Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Samsung Android OS 5 with Knox 2.0 Security Technical Implementation Guide

  • Version/Release: V1R3
  • Published: 2016-02-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
All mobile operating system cryptography supporting DoD functionality must be FIPS 140-2 validated.
SC-13 - Medium - CCI-001145 - V-61153 - SV-75633r1_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-001145
Version
KNOX-30-000100
Vuln IDs
  • V-61153
Rule IDs
  • SV-75633r1_rule
Unapproved cryptographic algorithms cannot be relied upon to provide confidentiality or integrity, and DoD data could be compromised as a result. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS 140-2 validation is also a strict requirement for use of cryptography in the Federal Government for protecting unclassified data. SFR ID: FCS
Checks: C-62109r1_chk

Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.

Fix: F-67013r1_fix

Configure the mobile operating system to use a FIPS 140-2 validated cryptographic module. Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.

c
The Samsung Knox for Android platform must protect data at rest on built-in storage media.
SC-28 - High - CCI-001199 - V-61157 - SV-75637r1_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
KNOX-30-004400
Vuln IDs
  • V-61157
Rule IDs
  • SV-75637r1_rule
The MOS must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #25
Checks: C-62113r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Storage Encryption" check box in the "Android Restrictions" rule. (**) 2. Verify the "Storage Encryption" check box is selected. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed. 4. Select "Encrypt external SD card". 5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen. Note: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen. If the specified encryption settings are not set to the appropriate values, this is a finding. (**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.

Fix: F-67017r3_fix

Configure the MOS to enable data-at-rest protection for built-in storage media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, check the "Storage Encryption" check box in the "Android Restrictions" rule.

c
The Samsung Knox for Android platform must protect data at rest on removable storage media.
SC-28 - High - CCI-001199 - V-61159 - SV-75639r1_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
KNOX-30-004410
Vuln IDs
  • V-61159
Rule IDs
  • SV-75639r1_rule
The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #26
Checks: C-62115r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Storage Encryption" and "External Storage Encryption" check box in the "Android Restrictions" rule. (**) 2. Verify the "Storage Encryption" and "External Storage Encryption" check box are selected. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed. 4. Select "Encrypt external SD card". 5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen. Note: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen. If the specified encryption settings are not set to the appropriate values, this is a finding. (**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.

Fix: F-67019r1_fix

Configure the MOS to enable data-at-rest protection for removable media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, select the "Storage Encryption" and "External Storage Encryption" check box in the "Android Restrictions" rule.

a
The Samsung Knox for Android platform must enforce a minimum password length of 6 characters.
IA-5 - Low - CCI-000205 - V-61161 - SV-75641r1_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000205
Version
KNOX-34-008700
Vuln IDs
  • V-61161
Rule IDs
  • SV-75641r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #01a
Checks: C-62117r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen". 3. Select "Screen lock". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password with fewer characters than the required length. 7. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length or if device accepts a password of less than the required length, this is a finding. (**) When device encryption is enabled, Samsung Knox for Android automatically enforces a minimum length 6.

Fix: F-67021r1_fix

Configure the MOS to enforce a minimum password length of 6 characters. On the MDM Administration Console, set the "Min Length" value to 6 or greater in the "Android Password Restrictions" rule. (**) When device encryption is enabled (always enabled by the DoD configuration), Samsung Knox for Android automatically enforces a minimum length 6.

a
The Samsung Knox for Android platform must not allow more than 10 consecutive failed authentication attempts.
AC-7 - Low - CCI-000044 - V-61163 - SV-75643r1_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-000044
Version
KNOX-34-008900
Vuln IDs
  • V-61163
Rule IDs
  • SV-75643r1_rule
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #02
Checks: C-62119r1_chk

This validation procedure is performed only on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password. 2. Verify the value of the setting is 10 or less. This configuration is not available on the Samsung Knox for Android device. If the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password is not set to 10 or less, this is a finding.

Fix: F-67023r1_fix

Configure the MOS to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to 10 or less in the "Android Password Restrictions" rule for the device unlock password.

b
The Samsung Knox for Android platform must lock the display after 15 minutes (or less) of inactivity.
AC-11 - Medium - CCI-000057 - V-61165 - SV-75645r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
KNOX-34-012100
Vuln IDs
  • V-61165
Rule IDs
  • SV-75645r1_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #01b
Checks: C-62121r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Password Restrictions" rule. 2. Verify the value of the setting is 15 minutes or less. On the Samsung Knox for Android device: 1. Unlock the device. 2. Refrain from performing any activity on the device for 15 minutes. 3. Verify the device requires the user to enter the device unlock password to access the device. Note: Max time to lock is the sum of the display screen timeout and the lock screen delay on the device. On MDM configuration, the device makes a choice for these settings so that the sum is 15 minutes or less. If the user does not have to unlock the device after 15 minutes of inactivity, this is a finding.

Fix: F-67025r1_fix

Configure the MOS to lock the device display after 15 minutes (or less) of inactivity. On the MDM Administration Console, configure the "Max Time to Lock" option to 15 minutes in the "Android Password Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Lock the container display after 15 minutes (or less) of inactivity.
CM-6 - Medium - CCI-000366 - V-61167 - SV-75647r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-34-012110
Vuln IDs
  • V-61167
Rule IDs
  • SV-75647r1_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate, depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62123r1_chk

This check procedure is performed on both the MDM Administration Console and the Samsung Knox device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is the organization-defined value (15 min) or less. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Refrain from using the Knox Container for 15 min. 3. Verify the selected value is organization-defined value (15 min) or less. If the selected value is larger than 15 min, or if the Knox Container does not lock after 15 min, this is a finding.

Fix: F-67027r1_fix

Configure the OS to initiate a session lock after a time period of inactivity. Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity. On the MDM Console, set the "Max Time to Lock" to organization-defined value (15 min) in the "Android Knox Container -> Container Password Restrictions" rule.

b
The Samsung Knox for Android platform must enforce an application installation policy by specifying one or more authorized application repositories: Disable Google Play.
CM-6 - Medium - CCI-000366 - V-61169 - SV-75649r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-009000
Vuln IDs
  • V-61169
Rule IDs
  • SV-75649r1_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #10a
Checks: C-62125r1_chk

Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the first of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Google Play" setting in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox for Android device: 1. Attempt to locate the "Google Play" application. 2. Verify it is not present on the device. If the "Enable Google Play" is not disabled, or if a user can successfully launch Google Play on the device, this is a finding.

Fix: F-67029r1_fix

Configure the MOS to disable unauthorized application repositories. Configure the OS to disable Google Play. On the MDM Administration Console, disable "Enable Google Play" in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must enforce an application installation policy by specifying one or more authorized application repositories: Disable unknown sources.
CM-6 - Medium - CCI-000366 - V-61171 - SV-75651r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-009010
Vuln IDs
  • V-61171
Rule IDs
  • SV-75651r1_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #10a
Checks: C-62127r1_chk

Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Unknown Sources" settings in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Attempt to enable "Unknown sources". 4. Verify it cannot be enabled. If the "Enable Google Play" setting is not disabled, or if a user can successfully enable "Unknown sources" on the device, this is a finding.

Fix: F-67031r1_fix

Configure the MOS to disable unauthorized application repositories. Configure the mobile operating system to disable application installations from unknown sources. On the MDM Administration Console, disable "Allow Unknown Sources" in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must enforce an application installation policy by specifying an application whitelist.
CM-6 - Medium - CCI-000366 - V-61173 - SV-75653r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-009100
Vuln IDs
  • V-61173
Rule IDs
  • SV-75653r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-62129r1_chk

This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of white-listed applications in the "Android Applications" rule. 2. Verify the list of white-listed applications has been approved by the Approving official (AO). Note: Refer to the Supplemental document for additional information. Note: This list can be empty if no applications have been approved. If any of the applications on white-listed applications on the MDM Administration Console have not been approved by the AO, this is a finding.

Fix: F-67033r1_fix

Configure the MOS to use an application whitelist. On the MDM Administration Console, configure the list of white-listed applications in the "Android Applications" rule and ensure only AO-approved applications are on the list. Note: This list can be empty if no applications have been approved. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android platform must not allow use of developer modes.
CM-7 - Medium - CCI-000381 - V-61175 - SV-75655r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
KNOX-35-020000
Vuln IDs
  • V-61175
Rule IDs
  • SV-75655r1_rule
Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD-sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #24
Checks: C-62131r1_chk

This check procedure is performed on both the MDM Administration Console and the Samsung Knox device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Disable Developer Mode" settings in the "Android Restrictions" rule. 2. Verify that the "Disable Developer Mode" setting is enabled. Note: Disabling Developer Mode will also disable USB Debugging and Mock locations. On the Samsung Knox for Android Device: 1. Open the device settings. 2. Select "Developer options". (**) 3. Attempt to enable "Developer options". If the "Disable Developer Mode" setting in the MDM console is disabled, or if the user is able to enable "Developer options" on the device, this is a finding. Note: The "Developer Modes" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables developer modes on the mobile device. (**) "Developer options" is initially hidden to users. To unhide this menu item, 1. Open the device settings. 2. Select "About phone". 3. Rapidly tap on "Build number" multiple times until device displays the developer options menu item.

Fix: F-67035r1_fix

Configure the MOS to disable developer modes. Configure the platform to disable Developer Mode. On the MDM Administration Console, enable the "Disable Developer Mode" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
CM-6 - Medium - CCI-000366 - V-61177 - SV-75657r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-020600
Vuln IDs
  • V-61177
Rule IDs
  • SV-75657r1_rule
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62133r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet). Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule. 2. Verify the DoD root and intermediate PKI certificates are present. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Select "Trusted Credentials". 4. Review Certificate Authorities listed under the "System" and "User" tabs. 5. Verify the presence of the DoD root and intermediate certificates. If the DoD root and intermediate certificates are not present in the MDM Console whitelist or on the device, this is a finding.

Fix: F-67037r1_fix

Install DoD root and intermediate certificates on the device. On the MDM Console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the "Android Certificate Configuration" rule. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).

b
The Samsung Knox for Android platform must implement the management setting: Disable Allow New Admin Install.
CM-6 - Medium - CCI-000366 - V-61179 - SV-75659r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021000
Vuln IDs
  • V-61179
Rule IDs
  • SV-75659r2_rule
An application with administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, then this will allow another MDM administrator (assuming it has the proper Knox licenses) the ability to configure potentially conflicting policies on the device that may not meet DoD security requirements. Although an MDM cannot disable another MDM's policies or remove another MDM from the device, there is the potential of creating policies that could conflict with enterprise policies. Therefore, other applications requesting administrator permissions should be blocked from installation. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62135r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow New Admin Install" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. Note: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM. Note: Android Device Manager must be deactivated if activated in order for this rule to be enforced on the device. This can only be done manually on the device by going to Settings >> Security >> Other security settings >> Phone adminstrators and checking that the setting is off for Android Device Manager. On the Samsung Knox for Android device: 1. Attempt to install an application that requires admin permissions. 2. Verify that the application is blocked from being installed. If the "Allow New Admin Install" setting in the MDM console is enabled, or if the user is able to install another application requiring admin permissions on the device, this is a finding.

Fix: F-67039r1_fix

Configure the mobile operating system to disallow new admin installations. On the MDM Administration Console, disable the "Allow New Admin Install" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Configure application install blacklist.
CM-6 - Medium - CCI-000366 - V-61181 - SV-75661r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021100
Vuln IDs
  • V-61181
Rule IDs
  • SV-75661r1_rule
Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62137r1_chk

This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Applications" rule. 2. Verify the setting is configured to include all applications (specified by the wildcard string ".*"). If the "Application install blacklist" setting in the MDM console does not include all applications, this is a finding.

Fix: F-67041r1_fix

Configure the mobile operating system to add all applications to the install blacklist. On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Applications" rule.

b
The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: All pre-installed (core) applications not approved for DoD use by the Approving Official (AO).
CM-6 - Medium - CCI-000366 - V-61183 - SV-75663r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021200
Vuln IDs
  • V-61183
Rule IDs
  • SV-75663r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-62139r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed (core) applications not approved for DoD use by the Approving Official (AO). Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding. Note: Core applications are pre-installed on the device and include applications integrated into the Android OS by Google and applications added to the OS load by Samsung or by the carrier.

Fix: F-67043r1_fix

Configure the MOS application whitelist to exclude applications with the following characteristics: -all pre-installed (core) applications not approved for DoD use by the Approving Official (AO). Configure the mobile operating system to disable pre-installed applications not approved for DoD use. On the MDM Administration Console, add all pre-installed applications not approved for DoD to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user.
CM-6 - Medium - CCI-000366 - V-61185 - SV-75665r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021225
Vuln IDs
  • V-61185
Rule IDs
  • SV-75665r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-62141r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed applications which allow synchronization of data or applications between devices associated with user. Note: The following applications are known to be pre-installed applications which allow synchronization of data or applications between devices associated with user, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote. Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.

Fix: F-67045r1_fix

Configure the MOS application whitelist to exclude applications with the following characteristics: -allows synchronization of data or applications between devices associated with user Configure the mobile operating system to disable all pre-installed applications which allow synchronization of data or applications between devices associated with user. On the MDM Administration Console, add all pre-installed applications which allow synchronization of data or applications between devices associated with user to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: Payment processing.
CM-6 - Medium - CCI-000366 - V-61187 - SV-75667r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021250
Vuln IDs
  • V-61187
Rule IDs
  • SV-75667r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-62143r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed payment processing applications. Note: The following applications are known to be pre-installed payment processing applications, but other applications can be found on other devices: Wallet, Isis Wallet, Softcard. Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.

Fix: F-67047r1_fix

Configure the MOS application whitelist to exclude applications with the following characteristics: -payment processing Configure the mobile operating system to disable pre-installed payment processing applications. On the MDM Administration Console, add all pre-installed payment processing applications to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).
CM-6 - Medium - CCI-000366 - V-61189 - SV-75669r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021275
Vuln IDs
  • V-61189
Rule IDs
  • SV-75669r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-62145r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services). Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote. Note: The following applications allows a user to configure a Samsung Account on the device which allows the user to backup files (including S Health data) to Samsung servers, as well as download applications from Samsung Apps (Galaxy Apps) store: Samsung Account application. Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.

Fix: F-67049r2_fix

Configure the MOS application whitelist to exclude applications with the following characteristics: -backup MD data to non-DoD cloud servers (including user and application access to cloud backup services) Configure the mobile operating system to disable pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services). On the MDM Administration Console, add all pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services) to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android platform must not allow backup to remote systems.
CM-6 - Medium - CCI-000366 - V-61191 - SV-75671r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021300
Vuln IDs
  • V-61191
Rule IDs
  • SV-75671r1_rule
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD-sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-62147r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Google Backup" and "Google Auto Sync" settings in the "Android Restrictions" rule. 2. Verify the settings are disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Backup and reset". 3. Verify "Back up my data" is disabled and cannot be enabled. and 1. Open the device settings. 2. Select Accounts. 3. Configure a Google account. 4. Select the configured Google account. 5. Verify that all sync check boxes are unselected. If the "Allow Google Backup" or “Google Auto Sync" setting is enabled, or if the user is able to enable the settings on the device, or if the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.

Fix: F-67051r1_fix

Configure the MOS to disable backup to remote systems (including commercial clouds). Configure the mobile device to disable backups to Google servers, disable Google Auto Sync, and disable all pre-installed public cloud backup applications. On the MDM Administration Console, disable the "Allow Google backup" and "Google Auto Sync" settings in the "Android Restrictions" rule.

a
The Samsung Knox for Android platform must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.
CM-7 - Low - CCI-000381 - V-61193 - SV-75673r1_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
KNOX-35-021400
Vuln IDs
  • V-61193
Rule IDs
  • SV-75673r1_rule
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk. SFR ID: FMT_SMF_EXT.1.1#45
Checks: C-62149r1_chk

Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the first of these steps. This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Google Crash Report" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. If the "Google Crash Report" configuration in the MDM console is enabled, this is a finding.

Fix: F-67053r1_fix

Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the mobile operating system to disable Google Crash Report. On the MDM Administration Console, disable the "Google Crash Report" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Disable USB host storage.
CM-6 - Medium - CCI-000366 - V-61195 - SV-75675r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-021600
Vuln IDs
  • V-61195
Rule IDs
  • SV-75675r1_rule
The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. Disabling this feature mitigates the risk of compromising sensitive DoD data. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62151r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "USB host storage" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Connect a Micro USB to USB OTG adaptor to the device. 2. Connect a USB thumb drive to the adaptor. 3. Verify the device cannot access the USB thumb drive. If the "USB host storage" configuration in the MDM console is enabled, or if the user is able to access the USB thumb drive from the device, this is a finding.

Fix: F-67055r1_fix

Configure the mobile operating system to disable USB host storage. On the MDM Administration Console, disable the "USB host storage" setting in the "Android Restrictions" rule.

a
The Samsung Knox for Android platform must not allow passwords that include more than two repeating or sequential characters.
CM-6 - Low - CCI-000366 - V-61197 - SV-75677r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-35-021900
Vuln IDs
  • V-61197
Rule IDs
  • SV-75677r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #01b
Checks: C-62153r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android Password Restrictions" rule. 2. Verify the value of the setting is the same or less than the required length. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen". 3. Select "Screen lock". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length. 7. Verify the password is not accepted. If the configured values of the "Max Sequential Character" and "Max Sequential Number" settings are greater than the required length, or if device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding. Note: On some MDM servers there may only be one configuration setting ("Max Sequential Characters") since this API actually disables both sequential and repeating characters.

Fix: F-67057r1_fix

Configure the MOS to prevent passwords from containing more than two repeating or sequential characters. On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to 2 in the "Android Password Restrictions" rule.

b
The Samsung Knox for Android platform must be configured to disable multi-user modes.
CM-6 - Medium - CCI-000366 - V-61199 - SV-75679r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-022500
Vuln IDs
  • V-61199
Rule IDs
  • SV-75679r2_rule
By default the enterprise administrator will install and enroll MDM on the device's owner user space. Since some policies configured by the MDM will only apply to the owner space, the user can bypass some of these policies by creating and switching to a guest user space. This can potentially result in compromise of the device and DoD data via installation of malicious applications. Disabling this feature will mitigate this risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62155r2_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow multi-user mode" settings in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Attempt to add a user in the "User" setting. 3. Verify that the "User" setting is not available or verify that a new user cannot be added and set up. If the "Allow multi-user mode" setting is enabled, or if the user is able to add a user and set up a new user, this is a finding.

Fix: F-67059r1_fix

Configure the mobile operating system to disable multi-user modes. On the MDM Administration Console, disable the "Allow multi-user mode" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Disable S Voice.
CM-6 - Medium - CCI-000366 - V-61201 - SV-75681r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-022800
Vuln IDs
  • V-61201
Rule IDs
  • SV-75681r1_rule
On MOS devices, users (may be able to) access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack. The AO may waive this requirement with written notice if the operational environment requires this capability. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62157r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable S Voice" settings in the "Android Restrictions" rule. 2. Verify the value is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Applications". 3. Verify the S Voice application cannot be selected. If the "Enable S Voice" setting is enabled, or if the S Voice application can be launched or configured, this is a finding.

Fix: F-67061r1_fix

Configure the operating system to disable S Voice. On the MDM Administration Console, disable the "Enable S Voice" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Disable NFC.
CM-6 - Medium - CCI-000366 - V-61203 - SV-75683r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-023100
Vuln IDs
  • V-61203
Rule IDs
  • SV-75683r1_rule
NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62159r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow NFC" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open device settings. 2. Select "NFC". 3. Verify the setting is disabled. If the "Allow NFC" configuration in the MDM console is enabled, or if the setting is enabled on the device, this is a finding.

Fix: F-67063r1_fix

Configure the mobile operating system to disable NFC. On the MDM Administration Console, disable the "Allow NFC" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Disable Nearby devices.
CM-6 - Medium - CCI-000366 - V-61205 - SV-75685r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-023500
Vuln IDs
  • V-61205
Rule IDs
  • SV-75685r1_rule
The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the DLNA technology. Even though the user must allow requests from other devices, this feature can potentially result in unauthorized access to and compromise of sensitive DoD files. Disabling this feature will mitigate this risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62161r1_chk

This validation procedure is performed on the Samsung Knox for Android device. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Nearby devices". 3. Verify this is disabled. If setting is enabled and cannot be disabled, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.

Fix: F-67065r1_fix

Configure the mobile operating system to disable nearby devices.

b
The Samsung Knox for Android platform must not allow a USB mass storage mode.
CM-7 - Medium - CCI-000381 - V-61207 - SV-75687r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
KNOX-35-023600
Vuln IDs
  • V-61207
Rule IDs
  • SV-75687r1_rule
USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #39
Checks: C-62163r1_chk

This validation procedure is performed on both the MDM Administration Console and the PC. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" check box in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" check box is selected. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES). On the Samsung Knox for Android device: 1. Connect the device to a PC USB connection. Note: Do not use a DoD network-managed PC for this test! On the PC: 1. Verify the device is not shown in the PC finder. If the specified setting is not set to the appropriate value, or if the device is shown in the PC finder, this is a finding.

Fix: F-67067r1_fix

Configure the MOS to disable USB mass storage mode. On the MDM Administration Console, select the "Disable USB Media Player" check box in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must be configured to disable automatic updates of system software.
CM-6 - Medium - CCI-000366 - V-61209 - SV-75689r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-023700
Vuln IDs
  • V-61209
Rule IDs
  • SV-75689r1_rule
FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (i.e., disabling applications determined to pose risk), the administrator can re-enable FOTA. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62165r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow FOTA" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open device settings. 2. Select "About device". 3. Attempt to select "Software update". Note: Location of this menu can vary between models. If the "Allow FOTA" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding. Note: After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA.

Fix: F-67069r1_fix

Configure the mobile operating system to disable automatic updates of system software. Configure the mobile operating system to disable FOTA. On the MDM Administration Console, disable the "Allow FOTA" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must not display notifications when the device is locked.
AC-14 - Medium - CCI-000062 - V-61211 - SV-75691r1_rule
RMF Control
AC-14
Severity
Medium
CCI
CCI-000062
Version
KNOX-35-024000
Vuln IDs
  • V-61211
Rule IDs
  • SV-75691r1_rule
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #21
Checks: C-62167r1_chk

This check procedure is performed on both the MDM Administration Console and the Samsung Knox device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Notifications on lock screen" settings in the "Android Restrictions" rule. 2. Verify that the "Hide content" or "Do not show notification" setting is enabled and "Show content" setting is disabled. On the Samsung Knox for Android Device: 1. Open the device settings. 2. Select "Notifications". 3. Select "Notifications on lock screen". 4. Attempt to enable "Show content". If the "Show content" setting in the MDM console is enabled, or if the user is able to enable "Show content" on the device, this is a finding.

Fix: F-67071r1_fix

Configure the MOS to not display notifications when the device is locked. Configure the platform to disable notifications on the lock screen or hide notification details on the lock screen. On the MDM Administration Console, enable the "Hide content" or "Do not show notification" and disable "Show content" in the "Notifications on lock screen" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must not allow backup to locally connected systems.
AC-20 - Medium - CCI-000097 - V-61213 - SV-75693r1_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-000097
Version
KNOX-35-024200
Vuln IDs
  • V-61213
Rule IDs
  • SV-75693r1_rule
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-62169r1_chk

This validation procedure is performed on both the MDM Administration Console and the PC. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" check box in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" check box is selected. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES). On the Samsung Knox for Android device: 1. Connect the device to a PC USB connection. Note: Do not use a DoD network-managed PC for this test! On the PC: 1. Install and launch Samsung KIES on the PC. 2. Verify the device does not connect with the Samsung KIES program. If the specified setting is not set to the appropriate value, or if the device is connects with the Samsung KIES program, this is a finding.

Fix: F-67073r1_fix

Configure the MOS to disable backup to locally connected systems. Configure the mobile operating system to disable USB KIES. On the MDM Administration Console, select the "Disable USB Media Player" check box in the "Android Restrictions" rule. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES).

a
The Samsung Knox for Android platform must enable VPN protection.
CM-6 - Low - CCI-000366 - V-61215 - SV-75695r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-35-024500
Vuln IDs
  • V-61215
Rule IDs
  • SV-75695r1_rule
A key characteristic of a mobile device is that they typically will communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility. In these circumstances, the threat of eavesdropping is substantial. Virtual private networks (VPNs) provide confidentiality and integrity protection for data transmitted over untrusted media (e.g., air) and networks (e.g., the Internet). They also provide authentication services to ensure that only authorized users are able to use them. Consequently, enabling VPN protection counters threats to communications to and from mobile devices. SFR ID: FMT_SMF_EXT.1.1 #03
Checks: C-62171r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of configured VPN profiles in the "VPN profiles" rule. 2. Verify the list includes the organization VPN profile. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "More connection settings". 3. Select "VPN". 4. Verify the list includes the organization VPN profile. If the organization VPN profile is not included in either list, this is a finding.

Fix: F-67075r1_fix

Configure the MOS to enable VPN protection. Configure the mobile operating system with the organization VPN profile. On the MDM Administration Console, configure the organization VPN profile in the "VPN profiles" rule.

b
The Samsung Knox for Android platform must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD approved.
CM-6 - Medium - CCI-000366 - V-61217 - SV-75697r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-024600
Vuln IDs
  • V-61217
Rule IDs
  • SV-75697r1_rule
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62173r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the settings are Alphanumeric. 3. Ask the MDM administrator to display the "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Lock screen type". 4. Verify "Swipe", "Pattern", "PIN", "Fingerprints", "None" are disabled (grayed out) and cannot be enabled. If Fingerprint for Lock screen authentications enabled, or if Minimum Password Complexity is not configured to Alphanumeric, or if the user is able to enable the settings on the device, this is a finding.

Fix: F-67077r1_fix

Configure the MOS to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data Configure the mobile operating system to configure Minimum Password Complexity and disable finger print for the lock screen password. On the MDM Administration Console, configure "Minimum Password Complexity" to Alphanumeric and disable "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must be configured to disable VPN split-tunneling (if the MD provides a configurable control for FDP_IFC_EXT.1.1).
CM-6 - Medium - CCI-000366 - V-61219 - SV-75699r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-024700
Vuln IDs
  • V-61219
Rule IDs
  • SV-75699r1_rule
Spilt-tunneling allows multiple simultaneous remote connections to the mobile device. Without VPN split-tunneling disabled, malicious applications can covertly off-load device data to a third-party server or set up a trusted tunnel between a non-DoD third-party server and a DoD network, providing a vector to attack the network. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62175r1_chk

Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.

Fix: F-67079r1_fix

Configure the mobile operating system to disable VPN split-tunneling (if the MD provides a configurable control). Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.

b
The Samsung Knox for Android platform must be configured to enable the access control policy that prevents [groups of application processes] from accessing [all] data stored by other [groups of application processes].
CM-6 - Medium - CCI-000366 - V-61221 - SV-75701r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-024800
Vuln IDs
  • V-61221
Rule IDs
  • SV-75701r1_rule
The access control policy restricts processes and applications in one processing environment (container) from accessing data in another. Exceptions should only be allowed under the administrator control to protect sensitive DoD data from exposure. SFR ID: FMT_SMF_EXT.1.1 #45, FDP_ACF_EXT.1.2
Checks: C-62177r1_chk

Note: This validation procedure is identical to the one for KNOX-39-015400. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android Knox Container" rule. 2. Verify the existence of this rule. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung Knox for Android device: 1. From the device home screen, pull down the notification bar. 2. Verify the existence of the KNOX icon. 3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM Administrator cannot configure the "Android Knox Container" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.

Fix: F-67081r1_fix

On the MDM Administration Console, create the "Android Knox Container" rule and push this rule to the device.

b
The Samsung Knox for Android platform must implement the management setting: Disable Admin Remove.
CM-6 - Medium - CCI-000366 - V-61223 - SV-75703r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-028400
Vuln IDs
  • V-61223
Rule IDs
  • SV-75703r1_rule
Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. For these reasons, a user must not be allowed to remove the MDM from the device. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62179r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Admin Remove" settings in the "Android Restrictions" rule. 2. Verify the value is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Other security settings". 4. Select "Device administrators". 5. Verify the enterprise MDM agent is on and cannot be turned off. If the "Allow Admin Remove" setting is enabled, or if the MDM agent on the device can be turned off, this is a finding.

Fix: F-67083r1_fix

Configure the operating system to disable admin removal by the user. On the MDM Administration Console, disable the "Allow Admin Remove" setting in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must implement the management setting: Enable Certificate Revocation Status Check.
CM-6 - Medium - CCI-000366 - V-61225 - SV-75705r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-028500
Vuln IDs
  • V-61225
Rule IDs
  • SV-75705r1_rule
A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62181r1_chk

This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Certificate Revocation Status (CRL) Check" settings in the "Android Restrictions" rule. 2. Verify the value is enabled and configured for all applications. If the setting is disabled, this is a finding.

Fix: F-67085r1_fix

Configure the operating system to configure certification revocation status checking (CRL). On the MDM Administration Console, "Enable Certificate Revocation Status (CRL) Check" settings for all applications in the "Android Restrictions" rule.

b
The Samsung Knox for Android platform must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable Enable Smart Lock.
CM-6 - Medium - CCI-000366 - V-61227 - SV-75707r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-35-030000
Vuln IDs
  • V-61227
Rule IDs
  • SV-75707r1_rule
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62183r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the settings are Alphanumeric. 3. Ask the MDM administrator to display the "Enable Smart Lock" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Secure lock settings". 4. Verify "Smart Lock" is disabled (grayed out) and cannot be enabled. If "Smart Lock" is enabled or if the user is able to enable the settings on the device, this is a finding.

Fix: F-67087r1_fix

Configure the MOS to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data Configure the mobile operating system to disable Smart Lock. On the MDM Administration Console, disable "Enable Smart Lock" setting in the "Android Restrictions" rule.

a
The Samsung Knox for Android platform must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Configure a KNOX on-premise license.
CM-7 - Low - CCI-000381 - V-61229 - SV-75709r1_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
KNOX-35-030100
Vuln IDs
  • V-61229
Rule IDs
  • SV-75709r1_rule
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk. SFR ID: FMT_SMF_EXT.1.1#45
Checks: C-62185r1_chk

Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the second of these steps. This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Knox License" settings in the "Knox Management" rule. 2. Verify the correct DoD-issued Knox license is configured. If the correct DoD-issued Knox license is not configured in the "Knox License" setting this is a finding.

Fix: F-67089r1_fix

Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the DoD-issued Knox license. On the MDM Administration Console configure the DoD-issued Knox license in the "Knox Management" rule.

a
The Samsung Knox for Android platform must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report diagnostic info.
CM-7 - Low - CCI-000381 - V-61231 - SV-75711r1_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
KNOX-35-030200
Vuln IDs
  • V-61231
Rule IDs
  • SV-75711r1_rule
Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk. SFR ID: FMT_SMF_EXT.1.1#45
Checks: C-62187r1_chk

Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the third of these steps. This validation procedure is performed on the Samsung Knox for Android device. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Privacy and safety" or "About device". 3. Verify Report diagnostic info setting is not checked. If the setting is checked (enabled), this is a finding. (Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.)

Fix: F-67091r1_fix

Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the mobile operating system to disable Report diagnostic info. On the Samsung Knox for Android device uncheck the Report diagnostic info setting.

a
The Samsung Knox for Android platform must display the DoD advisory warning message at start-up or each time the user unlocks the device.
AC-8 - Low - CCI-000048 - V-61233 - SV-75713r1_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
KNOX-36-009700
Vuln IDs
  • V-61233
Rule IDs
  • SV-75713r1_rule
The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner shall be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.” The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. For devices with severe character limitations, the banner text is: I've read & consent to terms in IS user agreem't. The administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF_EXT.1.1 #36
Checks: C-62189r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable DoD Banner" check box and "Banner Text" field in the "Android Restrictions" rule. 2. Verify the "Enable DoD Banner" check box is selected. 3. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank. Note: The default device banner matches the required DoD banner. If the DoD banner is enabled without entering any text, the device will display a default text. On the Samsung Knox for Android device: 1. Reboot the device. 2. Verify the device displays the DoD banner. 3. Verify the DoD banner is set to one of the authorized messages. If the specified setting is not set to the appropriate value, or the device does not display the DoD banner on reboot, this is a finding.

Fix: F-67093r1_fix

Configure the MOS to display the DoD-mandated warning banner text. On the MDM Administration Console, select the "Enable DoD Banner" check box, and enter the correct text in the "Banner Text" field in the "Android Restrictions" rule. (**) On some MDM vendor consoles, the logon banner automatically is displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.

b
The Samsung Knox for Android platform must implement the management setting: Disable Manual Date Time Changes.
CM-6 - Medium - CCI-000366 - V-61235 - SV-75715r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-38-012600
Vuln IDs
  • V-61235
Rule IDs
  • SV-75715r1_rule
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed in order to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for mobile operating systems are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), or the Global Positioning System (GPS), or the wireless carrier. Time stamps generated by the audit system in mobile operating systems shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62191r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule. 2. Verify the check box is selected. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Date and time". 3. Verify the "Automatic date and time" check box is checked. 4. Verify a user cannot deselect the "Automatic date and time" check box. If either the "Disable Manual Date Time Changes" check box is not checked on the MDM administration console; or the "Automatic date and time" check box is not selected on the device; or if it is possible to deselect this option on the device, this is a finding.

Fix: F-67095r1_fix

Configure the mobile operating system to synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System. On the MDM Console, select the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Configure to enforce a minimum password length of 4 characters.
CM-6 - Medium - CCI-000366 - V-61237 - SV-75717r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-014900
Vuln IDs
  • V-61237
Rule IDs
  • SV-75717r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62193r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Select "Change password". 4. Enter current password. 5. Attempt to enter a password with fewer characters than the required length. 6. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length, or if Samsung Knox for Android accepts a container password with fewer characters than the required length, this is a finding. Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device. The use of a password to move between container and personal areas is only required if the password is needed to provide data separation between the two processing environments. For the Samsung devices, the password is required to enable the container and implement data separation.

Fix: F-67097r1_fix

Configure the mobile device to enforce a minimum password length of 4 characters. On the MDM Console, set the "Min Length" value to 4 or greater in the "Android Knox Container -> Container Password Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Disable sharing of calendar information outside the container.
CM-6 - Medium - CCI-000366 - V-61239 - SV-75719r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-015100
Vuln IDs
  • V-61239
Rule IDs
  • SV-75719r1_rule
Calendar events can include potentially DoD-sensitive data such as names, contacts, dates and times, and locations. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62195r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Export Calendar to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Select "Knox Settings". 3. Select "Share data". 4. Verify "Export to Personal Mode - Calendar" is disabled and attempt to enable this setting. If the "Allow Export Calendar to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.

Fix: F-67099r1_fix

Configure the mobile operating system to disable sharing of calendar information outside the container. On the MDM Administration Console, disable the "Allow Export Calendar to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.

a
The Samsung Knox for Android container must implement the management setting: Configure to prohibit more than 10 consecutive failed authentication attempts.
CM-6 - Low - CCI-000366 - V-61241 - SV-75721r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-39-015200
Vuln IDs
  • V-61241
Rule IDs
  • SV-75721r1_rule
Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62197r1_chk

This validation procedure is performed on the MDM Administration Console only. Check whether the device lock screen setting is configured on the MDM server. 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is 10 or less. If there is no value configured for the "Maximum Failed Attempts" field, or if it is greater than 10, this is a finding.

Fix: F-67101r1_fix

Configure the mobile operating system to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to the organization-defined value in the "Android Knox Container -> Container Password Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Disable sharing of contact information outside the container.
CM-6 - Medium - CCI-000366 - V-61243 - SV-75723r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-015250
Vuln IDs
  • V-61243
Rule IDs
  • SV-75723r1_rule
Contacts can include DoD-sensitive data and PII of DoD employees including names, numbers, addresses, and email addresses. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62199r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Export Contact to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Select "Knox Settings". 3. Select "Share data". 4. Verify "Export to Personal Mode - Contact" is disabled and attempt to enable this setting. If the "Allow Export Contact to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.

Fix: F-67103r1_fix

Configure the mobile operating system to disable sharing of contact information outside the container. On the MDM Administration Console, disable the "Allow Export Contact to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Disable sharing of notification details outside the container.
CM-6 - Medium - CCI-000366 - V-61245 - SV-75725r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-015300
Vuln IDs
  • V-61245
Rule IDs
  • SV-75725r1_rule
Application notifications can include DoD-sensitive data. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62201r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Show detailed notifications" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Select "Knox Settings". 3. Verify "Show detailed notifications" is disabled and attempt to enable this setting. If the "Allow Show detailed notifications" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.

Fix: F-67105r1_fix

Configure the mobile operating system to disable sharing of notification details outside the container. On the MDM Administration Console, disable the "Allow Show detailed notifications" setting in the "Android Knox Container -> Container Restrictions" rule.

b
The Samsung Knox for Android container must be configured to implement the management setting: Enable container.
CM-6 - Medium - CCI-000366 - V-61247 - SV-75727r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-015400
Vuln IDs
  • V-61247
Rule IDs
  • SV-75727r1_rule
The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly higher risk of compromise because they are not protected by encryption, isolation, etc. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62203r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android Knox Container" rule. 2. Verify the existence of this rule. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung Knox for Android device: 1. From the device home screen, pull down the notification bar. 2. Verify the existence of the KNOX icon. 3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM Administrator cannot configure the "Android Knox Container" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.

Fix: F-67107r1_fix

On the MDM Administration Console, create the "Android Knox Container" rule and push this rule to the device.

b
The Samsung Knox for Android platform must implement the management setting: Enable CC mode.
CM-6 - Medium - CCI-000366 - V-61249 - SV-75729r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-015600
Vuln IDs
  • V-61249
Rule IDs
  • SV-75729r1_rule
CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the MD is more at risk of being compromised if lost or stolen. CC mode implements the following controls: - enables the OpenSSL FIPS crypto library - sets the password failure settings to wipe the device to 5 (5 failed consecutive attempts will wipe the device) - disables ODIN mode (download mode) SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62205r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.

Fix: F-67109r1_fix

Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.

b
The Samsung Knox for Android platform must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-free Profile), and SPP (Serial Port Profile).
CM-6 - Medium - CCI-000366 - V-61251 - SV-75731r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-015700
Vuln IDs
  • V-61251
Rule IDs
  • SV-75731r1_rule
Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #20
Checks: C-62207r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Bluetooth Profiles" settings in the "Android Restrictions" rule. 2. Verify the only profiles allowed are HSP, HFP, and SPP. On the Samsung Knox for Android device: 1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard). 2. Verify the Bluetooth peripheral does not pair with the Samsung Knox for Android device. If the Bluetooth profiles other than HSP, HFP, and SPP are configured to be allowed, or if the device is able to pair with a Bluetooth keyboard, this is a finding.

Fix: F-67111r1_fix

Configure the MOS to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-free Profile), and SPP (Serial Port Profile). On the MDM Administration Console, configure the "Bluetooth Profiles" setting to only allow HSP, HFP, and SPP in the "Android Restrictions" rule.

b
The Samsung Knox for Android container must enforce an application installation policy by specifying an application whitelist.
CM-6 - Medium - CCI-000366 - V-61253 - SV-75733r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-020100
Vuln IDs
  • V-61253
Rule IDs
  • SV-75733r1_rule
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #10b
Checks: C-62209r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of white-listed applications in the "Android Knox Container -> Container Applications" rule. 2. Verify the list of white-listed applications have been approved by the Approving official (AO). Note: Refer to the Supplemental document for additional information. Note: This list can be empty if no applications have been approved. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Attempt to install an application that is not in the application whitelist. If any of the applications on white-listed applications on the MDM Administration Console have not been approved by the AO, or the device allows the user to successfully install the application, this is a finding.

Fix: F-67113r1_fix

Configure the mobile device to use an application whitelist. On the MDM Administration Console, configure the list of white-listed applications in the "Android Knox Container -> Container Applications" rule and ensure only AO-approved applications are on the list. Note: This list can be empty if no applications have been approved. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android container must implement the management setting: Configure application install blacklist.
CM-6 - Medium - CCI-000366 - V-61255 - SV-75735r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-020300
Vuln IDs
  • V-61255
Rule IDs
  • SV-75735r1_rule
Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62211r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Knox Container -> Container Application" rule. 2. Verify the setting is configured to all applications (specified by the wildcard string ".*"). On the Samsung Knox for Android device: 1. Attempt to install any application that is not configured in the application install whitelist. 2. Verify that the application is blocked from being installed. If the "Application install blacklist" configuration in the MDM console has the wrong value, or if the user is able to install the application, this is a finding.

Fix: F-67115r1_fix

Configure the mobile operating system to add all applications to the install blacklist. On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Knox Container -> Container Application" rule.

b
The Samsung Knox for Android container must implement the management setting: Disable Move Applications to Container.
CM-6 - Medium - CCI-000366 - V-61257 - SV-75737r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-020400
Vuln IDs
  • V-61257
Rule IDs
  • SV-75737r1_rule
Applications determined to be acceptable for personal use outside the container might not be acceptable for use within the container. The Move Applications to Container feature allows users to install personal side applications into the container, resulting in potential compromise of DoD data. Disabling this feature mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62213r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Move Applications to Container" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Verify "Select apps to install" cannot be selected. If the "Move Applications to Container" configuration in the MDM console is enabled, or if the user is able to select "Select apps to install", this is a finding.

Fix: F-67117r1_fix

Configure the mobile operating system to disable Move Applications to Container. On the MDM Administration Console, disable the "Move Applications to Container" setting in the "Android Knox Container -> Container Application" rule.

b
The Samsung Knox for Android container must implement the management setting: Disable Move Files from Container to Personal.
CM-6 - Medium - CCI-000366 - V-61259 - SV-75739r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-020500
Vuln IDs
  • V-61259
Rule IDs
  • SV-75739r1_rule
Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62215r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Move Files from Container to Personal" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "My Files" application. 3. Select a file by long pressing a selection. 4. Select settings. 5. Select "Move to Personal mode". 6. Verify that this operation is blocked. If the "Move Files from Container to Personal" configuration in the MDM console is enabled, or if the user is able to successfully move the selected file to the personal space, this is a finding.

Fix: F-67119r1_fix

Configure the mobile operating system to disable Move Files from Container to Personal. On the MDM Administration Console, disable the "Move Files from Container to Personal" setting in the "Android Knox Container -> Container Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Configure application disable list.
CM-6 - Medium - CCI-000366 - V-61261 - SV-75741r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-020700
Vuln IDs
  • V-61261
Rule IDs
  • SV-75741r1_rule
Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party preinstalled apps included apps from the vendor and carrier. Some of the applications can compromise DoD data or upload user's information to non-DoD approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62217r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Knox Container -> Container Application" rule. 2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Approving Official (AO). Note: Refer to the Supplemental document for additional information. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Attempt to launch an application that is included on the disable list. Note: This application should not be visible. If the "Application disable list" configuration in the MDM console does not contain all core and pre-installed applications not approved by DoD, or if the user is able to successfully launch an application on this list, this is a finding. Note: Core applications are apps installed in the operating system by the OS developer. In addition, third-party pre-installed apps are included in the OS build by the device vendor or wireless carrier.

Fix: F-67121r1_fix

Configure the mobile operating system to disable all pre-installed container applications that are not DoD-approved. On the MDM Administration Console, add all pre-installed container applications that are not DoD-approved to the "Application disable list" setting in the "Android Knox Container -> Container Application" rule. Note: Refer to the Supplemental document for additional information.

b
The Samsung Knox for Android container must implement the management setting: Disable automatic completion of browser text input.
CM-6 - Medium - CCI-000366 - V-61263 - SV-75743r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-021000
Vuln IDs
  • V-61263
Rule IDs
  • SV-75743r1_rule
The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of an auto-fill functionality, an adversary who learns a user's MOS device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the auto-fill feature to provide information unknown to the adversary. By disabling the auto-fill functionality, the risk of an adversary gaining further information about the device's user or comprising other systems is significantly mitigated. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62219r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow browser auto-fill" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Launch the browser application. 3. Select the application's setting menu. 4. Select "Auto fill forms". 5. Verify "Auto fill forms" is disabled and attempt to enable this setting. If the "Allow browser auto-fill" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.

Fix: F-67123r1_fix

Configure the mobile operating system to disable browser auto-fill for the container browser application. On the MDM Administration Console, disable the "Allow browser auto-fill" setting in the "Android Knox Container -> Container Restrictions" rule.

a
The Samsung Knox for Android container must not allow passwords that include more than two repeating or sequential characters.
CM-6 - Low - CCI-000366 - V-61265 - SV-75745r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-39-021100
Vuln IDs
  • V-61265
Rule IDs
  • SV-75745r1_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #01b
Checks: C-62221r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is the same or less than the required length. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Select "Unlock method". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length. 7. Verify the password is not accepted. If the configured values of the "Max Sequential Character" and "Max Sequential Number" settings are greater than the required length, or if device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.

Fix: F-67125r1_fix

Configure the mobile device to enforce a password that does not contain more than two sequential or repeating characters or numbers. On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to 2 in the "Android Knox Container -> Container Password Restrictions" rule.

b
The Samsung Knox for Android container must implement the management setting: Account whitelist.
CM-6 - Medium - CCI-000366 - V-61267 - SV-75747r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-021200
Vuln IDs
  • V-61267
Rule IDs
  • SV-75747r1_rule
Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized recipients. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62223r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account whitelist" setting in the "Container Accounts" rule. 2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil). Note: Proper configuration of Account blacklist is required for this configuration to function correctly. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Open Settings. 3. Select Accounts. 4. Select Add account. 5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain. 6. Verify that the email account can be added. 7. Attempt to add an email account with a domain not approved by DoD. 8. Verify that the email account cannot be added. If the "Account whitelist" is not properly configured, or if the user is able to successfully configure the email account with a domain not approved by DoD, or if the user is not able to install the DoD-approved email account, this is a finding.

Fix: F-67127r1_fix

Configure the mobile operating system to add DoD-approved email domains to the account whitelist. On the MDM Administration Console, add all DoD-approved email domains to the "Account whitelist" setting in the "Container Accounts" rule. Note: Recommended to add ".*@mail.mil"

b
The Samsung Knox for Android container must implement the management setting: Account blacklist.
CM-6 - Medium - CCI-000366 - V-61269 - SV-75749r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-021300
Vuln IDs
  • V-61269
Rule IDs
  • SV-75749r1_rule
Blacklisting all email accounts is required so that only white-listed accounts can be configured. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62225r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account blacklist" setting in the "Container Accounts" rule. 2. Verify the setting is configured to all email domains not approved by DoD. Note: All email domains is specified by the wildcard string ".*" On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Open Settings. 3. Select Accounts. 4. Select Add account. 5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain. 6. Verify that the email account cannot be added. If the "Account blacklist" is not properly configured, or if the user is able to successfully configure the non-DoD approved email account, this is a finding.

Fix: F-67129r1_fix

Configure the mobile operating system to add email domains not approved by DoD to the account blacklist. On the MDM Administration Console, add all email domains not approved by DoD to the "Account blacklist" setting in the "Container Accounts" rule.

b
The Samsung Knox for Android container must implement the management setting: Configure minimum password complexity.
CM-6 - Medium - CCI-000366 - V-61271 - SV-75751r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-39-022000
Vuln IDs
  • V-61271
Rule IDs
  • SV-75751r1_rule
Authentication mechanisms other than a Password Authentication Factor often provide convenience to users, but many of these mechanisms have known vulnerabilities. Configuring a minimum password complexity mitigates the risk associated with a weak authentication factor. SFR ID: FMT_SMF_EXT.1.1 #45
Checks: C-62227r1_chk

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Complexity" setting in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is Alphanumeric. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Select "Unlock method". 4. Enter current password. 5. Verify PIN and Pattern are grayed out and cannot be selected. If the configured value of the "Min Complexity" setting is not Alphanumeric, or if the user is able to select PIN or Pattern, this is a finding. Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.

Fix: F-67131r1_fix

Configure the mobile device to enforce a minimum password complexity of alphanumeric. On the MDM Console, set the "Min Complexity" value to Alphanumeric in the "Android Knox Container -> Container Password Restrictions" rule.