Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the list of VPN profiles in the Personal Profile and determine if any VPN profiles are listed. If so, verify the VPN profiles are not configured with a DOD network VPN profile. If any VPN profiles are installed in the Personal Profile and they have a DOD network VPN profile configured, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
Do not configure DOD VPN profiles in the Personal Profile. If there is a DOD VPN profile configured in the Personal Profile, remove it.
Review managed Google Android 14 device configuration settings to determine if the mobile device is enforcing a high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters). 1. Verify the device password configuration: On the EMM Console: a. Open "Lock screen" settings. b. Open "Set required password complexity on parent". c. Verify "High" is selected. 2. Verify the Work Profile password configuration: On the EMM console (for the work profile): 1. Open "Lock screen" settings. 2. Open "Password constraints". 3. Open "Minimum password quality". 4. Verify Numeric Complex, Alphabetic, Alphanumeric, or Complex is selected. 5. Open "Minimum password length". 6. Verify "6" is set for number of characters. If the device password quality is not set to High, or the Work Profile password length is not set to six characters, or the password quality is not set as required, this is a finding. Note: verifying the OneLock configuration is not required because the use of OneLock is optional.
Configure the Google Android 14 device to enforce high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters). In addition, enable OneLock so the user only must enter their device password to unlock the Work Profile. Note: enabling OneLock is optional and is a two-step process: configuration on the EMM and configuration by the user on the phone. If OneLock is not used, the user will always need to enter separate passwords to unlock the device and to unlock the Work Profile. 1. Set the password on the whole device: Set device password complexity to "HIGH" (requires (at minimum) an eight numeric character password, or six alphabetic character password, or a six alphanumeric character password). On the EMM console, do the following: a. Open "Lock screen" settings. b. Open "Set required password complexity on parent". c. Select "High". 2. Set DOD password for the Work Profile. On the EMM console, do the following: a. Open "Lock screen" settings. b. Open "Password constraints". c. Open "Minimum password quality". d. Choose Numeric Complex, Alphabetic, Alphanumeric, or Complex. e. Open "Minimum password length". f. Enter in the number of characters as "6". 3. Enable OneLock on the EMM. On the MDM console, do the following: a. Disable the following Android API: "DISALLOW_UNIFIED_PASSWORD". The exact procedure will depend on the EMM product. Note: this control may be called "Require separate challenge". 4. Train users to implement OneLock with the following User Based Enforcement (UBE): procedure: a. Open Settings >> Security & privacy >> More security settings. b. Enable "Use one lock".
Review managed Google Android 14 device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of inactivity. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device. On the EMM Console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Verify that "Max time to screen lock" is set to any number desired; the units are in seconds. On the managed Google Android 14 device: 1. Open Settings >> Display. 2. Tap "Screen timeout". 3. Ensure the Screen timeout value is set to the desired value and cannot be set to a larger value. If the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity, this is a finding.
Configure the Google Android 14 device to enable a screen-lock policy that will lock the display after a period of inactivity. On the EMM Console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Set "Max time to screen lock" to any number desired. Note: The units are in seconds.
Review managed Google Android device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of 15 minutes or less of inactivity. Note: Google Android 14 does not support the 15-minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control should be set to 10 minutes. This validation procedure is performed on both the EMM Administration Console and the Android 14 device. On the EMM Console: 1. Open "Lock screen restrictions". 2. Verify that "Max time to screen lock" is set to "600". Note: The units are in seconds. On the managed Google Android 14 device: 1. Open Settings >> Display. 2. Tap "Screen timeout". 3. Ensure the Screen timeout value is set to "600" seconds or less. If the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity of 600 seconds or less, this is a finding.
Configure the Google Android 14 device to enable a screen-lock policy of 15 minutes for the max period of inactivity. Note: Google Android 14 does not support the 15 minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control will be set to 10 minutes. On the EMM Console: 1. Open "Lock screen restrictions". 2. Set "Max time to screen lock" to "600". Note: The units are in seconds.
Review managed Google Android 14 device configuration settings to determine if the work profile has the maximum number of consecutive failed authentication attempts set at 10 or fewer. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device. On the EMM Console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Verify that "Max password failures for local wipe" is set to a number between 1 and 10. On the managed Google Android 14 device: 1. Lock the device screen. 2. Attempt to unlock the device and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile. 3. Attempt to unlock the Work Profile and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile. If the EMM console device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, or if on the managed Google Android 14 device the device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, this is a finding.
Configure the Google Android 14 device to allow only 10 or fewer consecutive failed authentication attempts. Note: Work Profile will be wiped. On the EMM Console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Set "Max password failures for local wipe" to a number between 1 and 10.
Review managed Google Android 14 device configuration settings to determine if the mobile device has only approved application repositories. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device. On the EMM Console: 1. Open "Set user restrictions". 2. Verify that "Disallow install unknown sources" is toggled to "ON". 3. Verify that "Disallow installs from unknown sources globally" is toggled to "ON". On the Google Android 14 device: 1. Open Settings >> Apps >> Special app access. 2. Open Install unknown apps. 3. Ensure the list of apps is blank or if an app is on the list, "Disabled" is listed under the app name. If the EMM console device policy is not set to allow connections to only approved application repositories or on the managed Google Android 14 device, the device policy is not set to allow connections to only approved application repositories, this is a finding.
Configure the Google Android 14 device to disable unauthorized application repositories. On the EMM Console: 1. Open "Set user restrictions". 2. Toggle "Disallow install unknown sources" to "ON". 3. Toggle "Disallow installs from unknown sources globally" to "ON".
Review managed Google Android 14 device configuration settings to determine if the mobile device has an application allowlist configured. Verify all applications listed on the allowlist have been approved by the Approving Official (AO). On the EMM console: 1. Go to the Android app catalog for managed Google Play. 2. Verify all selected apps are AO approved. On the managed Google Android 14 device: 1. Open the managed Google Play Store. 2. Verify that only the approved apps are visible. Note: Managed Google Play is an allowed App Store. If the EMM console list of selected managed Google Play apps includes nonapproved apps, this is a finding. Note: The application allowlist will only include approved core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. For Google Android, there are no pre-installed applications.
Configure the Google Android 14 device to use an application allowlist. On the EMM Console: 1. Go to the Android app catalog for managed Google Play. 2. Select apps to be available (only approved apps). 3. Push updated policy to the device. Note: Managed Google Play is an allowed App Store.
Review managed Google Android 14 device configuration settings to determine if the mobile device has an application allowlist configured and that the application allowlist does not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers; and - Apps which backup their own data to a remote system. This validation procedure is performed only on the EMM Administration Console. On the EMM console: 1. Review the list of selected Managed Google Play apps. 2. Review the details and privacy policy of each selected app to ensure the app does not include prohibited characteristics. If the EMM console device policy includes applications with unauthorized characteristics, this is a finding.
Configure the Google Android 14 device application allowlist to exclude applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers; and - Apps which backup their own data to a remote system. On the EMM Console: 1. Go to the Android app catalog for managed Google Play. 2. Before selecting an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics.
Review managed Google Android 14 device settings to determine if the Google Android 14 device displays (work profile) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Verify that "Disable unredacted notifications" is toggled to "ON". On the managed Google Android 14 device: 1. Go to Settings >> Display >> Lock screen. 2. Tap on "When work profile is locked". 3. Verify that "Hide sensitive work content" is selected. If the EMM console device policy allows work notifications on the lock screen, or the managed Google Android 14 device allows work notifications on the lock screen, this is a finding.
Configure the Google Android 14 device to not display (work profile) notifications when the device is locked. On the EMM console: 1. Open "Lock screen" settings. 2. Open "Lock screen restrictions". 3. Toggle "Disable unredacted notifications".
Review device configuration settings to confirm that trust agents are disabled at the same location where the DOD password is implemented (device or work profile). This procedure is performed on both the EMM Administration console and the managed Google Android 14 device. On the EMM console: 1. Open "Lock screen restrictions". 2. Select "Personal Profile". 3. Verify that "Disable trust agents" is toggled to "ON". 4. Open "Lock screen restrictions". 5. Select "Work Profile". 6. Verify that "Disable trust agents" is toggled to "ON". On the managed Google Android 14 device: 1. Open Settings. 2. Tap "Security & privacy". 3. Tap "More security settings". 4. Tap "Trust agents". 5. Verify that all listed trust agents are disabled and cannot be enabled. If on the EMM console, "disable trust agents" is not selected, or on the managed Google Android 14 device a trust agent can be enabled, this is a finding.
Configure the Google Android 14 device to disable trust agents at the same location where the DOD password is implemented (device or work profile). On the EMM console: 1. Open "Lock screen restrictions". 2. Select "Personal Profile". 3. Toggle "Disable trust agents" to "ON". 4. Open "Lock screen restrictions". 5. Select "Work Profile". 6. Toggle "Disable trust agents" to "ON".
The DOD warning banner can be displayed using the following method (required text is found in the Vulnerability Discussion): Place the DOD warning banner text in the user agreement signed by each managed Android 14 device user (preferred method). Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode. Review the signed user agreements for Google Android 14 device users and verify the agreement includes the required DOD warning banner text. If the required warning banner text is not on all signed user agreements reviewed, this is a finding.
Configure the DOD warning banner by the following method (required text is found in the Vulnerability Discussion): Place the DOD warning banner text in the user agreement signed by each Google Android 14 device user (preferred method). Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode.
Review managed Google Android 14 device configuration settings to determine if the capability to back up to a remote system has been disabled. Note: Since personal accounts cannot be added to the work profile (GOOG-14-710100), this control only impacts personal accounts, this setting is used to prevent violations within the work profile for backing up data. This is not applicable to the personal profile. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device. On the EMM console: 1. Open "Device owner management". 2. Verify "Enable backup service" is toggled to "OFF". On the managed Google Android 14 device: 1. Go to Settings >> System >> System >> Backup. 2. Select "Work". 3. Verify Backup settings is "Not available". If backup service for the work profile has not been disabled, this is a finding.
Configure the Google Android 14 device to disable backup to remote systems (including commercial clouds). On the EMM console: 1. Open "Device owner management". 2. Toggle "Enable backup service" to "OFF".
Review documentation on the managed Google Android 14 device and inspect the configuration on the Google Android device to verify the access control policy that prevents [selection: application processes] from accessing [selection: all] data stored by other [selection: application processes] is enabled. This validation procedure is performed only on the EMM Administration Console. On the EMM console: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Verify that "Disallow cross profile copy/paste" is toggled to "ON". 4. Verify that "Disallow sharing data into the profile" is toggled to "ON". If the EMM console device policy is not set to disable data sharing between profiles, this is a finding.
Configure the Google Android 14 device to enable the access control policy that prevents [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. Note: All application data is inherently sandboxed and isolated from other applications. To disable copy/paste on the EMM Console: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Toggle "Disallow cross profile copy/paste" to "ON". 4. Toggle "Disallow sharing data into the profile" to "ON".
Review a sample of site User Agreements for Google Android 14 device users or similar training records and training course content. Verify the Google Android 14 device users have completed the required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Google Android 14 device user has not completed the required training, this is a finding.
All Google Android 14 device users must complete training on the following training topics (users must acknowledge that they have reviewed training via a signed User Agreement or similar written record): - Operational security concerns introduced by unmanaged applications/unmanaged personal space, including applications using global positioning system (GPS) tracking. - The need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for always maintaining positive control of their credentialed device. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure that a factory data reset is performed prior to device hand-off. Follow mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Google device: **Do not remove DOD intermediate and root PKI digital certificates. **Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space. -How to implement OneLock. -Screenshots will not be taken of any "work"-related managed data. -Screenshots will not be taken of any "work"-related managed data.
Review device configuration settings to confirm that the DOD root and intermediate PKI certificates are installed (work profile only). This procedure is performed on both the EMM Administration console and the managed Google Android 14 device. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet). On the EMM console, verify that the DOD root and intermediate certificates are part of a device and/or work profile that is being pushed down to the devices. On the managed Google Android 14 device: 1. Open Settings. 2. Tap "Security & privacy". 3. Tap "More security settings". 4. Tap "Encryption & credentials". 5. Tap "Trusted credentials". 6. Verify that DOD root and intermediate PKI certificates are listed under the User tab in the Work section. If on the EMM console the DOD root and intermediate certificates are not listed in a profile, or the managed Android 14 device does not list the DOD root and intermediate certificates under the user tab, this is a finding.
Configure the Google Android 14 device to install DOD root and intermediate certificates (work profile only). On the EMM console upload DOD root and intermediate certificates as part of the work profile. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).
Review the managed Google Android 14 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device. On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow modify accounts" is toggled to "ON". On the managed Google Android 14 device: 1. Open Settings. 2. Tap "Passwords & accounts". 3. Select "Work". 4. Tap "Add account". 5. Verify a message is displayed to the user stating, "Blocked by your IT admin". If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 14 device the user is able to add an account in the Work section, this is a finding.
Configure the Google Android 14 device to prevent users from adding personal email accounts to the work email app. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow modify accounts" to "ON". Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app.
Review the managed Google Android 14 work profile configuration settings to confirm the system application disable list is enforced (work profile only). This setting is enforced by default. Verify only approved system apps have been placed on the core allowlist. This procedure is performed on the EMM Administrator console. Review the system app allowlist and verify only approved apps are on the list. 1. Open "Apps management" section. 2. Select "Hide apps on parent". 3. Verify package names of apps are listed. If on the EMM console the system app allowlist contains unapproved core apps, this is a finding.
Configure the Google Android 14 device to enforce the system application disable list (work profile only). The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the EMM console: 1. Open "Apps management" section. 2. Select "Hide apps on parent". 3. Enter package names of apps to hide. Configure a list of approved Google core and preinstalled apps in the core app allowlist.
Review that managed Google Android 14 is configured for BYOD (work profile for employee-owned devices [BYOD]). This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device. On the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD). On the managed Google Android 14 device: 1. Go to the application drawer. 2. Ensure a Personal tab and a Work tab are present. If on the EMM console, the default enrollment is not set for BYOD (work profile for employee-owned devices [BYOD]), or if on the managed Android 14 device, the user does not have a Work tab, this is a finding.
Configure the Google Android 14 device for BYOD (work profile for employee-owned devices [BYOD]). On the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD). Refer to the EMM documentation to determine how to configure the device.
Review the work profile Chrome Browser app on the Google Android 14 autofill setting. This procedure is performed only on the EMM Administrator console. On the EMM console: 1. Open "Managed Configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Verify "SearchSuggestEnabled" is turned "OFF". If on the EMM console autofill is set to "On" in the Chrome Browser Settings, this is a finding.
Configure the Chrome browser on the Google Android 14 device work profile to disable autofill. On the EMM console: 1. Open "Managed Configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Ensure "SearchSuggestEnabled" is turned "OFF". Refer to the EMM documentation to determine how to configure Chrome Browser Settings.
Review the Google Android 14 work profile configuration settings to confirm that autofill services are disabled. This procedure is performed only on the EMM Administration console. On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow autofill" is toggled to "ON". If on the EMM console "disallow autofill" is not selected, this is a finding.
Configure the Google Android 14 device work profile to disable the autofill services. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow autofill" to "ON".
Review device configuration settings to confirm the Google Android device has the most recently released version of managed Google Android 14 installed. This procedure is performed on both the EMM console and the managed Google Android 14 device. In the EMM management console, review the version of Google Android 14 installed on a sample of managed devices. This procedure will vary depending on the EMM product. To determine the installed operating system version on the managed Google Android 14 device: 1. Open Settings. 2. Tap "About phone". 3. Verify "Build number". If the installed version of the Google Android 14 operating system on any reviewed device is not the latest released by Google, this is a finding. Google's Android operating system patch website: https://source.android.com/security/bulletin/ Android versions for Pixel devices: https://developers.google.com/android/images
Install the latest released version of the Google Android 14 operating system on all managed Google devices. Note: Google Android device operating system updates are released directly by Google or can be distributed via the EMM. Check each device manufacturer and/or carriers for current updates.
Review the managed Google Android 14 configuration settings to confirm that no third-party keyboards are enabled (work profile only). This procedure is performed on the EMM console. On the EMM console: 1. Open "Input methods". 2. Tap "Set input methods". 3. Verify only the approved keyboards are selected. If unapproved third-party keyboards are allowed in the work profile, this is a finding.
Configure the Google Android 14 device to disallow the use of third-party keyboards (work profile only). On the EMM console: 1. Open "Input methods". 2. Tap "Set input methods". 3. Select only the approved keyboards. Additionally, admins can configure application allowlists for Google Play so no third-party keyboards are available for user installation.
Review the device configuration to confirm that the user is unable to remove DOD root and intermediate PKI certificates (work profile). On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow config credentials" is toggled to "ON". On the Google Android 14 device: 1. Open Settings. 2. Tap "Security and privacy". 3. Tap "More security settings". 4. Tap "Encryption & credentials". 5. Tap "Trusted credentials". 6. Verify the user is unable to untrust or remove any work certificates. If the user can remove certificates on the Google Android 14 device, this is a finding.
Configure Google Android 14 device to prevent a user from removing DOD root and intermediate PKI certificates (work profile). On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow config credentials" to "ON".