Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review Samsung Android device configuration settings to determine if the mobile device is enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device password requirements section, verify the "minimum password length" is set to "6". On the Samsung Android device, do the following: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If on the management tool the "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.
Configure Samsung Android to enforce a minimum password length of six characters. On the management tool, in the device password requirements section, set the "minimum password length" to "6".
Review Samsung Android configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. **** Method #1: Require Numeric(Complex) password. On the management tool, in the device password requirements section, verify that "minimum password quality" is set to "Numeric (Complex)". On the Samsung Android device, do the following: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Enter a password with an invalid sequence and verify that text "Consecutive or repeating numbers are not allowed" is displayed above the PIN entry. If on the management tool the "minimum password quality" is not set to "Numeric (Complex)", or on the Samsung Android device the text "Consecutive or repeating numbers are not allowed" is not displayed, this is a finding. **** Method #2: Require Numeric password with KPE password constraints. On the management tool, do the following: 1. In the device password requirements section, verify the "minimum password quality" is set to "Numeric". 2. In the KPE device password section, verify that "maximum sequential characters" is "2" or less. 3. In the KPE device password section, verify that "maximum sequential numbers" is "2" or less. On the Samsung Android device, do the following: 1. Open Settings. 2. Tap "Lock screen". 3. Tap "Screen lock type". 4. Enter current password. 5. Tap "Password". 6. Verify that passwords with two or more sequential numbers are not accepted. If on the management tool "minimum password quality" is not set to "Numeric" or "maximum sequential characters" or "maximum sequential numbers" is more than "2", or on the Samsung Android device a password with two or more sequential characters or numbers is accepted, this is a finding. **** Note: Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.
Configure Samsung Android to prevent passwords from containing more than two repeating or sequential characters. Do one of the following: - Method #1: Require Numeric(Complex) password. - Method #2: Require Numeric password with KPE password constraints. **** Method #1: Require Numeric(Complex) password. On the management tool, in the device password requirements section, set the "minimum password quality" to "Numeric (Complex)". **** Method #2: Require Numeric password with KPE password constraints. On the management tool, do the following: 1. In the device password requirements section, set the "minimum password quality" to "Numeric". 2. In the KPE device password section, set the "maximum sequential numbers" to "2". **** Note: Alphabetic, Alphanumeric, and Complex are also acceptable selections but will cause the user to select a complex password, which is not required by the STIG.
Review Samsung Android configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of inactivity. This requirement is met by enforcing a secure "Screen lock type". This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device password requirements section, verify the "minimum password quality" is set to one of the following: "Something", "Numeric", "Numeric(Complex)", "Alphabetic", "Alphanumeric", or "Complex". On the Samsung Android device, do the following: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Swipe" and "None" are unavailable for selection. If on the management tool the "minimum password quality" is set to "Unspecified", or on the Samsung Android device the Screen lock types "Swipe" or "None" are available for selection, this is a finding.
Configure Samsung Android to enable a screen-lock policy that will lock the display after a period of inactivity. This requirement is met by enforcing a secure "Screen lock type". On the management tool, in the device password requirements section, set the "minimum password quality" to one of the following: "Something", "Numeric", "Numeric(Complex)", "Alphabetic", "Alphanumeric", or "Complex".
Review Samsung Android configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device password requirements section, verify the "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device, do the following: 1. Open Settings >> Display >> Screen timeout. 2. Verify that the listed Screen timeout values are 15 minutes or less. If on the management tool the "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device the listed Screen timeout values include durations of more than 15 minutes, this is a finding.
Configure Samsung Android to lock the device display after 15 minutes (or less) of inactivity. On the management tool, in the device password requirements section, set the "max time to screen lock" to "15 minutes" or less.
Review Samsung Android configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts set at 10 or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device password requirements section, verify the "max password failures for local wipe" is set to "10" attempts or less. On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> Managed device info. 2. Verify "Failed password attempts before deleting all device data" is set to "10" attempts or less. If on the management tool the "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device the "Failed password attempts before deleting all device data" is not set to "10" attempts or less, this is a finding.
Configure Samsung Android to allow only 10 or fewer consecutive failed authentication attempts. On the management tool, in the device password requirements section, set the "max password failures for local wipe" to "10" attempts or less.
Review Samsung Android configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, management tool server, and/or mobile application store). This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "installs from unknown sources" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Apps >> (Overflow menu) >> Special access >> Install unknown apps. 2. Tap (Overflow menu) >> Show system apps. 3. Ensure that each app listed has the status "Disabled" under the app name or that no apps are listed. If on the management tool "installs from unknown sources" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding. Note: Google Play must not be disabled. Disabling Google play will cause system instability and critical updates will not be received.
Configure Samsung Android to disable unauthorized application repositories. On the management tool, in the device restrictions section, set "installs from unknown sources" to "Disallow". Note: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.
Review the Samsung Android Work Environment configuration setting to determine if the mobile device has an application whitelist configured. Verify that all applications listed on the whitelist have been approved by the Approving Official (AO). This validation procedure is performed only on the management tool Administration Console. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. **** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments]. On the management tool, in the Work Environment app catalog for managed Google Play, verify that only AO-approved apps are available. If on the management tool the Work Environment app catalog for managed Google Play includes non-AO-approved apps, this is a finding. **** Method #2: Use KPE app installation whitelisting. On the management tool, in the Work Environment KPE restrictions section, verify that only AO-approved apps are listed in the "app installation whitelist". If on the management tool the Work Environment "app installation whitelist" contains non-AO-approved apps, this is a finding.
Configure Samsung Android Work Environment to use an application whitelist. The application whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. Do one of the following: - Method #1: Use managed Google Play [not available for KPE(Legacy) deployments]. - Method #2: Use KPE app installation whitelisting. **** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments]. On the management tool, in the Work Environment app catalog for managed Google Play, add each AO-approved app to be available. **** Method #2: Use KPE app installation whitelisting. On the management tool, in the Work Environment KPE restrictions section, add each AO-approved app to the "app installation whitelist". Note: Refer to the management tool documentation to determine the following: - If an application installation blacklist is also required to be configured when enforcing an "app installation whitelist"; and - If the management tool supports adding apps to the "app installation whitelist" by package name and/or digital signature or supports a combination of the two.
Review Samsung Android Work Environment configuration setting to determine if the application whitelist is configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. The application whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. This validation procedure is performed only on the management tool Administration Console. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. **** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments]. On the management tool, in the Work Environment app catalog for managed Google Play, for each approved app, verify the app details and privacy policy to ensure the app does not include prohibited characteristics. If on the management tool the Work Environment app catalog for managed Google Play includes apps with unauthorized characteristics, this is a finding. **** Method #2: Use KPE app installation whitelisting. On the management tool, in the Work Environment KPE restrictions section, for each approved app on the "app installation whitelist", review the app details and privacy policy to ensure the app does not include prohibited characteristics. If on the management tool the Work Environment "app installation whitelist" includes apps with unauthorized characteristics, this is a finding.
Configure Samsung Android Work Environment to use an application whitelist to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. The application whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. Do one of the following: - Method #1: Use managed Google Play [not available for KPE(Legacy) deployments]. - Method #2: Use KPE app installation whitelisting. **** Method #1: Use managed Google Play [not available for KPE(Legacy) deployments]. On the management tool, in the Work Environment app catalog for managed Google Play, before adding an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics. **** Method #2: Use KPE app installation whitelisting. On the management tool, in the Work Environment KPE restrictions section, before adding an app to the "app installation whitelist", review the app details and privacy policy to ensure the app does not include prohibited characteristics. Note: Refer to the management tool documentation to determine the following: - If an application installation blacklist is also required to be configured when enforcing an "app installation whitelist"; and - If the management tool supports adding apps to the "app installation whitelist" by package name and/or digital signature or supports a combination of the two.
Review Samsung Android configuration settings to determine if all Bluetooth profiles are disabled except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. Confirm if Method #1, #2, or #3 is used at the Samsung device site and follow the appropriate procedure. Method #2 or #3 must be used if the management tool supports management of Bluetooth profiles. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: AO decision: Allow Bluetooth and train users to connect only authorized Bluetooth devices. On the management tool, in the device restrictions section, verify "Bluetooth" is set to "Allow". On the Samsung Android device, do the following: 1. Open Settings >> Connections >> Bluetooth. 2. Verify only Bluetooth devices that use DoD-approved profiles are listed. If on the management tool "Bluetooth" is not set to "Allow", or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding. **** Method #2: AO decision: Disallow use of Bluetooth. On the management tool, in the device restrictions section, verify that "Bluetooth" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Connections >> Bluetooth. 2. Verify that Bluetooth is "Off" and cannot be toggled to "On". If on the management tool "Bluetooth" is not set to "Disallow", or on the Samsung Android device Bluetooth is not "Off" or can be toggled "On", this is a finding. **** Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles. On the management tool, in the device KPE Bluetooth section, verify that only DoD-approved profile UUIDs are listed in the "Bluetooth UUID whitelist": - HFP (HFP_AG_UUID, HFP_UUID) - HSP (HSP_AG_UUID, HSP_UUID) - SPP (SPP_UUID) - A2DP (A2DP_ADVAUDIODIST_UUID, A2DP_AUDIOSINK_UUID, A2DP_AUDIOSOURCE_UUID) - AVRCP (AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID) - PBAP (PBAP_PSE_UUID, PBAP_UUID) On the Samsung Android device, do the following: 1. Open Settings >> Connections >> Bluetooth. 2. Verify only Bluetooth devices that use DoD-approved profiles are listed. If on the management tool the "Bluetooth UUID whitelist" contains non-DoD-approved profile UUIDs, or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding.
Configure Samsung Android to disable all Bluetooth profiles except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. Do one of the following (Method #2 or #3 must be used if the management tool supports management of Bluetooth profiles): - Method #1: AO decision: Allow Bluetooth and train users to connect only authorized Bluetooth devices. - Method #2: AO decision: Disallow use of Bluetooth. - Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles. **** Method #1: AO decision: Allow Bluetooth and train users to connect only authorized Bluetooth devices. On the management tool, in the device restrictions section, set "Bluetooth" to "Allow". Note: Training is covered in KNOX-10-009900. **** Method #2: AO decision: Disallow use of Bluetooth. On the management tool, in the device restrictions section, set "Bluetooth" to "Disallow". **** Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles. On the management tool, in the device KPE Bluetooth section, add each DoD-approved profile UUID to the "Bluetooth UUID whitelist": - HFP (HFP_AG_UUID, HFP_UUID) - HSP (HSP_AG_UUID, HSP_UUID) - SPP (SPP_UUID) - A2DP (A2DP_ADVAUDIODIST_UUID, A2DP_AUDIOSINK_UUID, A2DP_AUDIOSOURCE_UUID) - AVRCP (AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID) - PBAP (PBAP_PSE_UUID, PBAP_UUID)
Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE). On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow". For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> Lock screen. 2. Verify that "Notifications" are disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding. **** Method #2: Use KPE notification sanitization for notifications (COPE only). On the management tool, in the Work Environment KPE RCP section, verify that "Show detailed notifications" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. If on the management tool "Show detailed notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.
Configure Samsung Android to not display (Work Environment) notifications when the device is locked. Do one of the following: - Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE). - Method #2: Use KPE notification sanitization for notifications (COPE only). **** Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE). On the management tool, in the Work Environment restrictions section, set "Unredacted Notifications" to "Disallow". **** Method #2: Use KPE notification sanitization for notifications (COPE only). On the management tool, in the Work Environment KPE RCP section, set "Show detailed notifications" to "Disallow".
If the mobile device does not support removable media, this requirement is not applicable. Review Samsung Android configuration settings to determine if data in the mobile device is removable storage media is encrypted, or alternatively, the use of removable storage media is disabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Disable SD card (if not using SD card). On the management tool, in the device restrictions section, verify that "SD Card" is set to "Disable". On the Samsung Android device, verify that a Micro SD card cannot be mounted. If on the management tool "SD Card" is not set to "Disable", or on the Samsung Android device a microSD card can be mounted, this is a finding. **** Method #2: Enable data-at-rest protection. On the management tool, in the device KPE encryption section, verify that "External storage encryption" is set to "Enable". On the Samsung Android device, do the following: 1. Insert a freshly formatted microSD card. 2. Verify that a prompt appears to encrypt the microSD card. 3. Perform the encryption. 4. Remove and reinsert the microSD card and verify that a notification appears stating that the mounted microSD card is encrypted. If on the management tool "External storage encryption" is not set to "Enable", or on the Samsung Android device a microSD card can be used without first being encrypted, this is a finding.
Configure Samsung Android to enable data-at-rest protection for removable media, or alternatively, disable the use of removable storage media. Do one of the following: - Method #1: Disable SD card (if not using SD card). - Method #2: Enable data-at-rest protection. **** Method #1: Disable SD card (if not using SD card). On the management tool, in the device restrictions section, set "SD Card" to "Disable". **** Method #2: Enable data-at-rest protection. On the management tool, in the device KPE encryption section, set "External storage encryption" to "Enable".
Review Samsung Android configuration settings to determine if Trust Agents are disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Trust Agents" are set to "Disable". On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents. 2. Verify that all listed Trust Agents are disabled and cannot be enabled. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" can be enabled, this is a finding.
Configure Samsung Android to disable Trust Agents. On the management tool, in the device restrictions section, set "Trust Agents" to "Disable".
Review Samsung Android configuration settings to determine if Face Recognition is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Face" is set to "Disable". On the Samsung Android device, do the following: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Face" is disabled and cannot be enabled. If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.
Configure the Samsung Android to disable Face Recognition. On the management tool, in the device restrictions section, set "Face" to "Disable".
Review Samsung Android configuration settings to determine whether a developer mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. For KPE(Legacy) COPE deployments, this configuration is the default configuration. If the management tool does not provide the capability to enable/disable "debugging features", there is NO finding because the default setting cannot be changed. On the management tool, in the device restrictions section, verify that "Debugging Features" is set to "Disallow". On the Samsung Android device, do the following: 1. Open "Settings". 2. Verify "Developer options" is not listed. If on the management tool "Debugging Features" is not set to "Disallow" or on the Samsung Android device "Developer options" is listed, this is a finding.
Configure Samsung Android to disable developer modes. For KPE(Legacy) COPE deployments this configuration is the default configuration. No configuration required. On the management tool, in the device restrictions section, set the "Debugging Features" to "Disallow".
Confirm if Method #1, #2, or #3 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Review the signed user agreements for several Samsung Android device users and verify that the agreement includes the required DoD warning banner text. If the required DoD warning banner text is not included in all reviewed signed user agreements, this is a finding. **** Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, verify that "Lock Screen Message" is set to the DoD-mandated warning banner text. On the Samsung Android device, verify that the required DoD warning banner text is displayed on the Lock screen. If on the management tool "Lock Screen Message" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed on the Lock screen, this is finding. **** Method #3: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device. On the management tool, in the device KPE Banner section, verify that "Banner Text" is set to the DoD-managed warning banner text. On the Samsung Android device, verify that after a reboot the required DoD warning banner text is displayed. If on the management tool "Banner Text" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed after a reboot, this is finding.
Configure the DoD warning banner by either of the following methods (required text is found in the Discussion): Do one of the following: - Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). - Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device. - Method #3: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device. **** Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). **** Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, set "Lock Screen Message" to the DoD-mandated warning banner text. **** Method #3: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device. On the management tool, in the device KPE Banner section, set "Banner Text" to the DoD-managed warning banner text.
Review Samsung Android configuration settings to determine if the mobile device has a USB mass storage mode and if it has been disabled. For KPE(AE) deployments this configuration is the default configuration. If the management tool does not provide the capability to configure "USB file transfer", there is NO finding because the default setting cannot be changed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow". On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files. If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.
Configure Samsung Android to disable USB mass storage mode. For KPE(AE) deployments this configuration is the default configuration. No configuration is required. On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".
Review Samsung Android configuration settings to determine if the capability to back up to a locally connected system has been disabled. Disabling backup to locally connected systems is implemented by the configuration policy rule "USB file transfer", which is included in KNOX-10-003400. For KPE(AE) deployments this configuration is the default configuration. If the management tool does not provide the capability to configure "USB file transfer", there is NO finding because the default setting cannot be changed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow". On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files. If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.
Configure Samsung Android to disable backup to locally connected systems. For KPE(AE) deployments this configuration is the default configuration. No configuration is required. Disabling backup to locally connected systems is implemented by the configuration policy rule "USB file transfer", which is included in KNOX-10-003400. On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".
Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled. This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default. This validation procedure is applicable to COBO only. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Backup service" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Accounts and backup >> Backup and restore. 2. Verify that "Backup service not available" is listed. If on the management tool "Backup service" is not set to "Disallow", or on the Samsung Android device "Backup service not available" is not listed, this is a finding.
Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (device management backup). This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default. This guidance is applicable to COBO only. On the management tool, in the Work Environment restrictions section, set "Backup service" to "Disallow".
Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: AE Account management On the management tool, in the Work Environment restrictions section, verify that "Account Management" is set to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync. For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Accounts. 2. Verify that accounts are grayed out, or an account cannot be added. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> Accounts and backup >> Accounts. 2. Verify that accounts are grayed out, or an account cannot be added. If on the management tool "Account Management" is not set to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync, or on the Samsung Android device an account can be added, this is a finding. **** Method #2: KPE Account Addition Blacklist On the management tool, do the following: 1. In the Work Environment KPE Account section, verify that "Account Addition Blacklist" is set to "Blacklist all" for: Samsung accounts and Google accounts. 2. In the Work Environment, verify that no App that uses accounts for data backup/sync is approved. For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Accounts 2. Verify that is accounts are grayed out, or an account cannot be added. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> Accounts and backup >> Accounts 2. Verify that is accounts are grayed out, or an account cannot be added. If on the management tool "Account Addition Blacklist" is not set to "Blacklist all" for Samsung accounts and Google accounts, or on the Samsung Android device an account can be added, this is a finding.
Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (account management backup). Do one of the following: - Method #1: AE Account management - Method #2: KPE Account Addition Blacklist **** Method #1: AE Account management On the management tool, in the Work Environment restrictions section, set "Account Management" to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync. **** Method #2: KPE Account Addition Blacklist On the management tool, do the following: 1. in the Work Environment KPE Account section, set "Account Addition Blacklist" to "Blacklist all" for Samsung accounts and Google accounts. 2. In the Work Environment, do not approve any app that uses accounts for data backup/sync.
Review Samsung Android configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a pre-shared key. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device KPE restrictions section, verify that "Unsecured hotspot" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot >> (overflow menu) >> Configure Mobile Hotspot. 2. Tap option "Open" in the "Security" drop-down box. 3. Verify that "Save" is disabled. If on the management tool "Unsecured hotspot" is not set to "Disallow", or on the Samsung Android device "Open" can be selected in the "Security" drop-down box and the configuration can be saved, this is a finding.
Configure Samsung Android to enable authentication of personal hotspot connections to the device using a pre-shared key. On the management tool, in the device KPE restrictions section, set "Unsecured hotspot" to "Disallow".
Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable only to COPE only. This procedure is performed on the management tool Administration console only. This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed. On the management tool, in the Work Environment KPE RCP section, verify "Move files to personal" is set to "Disallow". If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding. If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.
Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only. The configuration of "Move files to personal" is the default required configuration. No configuration is required. On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow". Note: "Move files to workspace" may be configured if there is a DoD mission need for this feature.
Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the sharing of clipboard data from the Work Environment to the Personal Environment is disabled and is applicable to COPE only. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: KPE RCP Sync On the management tool, in the Work Environment KPE RCP section, verify that "Sharing clipboard to personal" is set to "Disallow". On the Samsung Android device, do the following: 1. Using any Work Environment app, copy text to the clipboard. 2. Using any Personal Environment app, verify that the clipboard text cannot be pasted. If on the management tool the "Sharing clipboard to personal" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding. **** Method #2: AE Restriction On the management tool, in the Work Environment restrictions section, set "Cross profile copy/paste" to "Disallow". On the Samsung Android device, do the following: 1. Using any Work Environment app, copy text to the clipboard. 2. Using any Personal Environment app, verify that the clipboard text cannot be pasted. If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding.
Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the sharing of clipboard data from the Work Environment to the Personal Environment and is applicable to COPE only. Do one of the following: - Method #1: KPE RCP Sync - Method #2: AE Restriction **** Method #1: KPE RCP Sync On the management tool, in the Work Environment KPE RCP section, set "Sharing clipboard to personal" to "Disallow". **** Method #2: AE Restriction On the management tool, in the Work Environment restrictions section, set "Cross profile copy/paste" to "Disallow".
Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that Calendar events created in the Work Environment are disallowed from being displayed in the Personal Environment Calendar and is applicable to COPE only. This procedure is performed on the management tool Administration console only. On the management tool, in the Work Environment KPE RCP section, verify that "Sync calendar to personal" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Notifications and data. 2. Verify that "Export to personal calendar" is disabled and cannot be enabled. If on the management tool the "Sync calendar to personal" is not set to "Disallow", or on the Samsung Android device "Export to personal calendar" is enabled or can be enabled, this is a finding.
Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disallowing Calendar events created in the Work Environment from being displayed in the Personal Environment Calendar and is applicable to COPE only. On the management tool, in the Work Environment KPE RCP section, set "Sync calendar to personal" to "Disallow".
Review Samsung Android configuration settings to determine if multi-user mode is disabled. KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device KPE Multiuser section, verify that "Multi-user mode" is set to "Disallow". On the Samsung Android device, open Settings and verify that the "User" setting is not listed. If on the management tool "Multi-user mode" is not set to "Disallow", or on the Samsung Android device the "User" setting is available, this is a finding.
Configure Samsung Android to disable multi-user modes. KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met. On the management tool, in the device KPE Multiuser section, set "Multi-user mode" to "Disallow".
Verify requirement KNOX-10-010800 (CC Mode) has been implemented. If CC Mode has not been implemented, this is a finding.
Verify CC Mode has been implemented (see requirement KNOX-10-010800).
Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: AE Account management On the management tool, do the following: 1. in the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app. 2. Provision the user's email account on their behalf. For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Accounts. 2. Verify that no account can be added. 3. Verify that the user's work email app has been provisioned with the work email account. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> Accounts and backup >> Accounts. 2. Verify that no account can be added. 3. Verify that the user's Work email app has been provisioned with the work email account. If on the management tool "Account Management" is not set to "Disable" for the Work email app, or on the Samsung Android device an account can be added, this is a finding. **** Method #2: KPE Account Addition Blacklist. On the management tool, do the following: 1. in the Work Environment KPE Account section, set "Account Addition Blacklist" to "Blacklist all" for: Work email app. 2. Provision the user's email account on their behalf. For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Accounts. 2. Verify that no account cannot be added. 3. Verify that the user's work email app has been provisioned with the work email account. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> Accounts and backup >> Accounts. 2. Verify that no account cannot be added. 3. Verify that the user's work email app has been provisioned with the work email account. If on the management tool "Account Addition Blacklist" is not set to "Blacklist all" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.
Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app. Refer to the management tool documentation to determine how to provision users’ work email accounts for the work email app. Do one of the following: - Method #1: AE Account management - Method #2: KPE Account Addition Blacklist **** Method #1: AE Account management On the management tool, do the following: 1. In the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app. 2. Provision the user's email account on their behalf. **** Method #2: KPE Account Addition Blacklist On the management tool, do the following: 1. In the Work Environment KPE Account section, set "Account Addition Blacklist" to "Blacklist all" for: Work email app. 2. Provision the user's email account on their behalf.
Review Samsung Android Personal Environment configuration settings to determine if the system application disable list is enforced. This procedure is only for the Personal Environment of a COPE deployment. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: KPE(AE) enrollment The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment. On the management tool, verify that the "core app white list" contains only approved core and preinstalled apps. On the Samsung Android device, review the Personal Environment apps and confirm that apps listed in the “System Apps for disablement" table in the Supplemental document are not present. If on the management tool the "core app white list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding. **** Method #2: KPE system app disable list On the management tool, in the Personal Environment KPE application section, verify that the “system app disable list” contains all apps that have not been approved for DoD use by the Authorizing Official (AO). On the Samsung Android device, review the Personal Environment apps and confirm that none of the apps listed in the “system app disable list” are present. If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.
Configure the Samsung Android device to enforce the system application disable list. Refer to the “System Apps for disablement" table in the Supplemental document. This guidance is only for the Personal Environment of a COPE deployment. Do one of the following: - Method #1: KPE(AE) enrollment - Method #2: KPE system app disable list **** Method #1: KPE(AE) enrollment The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool, configure a list of approved Google core and preinstalled apps in the core app white list. **** Method #2: KPE system app disable list On the management tool, in the Personal Environment KPE application section, add all non-AO-approved system app packages to the "system app disable list".
Review Samsung Android Work Environment configuration settings to determine if the system application disable list is enforced. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: KPE(AE) enrollment The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment. On the management tool, verify that the Work Environment "core app white list" contains only approved core and preinstalled apps. On the Samsung Android device, review the Work Environment apps and confirm that apps listed in the "System Apps for disablement" table in the Supplemental document are not present. If on the management tool the "core app white list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding. **** Method #2: KPE system app disable list On the management tool, in the Work Environment KPE application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO). On the Samsung Android device, review the Work Environment apps and confirm that none of the apps listed in the “system app disable list” are present. If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.
Configure Samsung Android Work Environment to enforce the system application disable list. Refer to the “System Apps for disablement" table in the Supplemental document. Do one of the following: - Method #1: KPE(AE) enrollment - Method #2: KPE system app disable list **** Method #1: KPE(AE) enrollment The required configuration is the default configuration when the device is enrolled as a KPE(AE) deployment. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool, configure a list of approved Google core and preinstalled apps in the core app white list. **** Method #2: KPE system app disable list On the management tool, in the Work Environment KPE application section, add all non-AO-approved system app packages to the "system app disable list".
Review Samsung Android device configuration settings to confirm that Audit logging is enabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on the management tool Administration Console only. **** Method #1: KPE Audit logging On the management tool, for the device KPE audit log section, verify that "Audit log" is set to "Enable". If on the management tool the "Audit log" is not set to "Enable", this is a finding. **** Method #2: AE Audit logging On the management tool, do the following: 1. In the device restrictions section, verify that "Security logging" is set to "Enable". 2. In the device restrictions section, verify that "Network logging" is set to "Enable". If on the management tool both "Security logging" and "Network logging are not set to "Enable", this is a finding.
Configure Samsung Android to enable audit logging. Do one of the following: - Method #1: KPE Audit logging - Method #2: AE Audit logging **** Method #1: KPE Audit logging On the management tool, in the device KPE audit log section, set "Audit log" to "Enable". **** Method #2: AE Audit logging On the management tool, do the following: 1. In the device restrictions section, set "Security logging" to "Enable". 2. In the device restrictions section, set "Network logging" to "Enable".
Review Samsung Android device configuration settings to confirm that the device is enrolled in a DoD-approved use case. Confirm if Method #1, #2, #3, or #4 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Fully managed with work profile [KPE(AE) COPE deployment] On the management tool, verify that the default enrollment is set to "Fully managed with work profile". On the Samsung Android device, do the following: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. 3. Go to the app drawer. 4. Verify that a "Personal" and "Work" tab are present. If on the management tool the default enrollment is not set as "Fully managed with work profile", or on the Samsung Android device the "Personal" and "Work" tabs are not present, or the management tool Agent is not listed, this is a finding. **** Method #2: Legacy managed with Legacy Workspace [KPE(Legacy) COPE deployment] On the management tool, verify that the default enrollment is set to "Legacy managed with Legacy Workspace". On the Samsung Android device, do the following: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. 3. Go to the app drawer. 4. Verify that a "Personal" and "Workspace" tab are present. If on the management tool the default enrollment is not set as "Legacy managed with Legacy Workspace", or on the Samsung Android device the "Personal" and "Work" tabs are not present, or the management tool Agent is not listed, this is a finding. **** Method #3: Fully managed [KPE(AE) COBO deployment] On the management tool, verify that the default enrollment is set as "Fully managed". On the Samsung Android device, do the following: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. If on the management tool the default enrollment is not set as "Fully managed", or the management tool Agent is not listed, this is a finding. **** Method #4: Legacy managed [KPE(Legacy) COBO deployment] On the management tool, verify that the default enrollment is set as "Legacy managed". On the Samsung Android device, do the following: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. If on the management tool the default enrollment is not set as "Legacy managed", or the management tool Agent is not listed, this is a finding.
Enroll the Samsung Android device in a DoD-approved use case. Do one of the following: - Method #1: Fully managed with work profile [KPE(AE) COPE deployment] - Method #2: Legacy managed with Legacy Workspace [KPE(Legacy) COPE deployment] - Method #3: Fully managed [KPE(AE) COBO deployment] - Method #4: Legacy managed [KPE(Legacy) COBO deployment] **** Method #1: Fully managed with work profile [KPE(AE) COPE deployment] On the management tool, configure the default enrollment as "Fully managed with work profile". **** Method #2: Legacy managed with Legacy Workspace [KPE(Legacy) COPE deployment] On the management tool, configure the default enrollment as "Legacy managed with Legacy Workspace". **** Method #3: Fully managed [KPE(AE) COBO deployment] On the management tool, configure the default enrollment as "Fully managed". **** Method #4: Legacy managed [KPE(Legacy) COBO deployment] On the management tool, configure the default enrollment as "Legacy managed". **** Refer to the management tool documentation to determine how to configure the device enrollment.
Review a sample of site User Agreements of Samsung device users or similar training records and training course content. Verify that Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.
Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record. Training topics: - Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking. - Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Samsung device: 1. Secure use of Calendar Alarm. 2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use). 3. Do not connect Samsung devices (either via DeX Station or dongle) to any DoD network via Ethernet connection. 4. Do not upload DoD contacts via smart call and caller ID services. 5. Disable Wi-Fi Sharing. 6. Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space. - AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.
Review Samsung Android Work Environment configuration settings to determine if autofill services are disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. This policy cannot be enforced on a KPE(Legacy) deployment. On the management tool, in the Work Environment restrictions section, verify that "Autofill services" is set to "Disallow". For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> More settings >> Keyboard and input. 2. Verify that "Autofill service" is not present. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> General management >> Language and input. 2. Verify that "Autofill service" is not present. If on the management tool "Autofill services" is not set to "Disallow", or on the Samsung Android device "Autofill service" is present, this is a finding.
Configure the Samsung Android Work Environment to disable autofill services. This policy cannot be enforced on a KPE(Legacy) deployment. On the management tool, in the Work Environment restrictions section, set "Autofill services" to "Disallow".
Review Samsung Android configuration settings to determine if KPE CC Mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device KPE restrictions section, verify that "CC mode" is set to "Enable". On the Samsung Android device, put the device into "Download mode" and verify that the text "Blocked by CC Mode" is displayed on the screen. If on the management tool "CC mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.
Configure Samsung Android to enable KPE CC Mode. On the management tool, in the device KPE restrictions section, set "CC mode" to "Enable".
Review Samsung Android configuration settings to determine if the configuration of the date and time is disallowed. Confirm if Method #1, #2, or #3 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Restrict user from configuring time. On the management tool, in the device restrictions section, verify that "Config Date Time" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> General management >> Date and time. 2. Verify that "Automatic data and time" is on and the user cannot disable it. If on the management tool "Config Date Time" is not set to "Disallow", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding. **** Method #2: Require Auto Time. On the management tool, in the device restrictions section, verify that "Set auto (network) time required" is set to "Required". On the Samsung Android device, do the following: 1. Open Settings >> General management >> Date and time. 2. Verify that "Automatic data and time" is on and the user cannot disable it. If on the management tool "Set auto (network) time required" is not set as "Required", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding. **** Method #3: Disable Date/Time change (KPE). On the management tool, in the device KPE Date Time section, verify that "Date Time Change" is set to "Disable". On the Samsung Android device, do the following: 1. Open Settings >> General management >> Date and time. 2. Verify that "Automatic data and time" is on and the user cannot disable it. If on the management tool "Date Time Change" is not set to "Disable", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.
Configure Samsung Android to disallow configuration of the date and time. Do one of the following: - Method #1: Restrict user from configuring time. - Method #2: Require Auto Time. - Method #3: Disable Date/Time change (KPE). **** Method #1: Restrict user from configuring time. On the management tool, in the device restrictions section, set "Config Date Time" to "Disallow". **** Method #2: Require Auto Time. On the management tool, in the device restrictions section, set "Set auto (network) time required" to "Required". **** Method #3: Disable Date/Time change (KPE). On the management tool, in the device KPE Date Time section, set "Date Time Change" to "Disable". Note: Each method uses a different API to accomplish the same result. Any of the methods are acceptable.
Review Samsung Android device configuration settings to determine if USB host mode exception list is configured, or alternatively, if USB host mode is disabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Use USB exception list, which allows DeX usage (preferred). On the management tool, in the device KPE restrictions section, verify that "HID" is the only USB class included in the "USB host mode exception list". On the Samsung Android device, do the following: 1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device. 2. Connect a USB thumb drive to the adapter. 3. Verify that the device cannot access the USB thumb drive. If on the management tool the "USB host mode exception list" includes a USB class other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding. **** Method #2: Disable USB host mode. On the management tool, in the device KPE restrictions section, set "USB host mode" to "Disable". On the Samsung Android device, do the following: 1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device. 2. Connect a USB thumb drive to the adapter. 3. Verify that the device cannot access the USB thumb drive. If on the management tool the "USB host mode" is not set to "Disable", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.
Configure Samsung Android with a USB host mode exception list, or alternatively, disable the use of USB host mode. Do one of the following: - Method #1: Use USB exception list, which allows DeX usage (preferred). - Method #2: Disable USB host mode. **** Method #1: Use USB exception list, which allows DeX usage (preferred). On the management tool, in the device KPE restrictions section, add the "HID" USB class to the "USB host mode exception list". **** Method #2: Disable USB host mode. On the management tool, in the device KPE restrictions section, set "USB host mode" to "Disable".
Review Samsung Android Work Environment configuration settings to determine if Share Via List is disallowed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment KPE restrictions section, verify that "Share Via List" is set to "Disallow". On the Samsung Android device, attempt to share by long pressing a file in the Work Environment and tapping "Share". If on the management tool "Share Via List" is not set to "Disallow", or on the Samsung Android device the user is able to share, this is a finding.
Configure Samsung Android Work Environment to disallow Share Via List. On the management tool, in the Work Environment KPE restrictions section, set "Share Via List" to "Disallow". Note: Disabling Share Via List will also disable functionality such as Gallery Sharing and Direct Sharing.
Review Samsung Android Work Environment configuration settings to verify that outgoing beam is disallowed. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This validation procedure is applicable to COBO only. This procedure is performed on both the MDM Administration console and the Samsung Android device. On the MDM console, in the Work Environment restrictions section, verify that "disallow outgoing beam" is selected. On the Samsung Android device, open a picture, contact, or web page and put it back to back with an unlocked outgoing beam-enabled device. Verify that outgoing beam cannot be started. If on the MDM console "outgoing beam" is not set to "disallow", or on the Samsung Android device the user is able to successfully start outgoing beam, this is a finding.
Configure Samsung Android to disallow outgoing beam. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This guidance is applicable to COBO only. On the MDM console, in the Work Environment restrictions section, set "outgoing beam" to "disallow".
Review Samsung Android device configuration settings to confirm that Wi-Fi Sharing is disabled. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been verified as disabled on the management tool, the following guidance is not applicable. This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement. On the Samsung Android device, do the following: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. 2. Verify that “Wi-Fi sharing” is disabled. If on the Samsung Android device “Wi-Fi sharing” is enabled, this is a finding.
Configure Samsung Android to disable Wi-Fi Sharing. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the management tool, the following guidance is not applicable. On the Samsung Android device, do the following: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. 2. Disable “Wi-Fi sharing” if it is enabled.
Review Samsung Android Work Environment configuration settings to determine if Certificate Revocation checking is enabled. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on the management tool Administration Console only. **** Method #1: CRL checking On the management tool, in the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps". If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding. **** Method #2: OCSP with CRL fallback On the management tool, do the following: 1. In the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps". 2. In the Work profile KPE restrictions section, verify that "OCSP check" is set to "enable for all apps". If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.
Configure Samsung Android Work Environment to enable Certificate Revocation checking. Do one of the following: - Method #1: CRL checking - Method #2: OCSP with CRL fallback **** Method #1: CRL checking On the management tool, in the Work profile KPE certificate section, set "Revocation check" to "enable for all apps". Refer to the management tool documentation to determine how to configure Revocation checking to "enable for all apps". Some may, for example, allow a wildcard string: "*". **** Method #2: OCSP with CRL fallback On the management tool, do the following: 1. In the Work profile KPE certificate section, set "Revocation check" to "enable for all apps". 2. In the Work profile KPE restrictions section, set "OCSP check" to "enable for all apps". Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".
Review Samsung Android Work Environment configuration settings to determine if the DoD root and intermediate PKI certificates are installed. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet). **** Method #1: Use AE Key management. On the management tool, in the Work Environment certificate section, verify that the DoD root and intermediate PKI certificates are installed. On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment. If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding. **** Method #2: Use KPE Key management. On the management tool, in the Work Environment KPE certificate section, verify that the DoD root and intermediate PKI certificates are installed. On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment. If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding.
Configure the Samsung Android Work Environment to install DoD root and intermediate PKI certificates. Do one of the following: - Method #1: Use AE Key management. - Method #2: Use KPE Key management. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet). **** Method #1: Use AE Key management. On the management tool, in the Work Environment certificate section, install the DoD root and intermediate PKI certificates. **** Method #2: Use KPE Key management. On the management tool, in the Work Environment KPE certificate section, install the DoD root and intermediate PKI certificates.
Review Samsung Android Work Environment configuration settings to determine if the user is unable to remove DoD root and intermediate PKI certificates. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Disallow user from configuring any credential. On the management tool, in the Work Environment restrictions section, verify that "Config credentials" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted. 3. In the User tab, verify that no listed certificate in the Work Environment can be removed. If on the management tool the device "Config credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding. **** Method #2: Disallow user from removing certificates. On the management tool, in the device KPE restrictions section, verify "User Remove Certificates" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted. 3. In the User tab, verify that no listed certificate in the Work Environment can be removed. If on the management tool the device "User Remove Certificates" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.
Configure Samsung Android Work Environment to prevent a user from removing DoD root and intermediate PKI certificates. Do one of the following: - Method #1: Disallow user from configuring any credential. - Method #2: Disallow user from removing certificates. **** Method #1: Disallow user from configuring any credential. On the management tool, in the Work Environment restrictions section, set "Config credentials" to "Disallow". **** Method #2: Disallow user from removing certificates. On the management tool, in the Work Environment KPE restrictions section, set "User Remove Certificates" to "Disallow".
Review Samsung Android device configuration settings to confirm that the most recently released version of Samsung Android is installed. This procedure is performed on both the management tool and the Samsung Android device. In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. See the notes below to determine the latest available OS version. On the Samsung Android device, to see the installed OS version: 1. Open Settings. 2. Tap "About phone". 3. Tap "Software information". If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding. Note: Some wireless carriers list the version of the latest Android OS release by mobile device model online: ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung T-Mobile: https://support.t-mobile.com/docs/DOC-34510 Verizon Wireless: https://www.verizonwireless.com/support/software-updates/ Google Android OS patch website: https://source.android.com/security/bulletin/ Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb
Install the latest released version of Samsung Android OS on all managed Samsung devices. Note: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).
Review Samsung Android device configuration settings to determine if the user is required to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup. Confirm if Method #1 or #2 is used for the Samsung Android device and follow the appropriate procedure. This procedure is performed on the Samsung Android device only. This setting cannot be managed by the management tool Administrator and is a UBE requirement. **** Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup". On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings >> Secure Startup. 2. Verify that "Require password when device powers on" is already selected and that "Do not require" is not selected. If on the Samsung Android device "Do not require" is selected, this is a finding. **** Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection". On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings. 2. Verify that "Strong Protection" is enabled. If on the Samsung Android device "Strong Protection" is not enabled, this is a finding.
Configure Samsung Android to require the user to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup. Do one of the following: - Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup". - Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection". **** Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup". On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings. 2. Tap "Secure Startup". 3. Tap option "Require password when device powers on". 4. Tap "Apply". 5. Enter current password. **** Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection". Strong Protection is enabled by default. On the Samsung Android device, do the following: 1. Open Settings >> Biometrics and security >> Other security settings. 2. Tap "Strong Protection". 3. Tap to enable. 4. Enter current password.
Verify there are no installations of Samsung Android 10 at the site. If Samsung Android 10 is being used at the site, this is a finding.
Remove all installations of Samsung Android 10.