled.

Disabling backup to locally connected systems is implemented by the configuration policy rule "USB file transfer", which is included in KNOX-10-003400.

For KPE(AE) deployments this configuration is the default configuration. If the management tool does not provide the capability to configure "USB file transfer", there is NO finding because the default setting cannot be changed.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow".

On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files.

If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.

Fix: F-44443r680264_fix

Configure Samsung Android to disable backup to locally connected systems.

For KPE(AE) deployments this configuration is the default configuration. No configuration is required.

Disabling backup to locally connected systems is implemented by the configuration policy rule "USB file transfer", which is included in KNOX-10-003400.

On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".

b
Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (device management backup). - Disable Backup Services
AC-20 - Medium - CCI-002338 - V-241209 - SV-241209r852769_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-002338
Version
KNOX-10-003800
Vuln IDs
  • V-241209
  • V-99947
Rule IDs
  • SV-241209r852769_rule
  • SV-109051
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-44485r680266_chk

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled.

This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default. This validation procedure is applicable to COBO only.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the Work Environment restrictions section, verify that "Backup service" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Accounts and backup >> Backup and restore.
2. Verify that "Backup service not available" is listed.

If on the management tool "Backup service" is not set to "Disallow", or on the Samsung Android device "Backup service not available" is not listed, this is a finding.

Fix: F-44444r680267_fix

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (device management backup).

This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default. This guidance is applicable to COBO only.

On the management tool, in the Work Environment restrictions section, set "Backup service" to "Disallow".

b
Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (account management backup). - Disable Data Sync
AC-20 - Medium - CCI-002338 - V-241210 - SV-241210r852770_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-002338
Version
KNOX-10-003900
Vuln IDs
  • V-241210
  • V-99949
Rule IDs
  • SV-241210r852770_rule
  • SV-109053
SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-44486r680269_chk

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: AE Account management

On the management tool, in the Work Environment restrictions section, verify that "Account Management" is set to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync.

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> Accounts and backup >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.

If on the management tool "Account Management" is not set to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync, or on the Samsung Android device an account can be added, this is a finding.

**** Method #2: KPE Account Addition Blacklist

On the management tool, do the following:
1. In the Work Environment KPE Account section, verify that "Account Addition Blacklist" is set to "Blacklist all" for Samsung accounts and Google accounts.
2. In the Work Environment, verify that no app that uses accounts for data backup/sync is approved.

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> Accounts and backup >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.

If on the management tool "Account Addition Blacklist" is not set to "Blacklist all" for Samsung accounts and Google accounts, or on the Samsung Android device an account can be added, this is a finding.

Fix: F-44445r680270_fix

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (account management backup). Do one of the following:
- Method #1: AE Account management
- Method #2: KPE Account Addition Blacklist

**** Method #1: AE Account management

On the management tool, in the Work Environment restrictions section, set "Account Management" to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync.

**** Method #2: KPE Account Addition Blacklist

On the management tool, do the following:
1. In the Work Environment KPE Account section, set "Account Addition Blacklist" to "Blacklist all" for Samsung accounts and Google accounts.
2. In the Work Environment, do not approve any app that uses accounts for data backup/sync.

b
Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
AC-17 - Medium - CCI-002314 - V-241211 - SV-241211r852771_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
KNOX-10-004200
Vuln IDs
  • V-241211
  • V-99951
Rule IDs
  • SV-241211r852771_rule
  • SV-109055
If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application note: If hotspot functionality is permitted, it must be authenticated via a pre-shared key. There is no requirement to enable hotspot functionality. SFR ID: FMT_SMF_EXT.1.1 #41a
Checks: C-44487r680272_chk

Review Samsung Android configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a pre-shared key.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device KPE restrictions section, verify that "Unsecured hotspot" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot >> (overflow menu) >> Configure Mobile Hotspot.
2. Tap option "Open" in the "Security" drop-down box.
3. Verify that "Save" is disabled.

If on the management tool "Unsecured hotspot" is not set to "Disallow", or on the Samsung Android device "Open" can be selected in the "Security" drop-down box and the configuration can be saved, this is a finding.

Fix: F-44446r680273_fix

Configure Samsung Android to enable authentication of personal hotspot connections to the device using a pre-shared key. On the management tool, in the device KPE restrictions section, set "Unsecured hotspot" to "Disallow".

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Move files to personal
CM-6 - Medium - CCI-000366 - V-241212 - SV-241212r852772_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-004600
Vuln IDs
  • V-241212
  • V-99953
Rule IDs
  • SV-241212r852772_rule
  • SV-109057
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-44488r680275_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable to COPE only.

This procedure is performed on the management tool Administration Console only.

This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed.

On the management tool, in the Work Environment KPE RCP section, verify "Move files to personal" is set to "Disallow".

If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding. If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Fix: F-44447r680276_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.

This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only.

The configuration of "Move files to personal" is the default required configuration. No configuration is required.

On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow".

Note: "Move files to workspace" may be configured if there is a DoD mission need for this feature.

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Copy and Paste data
CM-6 - Medium - CCI-000366 - V-241213 - SV-241213r852773_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-004700
Vuln IDs
  • V-241213
  • V-99955
Rule IDs
  • SV-241213r852773_rule
  • SV-109059
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-44489r680278_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that the sharing of clipboard data from the Work Environment to the Personal Environment is disabled and is applicable to COPE only.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: KPE RCP Sync

On the management tool, in the Work Environment KPE RCP section, verify that "Sharing clipboard to personal" is set to "Disallow".

On the Samsung Android device, do the following:
1. Using any Work Environment app, copy text to the clipboard.
2. Using any Personal Environment app, verify that the clipboard text cannot be pasted.

If on the management tool "Sharing clipboard to personal" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding.

**** Method #2: AE Restriction

On the management tool, in the Work Environment restrictions section, verify that "Cross profile copy/paste" is set to "Disallow".

On the Samsung Android device, do the following:
1. Using any Work Environment app, copy text to the clipboard.
2. Using any Personal Environment app, verify that the clipboard text cannot be pasted.

If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding.

Fix: F-44448r680279_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.

This guidance is for disabling the sharing of clipboard data from the Work Environment to the Personal Environment and is applicable to COPE only.

Do one of the following:
- Method #1: KPE RCP Sync
- Method #2: AE Restriction

**** Method #1: KPE RCP Sync
On the management tool, in the Work Environment KPE RCP section, set "Sharing clipboard to personal" to "Disallow".

**** Method #2: AE Restriction
On the management tool, in the Work Environment restrictions section, set "Cross profile copy/paste" to "Disallow".

Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Sync Calendar to personal
CM-6 - Medium - CCI-000366 - V-241214 - SV-241214r852774_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-004800
Vuln IDs
  • V-241214
  • V-99957
Rule IDs
  • SV-241214r852774_rule
  • SV-109061
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-44490r680281_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that Calendar events created in the Work Environment are disallowed from being displayed in the Personal Environment Calendar and is applicable to COPE only.

This procedure is performed on the management tool Administration console only.

On the management tool, in the Work Environment KPE RCP section, verify that "Sync calendar to personal" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Notifications and data.
2. Verify that "Export to personal calendar" is disabled and cannot be enabled.

If on the management tool "Sync calendar to personal" is not set to "Disallow", or on the Samsung Android device "Export to personal calendar" is enabled or can be enabled, this is a finding.

Fix: F-44449r680282_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disallowing Calendar events created in the Work Environment from being displayed in the Personal Environment Calendar and is applicable to COPE only. On the management tool, in the Work Environment KPE RCP section, set "Sync calendar to personal" to "Disallow".

Samsung Android must be configured to disable multi-user modes (tablets only).
CM-6 - Medium - CCI-000366 - V-241215 - SV-241215r852775_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-005000
Vuln IDs
  • V-241215
  • V-99959
Rule IDs
  • SV-241215r852775_rule
  • SV-109063
Note: This requirement is only applicable to Samsung tablets. Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies. SFR ID: FMT_SMF_EXT.1.1 #47b
Checks: C-44491r680284_chk

Review Samsung Android configuration settings to determine if multi-user mode is disabled.

KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device KPE Multiuser section, verify that "Multi-user mode" is set to "Disallow".

On the Samsung Android device, open Settings and verify that the "User" setting is not listed.

If on the management tool "Multi-user mode" is not set to "Disallow", or on the Samsung Android device the "User" setting is available, this is a finding.

Fix: F-44450r680285_fix

Configure Samsung Android to disable multi-user modes. KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met. On the management tool, in the device KPE Multiuser section, set "Multi-user mode" to "Disallow".

Samsung Android must [not accept the certificate] when it cannot establish a connection to determine the validity of a certificate.
IA-5 - Low - CCI-000185 - V-241216 - SV-241216r680289_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000185
Version
KNOX-10-007300
Vuln IDs
  • V-241216
  • V-99961
Rule IDs
  • SV-241216r680289_rule
  • SV-109065
Certificate-based security controls are dependent on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DoD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree. SFR ID: FIA_X509_EXT_2.2
Checks: C-44492r680287_chk

Verify requirement KNOX-10-010800 (CC Mode) has been implemented. If CC Mode has not been implemented, this is a finding.

Fix: F-44451r680288_fix

Verify CC Mode has been implemented (see requirement KNOX-10-010800).

The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.
CM-6 - Medium - CCI-000366 - V-241217 - SV-241217r680292_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-009000
Vuln IDs
  • V-241217
  • V-99963
Rule IDs
  • SV-241217r680292_rule
  • SV-109067
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the Administrator or to whitelisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44493r680290_chk

Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: AE Account management

On the management tool, verify the following:
1. In the Work Environment restrictions section, "Account Management" is set to "Disable" for: Work email app.
2. The user's email account has been provisioned on their behalf.

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> Accounts and backup >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

If on the management tool "Account Management" is not set to "Disable" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.

**** Method #2: KPE Account Addition Blacklist

On the management tool, verify the following:
1. In the Work Environment KPE Account section, "Account Addition Blacklist" is set to "Blacklist all" for: Work email app.
2. The user's email account has been provisioned on their behalf.

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> Accounts and backup >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

If on the management tool "Account Addition Blacklist" is not set to "Blacklist all" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.

Fix: F-44452r680291_fix

Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app.

Refer to the management tool documentation to determine how to provision users' work email accounts for the work email app.

Do one of the following:
- Method #1: AE Account management
- Method #2: KPE Account Addition Blacklist

**** Method #1: AE Account management
On the management tool, do the following:
1. In the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app.
2. Provision the user's email account on their behalf.

**** Method #2: KPE Account Addition Blacklist
On the management tool, do the following:
1. In the Work Environment KPE Account section, set "Account Addition Blacklist" to "Blacklist all" for: Work email app.
2. Provision the user's email account on their behalf.

Samsung Android Personal Environment must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-241218 - SV-241218r680295_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-009200
Vuln IDs
  • V-241218
  • V-99965
Rule IDs
  • SV-241218r680295_rule
  • SV-109069
The system application disable list controls user access/execution of all core and pre-installed applications. Core application: Any application integrated into Samsung Android by Google or Samsung. Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier. Some system applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44494r680293_chk

Review Samsung Android Personal Environment configuration settings to determine if the system application disable list is enforced.

This procedure is only for the Personal Environment of a COPE deployment.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: KPE(AE) enrollment

The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment.

On the management tool, verify that the "core app white list" contains only approved core and preinstalled apps.

On the Samsung Android device, review the Personal Environment apps and confirm that apps listed in the "System Apps for disablement" table in the Supplemental document are not present.

If on the management tool the "core app white list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

**** Method #2: KPE system app disable list

On the management tool, in the Personal Environment KPE application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO).

On the Samsung Android device, review the Personal Environment apps and confirm that none of the apps listed in the "system app disable list" are present.

If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

Fix: F-44453r680294_fix

Configure the Samsung Android device to enforce the system application disable list. Refer to the "System Apps for disablement" table in the Supplemental document.

This guidance is only for the Personal Environment of a COPE deployment.

Do one of the following:
- Method #1: KPE(AE) enrollment
- Method #2: KPE system app disable list

**** Method #1: KPE(AE) enrollment
The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment. If the device configuration is changed, use the following procedure to bring the device back into compliance:
On the management tool, configure a list of approved Google core and preinstalled apps in the core app white list.

**** Method #2: KPE system app disable list
On the management tool, in the Personal Environment KPE application section, add all non-AO-approved system app packages to the "system app disable list".

Samsung Android Work Environment must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-241219 - SV-241219r680298_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-009300
Vuln IDs
  • V-241219
  • V-99967
Rule IDs
  • SV-241219r680298_rule
  • SV-109071
The system application disable list controls user access/execution of all core and pre-installed applications. Core application: Any application integrated into Samsung Android by Google or Samsung. Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier. Some system applications can compromise DoD data or upload user's information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44495r680296_chk

Review Samsung Android Work Environment configuration settings to determine if the system application disable list is enforced.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: KPE(AE) enrollment

The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment.

On the management tool, verify that the Work Environment "core app white list" contains only approved core and preinstalled apps.

On the Samsung Android device, review the Work Environment apps and confirm that apps listed in the "System Apps for disablement" table in the Supplemental document are not present.

If on the management tool the "core app white list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

**** Method #2: KPE system app disable list

On the management tool, in the Work Environment KPE application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO).

On the Samsung Android device, review the Work Environment apps and confirm that none of the apps listed in the "system app disable list" are present.

If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

Fix: F-44454r680297_fix

Configure Samsung Android Work Environment to enforce the system application disable list. Refer to the "System Apps for disablement" table in the Supplemental document.

Do one of the following:
- Method #1: KPE(AE) enrollment
- Method #2: KPE system app disable list

**** Method #1: KPE(AE) enrollment
The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment. If the device configuration is changed, use the following procedure to bring the device back into compliance:
On the management tool, configure a list of approved Google core and preinstalled apps in the core app white list.

**** Method #2: KPE system app disable list
On the management tool, in the Work Environment KPE application section, add all non-AO-approved system app packages to the "system app disable list".

Samsung Android must be configured to enable audit logging.
CM-6 - Medium - CCI-000366 - V-241220 - SV-241220r680301_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-009500
Vuln IDs
  • V-241220
  • V-99969
Rule IDs
  • SV-241220r680301_rule
  • SV-109073
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. The Requirement Statement lists key events for which the system must generate an audit record. SFR ID: FAU_GEN.1.1 #8
Checks: C-44496r680299_chk

Review Samsung Android device configuration settings to confirm that Audit logging is enabled.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on the management tool Administration Console only.

**** Method #1: KPE Audit logging

On the management tool, in the device KPE audit log section, verify that "Audit log" is set to "Enable".

If on the management tool "Audit log" is not set to "Enable", this is a finding.

**** Method #2: AE Audit logging

On the management tool, do the following:
1. In the device restrictions section, verify that "Security logging" is set to "Enable".
2. In the device restrictions section, verify that "Network logging" is set to "Enable".

If on the management tool both "Security logging" and "Network logging" are not set to "Enable", this is a finding.

Fix: F-44455r680300_fix

Configure Samsung Android to enable audit logging.

Do one of the following:
- Method #1: KPE Audit logging
- Method #2: AE Audit logging

**** Method #1: KPE Audit logging
On the management tool, in the device KPE audit log section, set "Audit log" to "Enable".

**** Method #2: AE Audit logging
On the management tool, do the following:
1. In the device restrictions section, set "Security logging" to "Enable".
2. In the device restrictions section, set "Network logging" to "Enable".

Samsung Android must be enrolled as a COPE/COBO device.
CM-6 - Medium - CCI-000366 - V-241221 - SV-241221r680304_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-009600
Vuln IDs
  • V-241221
  • V-99971
Rule IDs
  • SV-241221r680304_rule
  • SV-109075
The Knox Workspace is the designated application group for the COPE use case. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44497r680302_chk

Review Samsung Android device configuration settings to confirm that the device is enrolled in a DoD-approved use case.

Confirm if Method #1, #2, #3, or #4 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

**** Method #1: Fully managed with work profile [KPE(AE) COPE deployment]

On the management tool, verify that the default enrollment is set to "Fully managed with work profile".

On the Samsung Android device, do the following:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that a "Personal" and "Work" tab are present.

If on the management tool the default enrollment is not set as "Fully managed with work profile", or on the Samsung Android device the "Personal" and "Work" tabs are not present, or the management tool Agent is not listed, this is a finding.

**** Method #2: Legacy managed with Legacy Workspace [KPE(Legacy) COPE deployment]

On the management tool, verify that the default enrollment is set to "Legacy managed with Legacy Workspace".

On the Samsung Android device, do the following:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that a "Personal" and "Workspace" tab are present.

If on the management tool the default enrollment is not set as "Legacy managed with Legacy Workspace", or on the Samsung Android device the "Personal" and "Work" tabs are not present, or the management tool Agent is not listed, this is a finding.

**** Method #3: Fully managed [KPE(AE) COBO deployment]

On the management tool, verify that the default enrollment is set as "Fully managed".

On the Samsung Android device, do the following:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.

If on the management tool the default enrollment is not set as "Fully managed", or the management tool Agent is not listed, this is a finding.

**** Method #4: Legacy managed [KPE(Legacy) COBO deployment]

On the management tool, verify that the default enrollment is set as "Legacy managed".

On the Samsung Android device, do the following:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.

If on the management tool the default enrollment is not set as "Legacy managed", or the management tool Agent is not listed, this is a finding.

Fix: F-44456r680303_fix

Enroll the Samsung Android device in a DoD-approved use case.

Do one of the following:
- Method #1: Fully managed with work profile [KPE(AE) COPE deployment]
- Method #2: Legacy managed with Legacy Workspace [KPE(Legacy) COPE deployment]
- Method #3: Fully managed [KPE(AE) COBO deployment]
- Method #4: Legacy managed [KPE(Legacy) COBO deployment]

**** Method #1: Fully managed with work profile [KPE(AE) COPE deployment]
On the management tool, configure the default enrollment as "Fully managed with work profile".

**** Method #2: Legacy managed with Legacy Workspace [KPE(Legacy) COPE deployment]
On the management tool, configure the default enrollment as "Legacy managed with Legacy Workspace".

**** Method #3: Fully managed [KPE(AE) COBO deployment]
On the management tool, configure the default enrollment as "Fully managed".

**** Method #4: Legacy managed [KPE(Legacy) COBO deployment]
On the management tool, configure the default enrollment as "Legacy managed".

**** Refer to the management tool documentation to determine how to configure the device enrollment.

Samsung Android device users must complete required training.
CM-6 - Medium - CCI-000366 - V-241222 - SV-241222r680307_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-009900
Vuln IDs
  • V-241222
  • V-99973
Rule IDs
  • SV-241222r680307_rule
  • SV-109077
The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44498r680305_chk

Review a sample of site User Agreements of Samsung device users or similar training records and training course content. Verify that Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.

Fix: F-44457r680306_fix

Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record.

Training topics:
- Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking.
- Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email).
- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable.
- How to configure the following UBE controls (users must configure the control) on the Samsung device:
  1. Secure use of Calendar Alarm.
  2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use).
  3. Do not connect Samsung devices (either via DeX Station or dongle) to any DoD network via Ethernet connection.
  4. Do not upload DoD contacts via smart call and caller ID services.
  5. Disable Wi-Fi Sharing.
  6. Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space.
- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.

Samsung Android Work Environment must be configured to disable the Auto Fill services.
CM-6 - Medium - CCI-000366 - V-241223 - SV-241223r680310_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-010600
Vuln IDs
  • V-241223
  • V-99975
Rule IDs
  • SV-241223r680310_rule
  • SV-109079
The auto-fill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of auto-fill services, an adversary who learns a user's Samsung Android device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the auto-fill services to provide information unknown to the adversary. By disabling the auto-fill services, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. Examples of apps that offer Autofill services include Samsung Pass, Google, Dashlane, LastPass, and 1Password. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44499r680308_chk

Review Samsung Android Work Environment configuration settings to determine if autofill services are disabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

This policy cannot be enforced on a KPE(Legacy) deployment.

On the management tool, in the Work Environment restrictions section, verify that "Autofill services" is set to "Disallow".

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> More settings >> Keyboard and input.
2. Verify that "Autofill service" is not present.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> General management >> Language and input.
2. Verify that "Autofill service" is not present.

If on the management tool "Autofill services" is not set to "Disallow", or on the Samsung Android device "Autofill service" is present, this is a finding.

Fix: F-44458r680309_fix

Configure the Samsung Android Work Environment to disable autofill services. This policy cannot be enforced on a KPE(Legacy) deployment. On the management tool, in the Work Environment restrictions section, set "Autofill services" to "Disallow".

Samsung Android must be configured to enable Knox CC Mode.
CM-6 - High - CCI-000366 - V-241224 - SV-241224r680313_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
KNOX-10-010800
Vuln IDs
  • V-241224
  • V-99977
Rule IDs
  • SV-241224r680313_rule
  • SV-109081
The KPE CC Mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC Mode is not implemented, the device will not be operating in the NIAP-certified compliant CC Mode of operation.

CC Mode implements the following behavioral/functional changes:
- FOTA signature verification uses an additional SHA-512 signature check.
- Download Mode is disabled and all updates will occur via FOTA only.
- IKEv1 operates in Main Mode only.
- HTTPS audit logging is enabled.
- Certificates without a Subject Alternative Name (SAN) field are rejected.
- Certificates that do not pass Strict Host Name verification are rejected.
- Certificates provided by servers must have the Extended Key Usage field set as Server Authentication.
- Allows only authenticated Bluetooth connections.
- Additional Key Zeroization is performed.

SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44500r680311_chk

Review Samsung Android configuration settings to determine if KPE CC Mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device KPE restrictions section, verify that "CC mode" is set to "Enable". On the Samsung Android device, put the device into "Download mode" and verify that the text "Blocked by CC Mode" is displayed on the screen. If on the management tool "CC mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.

Fix: F-44459r680312_fix

Configure Samsung Android to enable KPE CC Mode. On the management tool, in the device KPE restrictions section, set "CC mode" to "Enable".
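As an added example (not part of this STIG and not Samsung's code), the following Go program applies the three server-certificate rules from the CC Mode discussion (SAN required, strict host name verification, Extended Key Usage must include Server Authentication) to self-signed test certificates it builds itself. The host name `mdm.example.com` and the certificates are constructed for illustration; the rule logic mirrors the listed policy, not the Knox implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ccModeServerCertRejections applies the three X.509 acceptance rules the
// CC Mode discussion lists for server certificates and returns the reasons
// for rejection. An empty slice means the certificate would be accepted.
// This mirrors the listed policy only; it is not Samsung's implementation.
func ccModeServerCertRejections(cert *x509.Certificate, host string) []string {
	var reasons []string

	// Rule: certificates without a Subject Alternative Name field are rejected.
	hasSAN := len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 ||
		len(cert.EmailAddresses) > 0 || len(cert.URIs) > 0
	if !hasSAN {
		reasons = append(reasons, "no Subject Alternative Name extension")
	}

	// Rule: strict host name verification. VerifyHostname matches the
	// requested host against SAN entries only; the Subject CN is ignored.
	if hasSAN {
		if err := cert.VerifyHostname(host); err != nil {
			reasons = append(reasons, "strict host name verification failed: "+err.Error())
		}
	}

	// Rule: Extended Key Usage must include Server Authentication.
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			serverAuth = true
			break
		}
	}
	if !serverAuth {
		reasons = append(reasons, "Extended Key Usage does not include Server Authentication")
	}
	return reasons
}

// newTestCert builds a self-signed certificate with the given Subject CN,
// SAN DNS names and EKU values. Constructed test data only; a CN is set on
// every cert so the examples show that CN alone does not satisfy the rules.
func newTestCert(cn string, dnsNames []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed host name; not a real management tool endpoint.
	const host = "mdm.example.com"
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	cases := []struct {
		label string
		sans  []string
		ekus  []x509.ExtKeyUsage
	}{
		{"SAN + serverAuth (accepted)", []string{host}, serverAuth},
		{"CN only, no SAN", nil, serverAuth},
		{"SAN for another host", []string{"other.example.com"}, serverAuth},
		{"SAN but clientAuth only", []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	}
	for _, c := range cases {
		cert, err := newTestCert(host, c.sans, c.ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28s -> %v\n", c.label, ccModeServerCertRejections(cert, host))
	}
}
```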

Samsung Android must be configured to disallow configuration of Date Time.
CM-6 - Medium - CCI-000366 - V-241225 - SV-241225r680316_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-011000
Vuln IDs
  • V-241225
  • V-99979
Rule IDs
  • SV-241225r680316_rule
  • SV-109083
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), the Global Positioning System (GPS), or the wireless carrier. Time stamps generated by the audit system in Samsung Android must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44501r680314_chk

Review Samsung Android configuration settings to determine if the configuration of the date and time is disallowed. Confirm if Method #1, #2, or #3 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
**** Method #1: Restrict user from configuring time.
On the management tool, in the device restrictions section, verify that "Config Date Time" is set to "Disallow".
On the Samsung Android device, do the following:
1. Open Settings >> General management >> Date and time.
2. Verify that "Automatic date and time" is on and the user cannot disable it.
If on the management tool "Config Date Time" is not set to "Disallow", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.
**** Method #2: Require Auto Time.
On the management tool, in the device restrictions section, verify that "Set auto (network) time required" is set to "Required".
On the Samsung Android device, do the following:
1. Open Settings >> General management >> Date and time.
2. Verify that "Automatic date and time" is on and the user cannot disable it.
If on the management tool "Set auto (network) time required" is not set to "Required", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.
**** Method #3: Disable Date/Time change (KPE).
On the management tool, in the device KPE Date Time section, verify that "Date Time Change" is set to "Disable".
On the Samsung Android device, do the following:
1. Open Settings >> General management >> Date and time.
2. Verify that "Automatic date and time" is on and the user cannot disable it.
If on the management tool "Date Time Change" is not set to "Disable", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.

Fix: F-44460r680315_fix

Configure Samsung Android to disallow configuration of the date and time. Do one of the following:
- Method #1: Restrict user from configuring time.
- Method #2: Require Auto Time.
- Method #3: Disable Date/Time change (KPE).
**** Method #1: Restrict user from configuring time.
On the management tool, in the device restrictions section, set "Config Date Time" to "Disallow".
**** Method #2: Require Auto Time.
On the management tool, in the device restrictions section, set "Set auto (network) time required" to "Required".
**** Method #3: Disable Date/Time change (KPE).
On the management tool, in the device KPE Date Time section, set "Date Time Change" to "Disable".
Note: Each method uses a different API to accomplish the same result. Any of the methods are acceptable.

Samsung Android must be configured to enforce a USB host mode exception list. Note: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
CM-6 - Medium - CCI-000366 - V-241226 - SV-241226r680319_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-011200
Vuln IDs
  • V-241226
  • V-99981
Rule IDs
  • SV-241226r680319_rule
  • SV-109085
The USB host mode feature allows USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. The USB host mode exception list allows selected USB devices to operate, while disallowing others, based on their USB device class. With some USB device classes, a user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. However, some USB device classes do not allow data to be copied, such as Human Interface Devices (HID). Disabling all USB devices except for HID mitigates the risk of compromising sensitive DoD data. This allows for DeX mode to be used, with a USB keyboard and mouse, without compromising DoD data. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44502r680317_chk

Review Samsung Android device configuration settings to determine if a USB host mode exception list is configured, or alternatively, if USB host mode is disabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
**** Method #1: Use USB exception list, which allows DeX usage (preferred).
On the management tool, in the device KPE restrictions section, verify that "HID" is the only USB class included in the "USB host mode exception list".
On the Samsung Android device, do the following:
1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device.
2. Connect a USB thumb drive to the adapter.
3. Verify that the device cannot access the USB thumb drive.
If on the management tool the "USB host mode exception list" includes a USB class other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.
**** Method #2: Disable USB host mode.
On the management tool, in the device KPE restrictions section, verify that "USB host mode" is set to "Disable".
On the Samsung Android device, do the following:
1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device.
2. Connect a USB thumb drive to the adapter.
3. Verify that the device cannot access the USB thumb drive.
If on the management tool "USB host mode" is not set to "Disable", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.

Fix: F-44461r680318_fix

Configure Samsung Android with a USB host mode exception list, or alternatively, disable the use of USB host mode. Do one of the following:
- Method #1: Use USB exception list, which allows DeX usage (preferred).
- Method #2: Disable USB host mode.
**** Method #1: Use USB exception list, which allows DeX usage (preferred).
On the management tool, in the device KPE restrictions section, add the "HID" USB class to the "USB host mode exception list".
**** Method #2: Disable USB host mode.
On the management tool, in the device KPE restrictions section, set "USB host mode" to "Disable".

Samsung Android Work Environment must be configured to enforce that Share Via List is disabled.
CM-6 - Medium - CCI-000366 - V-241227 - SV-241227r680322_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-011400
Vuln IDs
  • V-241227
  • V-99983
Rule IDs
  • SV-241227r680322_rule
  • SV-109087
The "Share Via List" feature allows the transfer of data between nearby Samsung devices via Android Beam, Wi-Fi Direct, Link Sharing, and Share to Device. If sharing were enabled, sensitive DoD data could be compromised. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44503r680320_chk

Review Samsung Android Work Environment configuration settings to determine if Share Via List is disallowed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment KPE restrictions section, verify that "Share Via List" is set to "Disallow". On the Samsung Android device, attempt to share by long pressing a file in the Work Environment and tapping "Share". If on the management tool "Share Via List" is not set to "Disallow", or on the Samsung Android device the user is able to share, this is a finding.

Fix: F-44462r680321_fix

Configure Samsung Android Work Environment to disallow Share Via List. On the management tool, in the Work Environment KPE restrictions section, set "Share Via List" to "Disallow". Note: Disabling Share Via List will also disable functionality such as Gallery Sharing and Direct Sharing.

Samsung Android must be configured to disallow outgoing beam.
CM-6 - Medium - CCI-000366 - V-241228 - SV-241228r680325_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-011600
Vuln IDs
  • V-241228
  • V-99985
Rule IDs
  • SV-241228r680325_rule
  • SV-109089
Outgoing beam allows transfer of data through NFC and Bluetooth by touching two unlocked devices together. If it were enabled, sensitive DoD data could be transmitted. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44504r680323_chk

Review Samsung Android Work Environment configuration settings to verify that outgoing beam is disallowed. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This validation procedure is applicable to COBO only. This procedure is performed on both the MDM Administration console and the Samsung Android device. On the MDM console, in the Work Environment restrictions section, verify that "disallow outgoing beam" is selected. On the Samsung Android device, open a picture, contact, or web page and put it back to back with an unlocked outgoing beam-enabled device. Verify that outgoing beam cannot be started. If on the MDM console "outgoing beam" is not set to "disallow", or on the Samsung Android device the user is able to successfully start outgoing beam, this is a finding.

Fix: F-44463r680324_fix

Configure Samsung Android to disallow outgoing beam. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This guidance is applicable to COBO only. On the MDM console, in the Work Environment restrictions section, set "outgoing beam" to "disallow".

Samsung Android Work Environment must be configured to enforce that Wi-Fi Sharing is disabled.
CM-6 - Medium - CCI-000366 - V-241229 - SV-241229r680328_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-011800
Vuln IDs
  • V-241229
  • V-99987
Rule IDs
  • SV-241229r680328_rule
  • SV-109091
Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection. Wi-Fi Sharing grants the "other" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a pre-shared key for personal hotspots. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44505r680326_chk

Review Samsung Android device configuration settings to confirm that Wi-Fi Sharing is disabled. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been verified as disabled on the management tool, the following guidance is not applicable. This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement.
On the Samsung Android device, do the following:
1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot.
2. Verify that "Wi-Fi sharing" is disabled.
If on the Samsung Android device "Wi-Fi sharing" is enabled, this is a finding.

Fix: F-44464r680327_fix

Configure Samsung Android to disable Wi-Fi Sharing. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the management tool, the following guidance is not applicable.
On the Samsung Android device, do the following:
1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot.
2. Disable "Wi-Fi sharing" if it is enabled.

Samsung Android Work Environment must be configured to enable Certificate Revocation checking.
CM-6 - Medium - CCI-000366 - V-241230 - SV-241230r680331_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-012000
Vuln IDs
  • V-241230
  • V-99989
Rule IDs
  • SV-241230r680331_rule
  • SV-109093
A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using CRLs. When OCSP is enabled, it is used prior to CRL checking. If OCSP could not obtain a decisive response about a certificate, it will then try to use CRL checking. The OCSP response server must be listed in the certificate information under Authority Info Access. This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44506r680329_chk

Review Samsung Android Work Environment configuration settings to determine if Certificate Revocation checking is enabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on the management tool Administration Console only.
**** Method #1: CRL checking
On the management tool, in the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps".
If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding.
**** Method #2: OCSP with CRL fallback
On the management tool, do the following:
1. In the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile KPE restrictions section, verify that "OCSP check" is set to "enable for all apps".
If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.

Fix: F-44465r680330_fix

Configure Samsung Android Work Environment to enable Certificate Revocation checking. Do one of the following:
- Method #1: CRL checking
- Method #2: OCSP with CRL fallback
**** Method #1: CRL checking
On the management tool, in the Work profile KPE certificate section, set "Revocation check" to "enable for all apps". Refer to the management tool documentation to determine how to configure Revocation checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".
**** Method #2: OCSP with CRL fallback
On the management tool, do the following:
1. In the Work profile KPE certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile KPE restrictions section, set "OCSP check" to "enable for all apps".
Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".

Samsung Android Work Environment must have the DoD root and intermediate PKI certificates installed.
CM-6 - Medium - CCI-000366 - V-241231 - SV-241231r680334_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-012300
Vuln IDs
  • V-241231
  • V-99991
Rule IDs
  • SV-241231r680334_rule
  • SV-109095
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44507r680332_chk

Review Samsung Android Work Environment configuration settings to determine if the DoD root and intermediate PKI certificates are installed. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).
**** Method #1: Use AE Key management.
On the management tool, in the Work Environment certificate section, verify that the DoD root and intermediate PKI certificates are installed.
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.
2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment.
If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding.
**** Method #2: Use KPE Key management.
On the management tool, in the Work Environment KPE certificate section, verify that the DoD root and intermediate PKI certificates are installed.
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.
2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment.
If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding.

Fix: F-44466r680333_fix

Configure the Samsung Android Work Environment to install DoD root and intermediate PKI certificates. Do one of the following:
- Method #1: Use AE Key management.
- Method #2: Use KPE Key management.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).
**** Method #1: Use AE Key management.
On the management tool, in the Work Environment certificate section, install the DoD root and intermediate PKI certificates.
**** Method #2: Use KPE Key management.
On the management tool, in the Work Environment KPE certificate section, install the DoD root and intermediate PKI certificates.

Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
CM-6 - Medium - CCI-000366 - V-241232 - SV-241232r680337_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-012400
Vuln IDs
  • V-241232
  • V-99993
Rule IDs
  • SV-241232r680337_rule
  • SV-109097
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DoD root and intermediate PKI certificates to the Administrator mitigates this risk. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-44508r680335_chk

Review Samsung Android Work Environment configuration settings to determine if the user is unable to remove DoD root and intermediate PKI certificates. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
**** Method #1: Disallow user from configuring any credential.
On the management tool, in the Work Environment restrictions section, verify that "Config credentials" is set to "Disallow".
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.
2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted.
3. In the User tab, verify that no listed certificate in the Work Environment can be removed.
If on the management tool "Config credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.
**** Method #2: Disallow user from removing certificates.
On the management tool, in the device KPE restrictions section, verify that "User Remove Certificates" is set to "Disallow".
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.
2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted.
3. In the User tab, verify that no listed certificate in the Work Environment can be removed.
If on the management tool "User Remove Certificates" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.

Fix: F-44467r680336_fix

Configure Samsung Android Work Environment to prevent a user from removing DoD root and intermediate PKI certificates. Do one of the following:
- Method #1: Disallow user from configuring any credential.
- Method #2: Disallow user from removing certificates.
**** Method #1: Disallow user from configuring any credential.
On the management tool, in the Work Environment restrictions section, set "Config credentials" to "Disallow".
**** Method #2: Disallow user from removing certificates.
On the management tool, in the Work Environment KPE restrictions section, set "User Remove Certificates" to "Disallow".

The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
CM-6 - High - CCI-000366 - V-241233 - SV-241233r680340_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
KNOX-10-012500
Vuln IDs
  • V-241233
  • V-99995
Rule IDs
  • SV-241233r680340_rule
  • SV-109099
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-44509r680338_chk

Review Samsung Android device configuration settings to confirm that the most recently released version of Samsung Android is installed. This procedure is performed on both the management tool and the Samsung Android device.
In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. See the notes below to determine the latest available OS version.
On the Samsung Android device, to see the installed OS version:
1. Open Settings.
2. Tap "About phone".
3. Tap "Software information".
If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding.
Note: Some wireless carriers list the version of the latest Android OS release by mobile device model online:
ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung
T-Mobile: https://support.t-mobile.com/docs/DOC-34510
Verizon Wireless: https://www.verizonwireless.com/support/software-updates/
Google Android OS patch website: https://source.android.com/security/bulletin/
Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb

Fix: F-44468r680339_fix

Install the latest released version of Samsung Android OS on all managed Samsung devices. Note: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).

Samsung Android must be configured to require the user to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup.
CM-6 - Medium - CCI-000366 - V-241234 - SV-241234r680343_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-10-012700
Vuln IDs
  • V-241234
  • V-99997
Rule IDs
  • SV-241234r680343_rule
  • SV-109101
The intent of this requirement is to prevent decryption of protected data before the user has authorized to the device using the Password Authentication Factor. The Password Authentication Factor is also required in order to derive the key used to decrypt sensitive data, which includes software-based secure key storage. For devices with Full Disk Encryption (FDE) this is implemented by the Secure Startup feature. For devices with File Based Encryption (FBE) this is implemented by the Strong Protection feature. Secure startup/Strong Protection protects the Samsung Android device by requiring the user password to be entered before the device starts up. When enabled, the default cryptographic keys are replaced with keys derived from the user password. This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation. SFR ID: FMT_SMF_EXT.1.1 #47, FIA_UAU_EXT.1.1
Checks: C-44510r680341_chk

Review Samsung Android device configuration settings to determine if the user is required to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup. Confirm if Method #1 or #2 is used for the Samsung Android device and follow the appropriate procedure. This procedure is performed on the Samsung Android device only. This setting cannot be managed by the management tool Administrator and is a UBE requirement.
**** Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup".
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> Secure Startup.
2. Verify that "Require password when device powers on" is already selected and that "Do not require" is not selected.
If on the Samsung Android device "Do not require" is selected, this is a finding.
**** Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection".
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Verify that "Strong Protection" is enabled.
If on the Samsung Android device "Strong Protection" is not enabled, this is a finding.

Fix: F-44469r680342_fix

Configure Samsung Android to require the user to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup. Do one of the following:
- Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup".
- Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection".
**** Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup".
On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Tap "Secure Startup".
3. Tap option "Require password when device powers on".
4. Tap "Apply".
5. Enter current password.
**** Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection".
Strong Protection is enabled by default. On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Tap "Strong Protection".
3. Tap to enable.
4. Enter current password.

All Samsung Android 10 installations must be removed.
CM-6 - High - CCI-000366 - V-257252 - SV-257252r916415_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
KNOX-10-999999
Vuln IDs
  • V-257252
Rule IDs
  • SV-257252r916415_rule
Samsung Android 10 is no longer supported by Samsung and therefore may contain security vulnerabilities. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-60937r916413_chk

Verify there are no installations of Samsung Android 10 at the site. If Samsung Android 10 is being used at the site, this is a finding.

Fix: F-60878r916414_fix

Remove all installations of Samsung Android 10.