Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide

V1R2 · · · Released 24 Jul 2024 · 41 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 20 Nov 2020 +1

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 1

  • V-264377 High All Samsung Android 11 installations must be removed.
Sort by
b
Samsung Android must be configured to enforce a minimum password length of six characters.
IA-5 - Medium - CCI-000205 - V-230973 - SV-230973r958468_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
KNOX-11-000100
Vuln IDs
  • V-230973
Rule IDs
  • SV-230973r958468_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #1a
Checks: C-33903r619490_chk

Review Samsung Android device configuration settings to determine if the mobile device is enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify "minimum password length" is set to "6". NOTE: The following text is written assuming a password quality of "Numeric" or "Numeric (Complex)" has been configured. If a password quality of "Alphabetic" (or better) has been configured, substitute the text "PIN" with "Password" and "6 digits" with "6 characters". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.

Fix: F-33876r619491_fix

Configure Samsung Android to enforce a minimum password length of six characters. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set "minimum password length" to "6".

b
Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
CM-6 - Medium - CCI-000366 - V-230974 - SV-230974r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-000300
Vuln IDs
  • V-230974
Rule IDs
  • SV-230974r959010_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #1b
Checks: C-33904r619493_chk

This requirement is not applicable if the password quality is set to Numeric (complex) or better. Review Samsung Android configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password section, verify the "maximum sequential numbers" is set to "2". On the Samsung Android device: 1. Open Settings. 2. Tap "Lock screen". 3. Tap "Screen lock type". 4. Enter current password. 5. Tap "Password". 6. Verify that passwords with two or more sequential numbers are not accepted. If on the management tool "maximum sequential numbers" is more than "2", or on the Samsung Android device a password with two or more sequential numbers is accepted, this is a finding.

Fix: F-33877r619494_fix

This requirement is not applicable if the password quality is set to Numeric (complex) or better. Configure Samsung Android to prevent passwords from containing more than two repeating or sequential characters. On the management tool, in the device password section, set the "maximum sequential numbers" to "2".

b
Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
AC-11 - Medium - CCI-000057 - V-230975 - SV-230975r958402_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
KNOX-11-000500
Vuln IDs
  • V-230975
Rule IDs
  • SV-230975r958402_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. Satisfies: PP-MDF-301030, PP-MDF-301040 SFR ID: FMT_SMF_EXT.1.1 #2a, FMT_SMF_EXT.1.1 #2b
Checks: C-33905r619496_chk

Review Samsung Android configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify the "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Tap "Lock automatically". 5. Verify the listed timeout values are 15 minutes or less. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device "Secure lock settings" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.

Fix: F-33878r619497_fix

Configure Samsung Android to lock the device display after 15 minutes (or less) of inactivity. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set the "max time to screen lock" to "15 minutes" or less.

b
Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
AC-7 - Medium - CCI-000044 - V-230976 - SV-230976r958388_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
KNOX-11-000700
Vuln IDs
  • V-230976
Rule IDs
  • SV-230976r958388_rule
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5
Checks: C-33906r619499_chk

Review Samsung Android configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts set at 10 or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify the "max password failures for local wipe" is set to "10" attempts or less. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Verify that "Auto factory reset" menu is disabled. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device the "Auto factory reset" menu is not disabled, this is a finding.

Fix: F-33879r619500_fix

Configure Samsung Android to allow only 10 or fewer consecutive failed authentication attempts. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set the "max password failures for local wipe" to "10" attempts or less.

b
Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.
CM-6 - Medium - CCI-000366 - V-230977 - SV-230977r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-001300
Vuln IDs
  • V-230977
Rule IDs
  • SV-230977r959010_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #8a
Checks: C-33907r619502_chk

Review Samsung Android configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, management tool server, and/or mobile application store). This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "installs from unknown sources globally" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Apps >> (Overflow menu) >> Special access >> Install unknown apps. 2. Tap (Overflow menu) >> Show system apps. 3. In the "Personal" tab, ensure that each app listed has the status "Disabled" under the app name or that no apps are listed. 4. In the "Work" tab, ensure that each app listed has the status "Disabled" under the app name or that no apps are listed. If on the management tool "installs from unknown sources globally" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding. NOTE: Google Play must not be disabled. Disabling Google play will cause system instability and critical updates will not be received.

Fix: F-33880r619503_fix

Configure Samsung Android to disable unauthorized application repositories. On the management tool, in the AE device restrictions section, set "installs from unknown sources globally" to "Disallow". NOTE: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.

b
Samsung Android Work Environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
CM-6 - Medium - CCI-000366 - V-230978 - SV-230978r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-001700
Vuln IDs
  • V-230978
Rule IDs
  • SV-230978r959010_rule
The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the OS by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #8b
Checks: C-33908r619505_chk

Review the Samsung Android Work Environment configuration setting to determine if the mobile device has an application allowlist configured. Verify that all applications listed on the allowlist have been approved by the Approving Official (AO). This validation procedure is performed only on the management tool Administration Console. On the management tool: 1. Open the device restrictions section. 2. Verify "installed from unknown sources globally" is set to "Disallow". 3. In the Work Environment app catalog for managed Google Play, verify that only AO-approved apps are available. If on the management tool the Work Environment app catalog for managed Google Play includes non-AO-approved apps, this is a finding.

Fix: F-33881r619506_fix

Configure Samsung Android Work Environment to use an application allowlist. The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. On the management tool: 1. Open the device restrictions section. 2. Set "installs from unknown sources globally" to "Disallow". 3. In the Work Environment app catalog for managed Google Play, add each AO-approved app to be available. NOTE: Managed Google Play is an allowed App Store.

b
The Samsung Android Work Environment allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
CM-6 - Medium - CCI-000366 - V-230979 - SV-230979r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-001900
Vuln IDs
  • V-230979
Rule IDs
  • SV-230979r959010_rule
Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment. Application note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the OS by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. SFR ID: FMT_SMF_EXT.1.1 #8b
Checks: C-33909r619508_chk

Review Samsung Android Work Environment configuration setting to determine if the application allowlist is configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. This validation procedure is performed only on the management tool Administration Console. On the management tool, in the Work Environment app catalog for managed Google Play, for each approved app, verify the app details and privacy policy to ensure the app does not include prohibited characteristics. If on the management tool the Work Environment app catalog for managed Google Play includes apps with unauthorized characteristics, this is a finding.

Fix: F-33882r619509_fix

Configure Samsung Android Work Environment to use an application allowlist to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. On the management tool, in the Work Environment app catalog for managed Google Play, before adding an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics. NOTE: Managed Google Play is an allowed App Store.

a
Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
CM-6 - Low - CCI-000366 - V-230980 - SV-230980r959010_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-11-002300
Vuln IDs
  • V-230980
Rule IDs
  • SV-230980r959010_rule
Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #18h
Checks: C-33910r619511_chk

Review Samsung Android configuration settings to determine if all Bluetooth profiles are disabled except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device Bluetooth section, verify that only DoD-approved profile UUIDs are listed in the "Bluetooth UUID allowlist": HFP, HSP, SPP, A2DP, AVRCP, and PBAP. On the Samsung Android device: 1. Open Settings >> Connections >> Bluetooth. 2. Verify only Bluetooth devices that use DoD-approved profiles are listed. If on the management tool the "Bluetooth UUID allowlist" contains non-DoD-approved profile UUIDs, or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding.

Fix: F-33883r619512_fix

Configure Samsung Android to disable all Bluetooth profiles except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. On the management tool, in the device Bluetooth section, add each DoD-approved profile UUID to the "Bluetooth UUID allowlist": HFP, HSP, SPP, A2DP, AVRCP, and PBAP.

b
Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.
CM-6 - Medium - CCI-000366 - V-230981 - SV-230981r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-002700
Vuln IDs
  • V-230981
Rule IDs
  • SV-230981r959010_rule
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19
Checks: C-33911r619514_chk

Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow". For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding. *** For COBO: On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify that "Notifications" menu is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Notifications" menu is not disabled, this is a finding.

Fix: F-33884r619515_fix

Configure Samsung Android to not display (Work Environment) notifications when the device is locked. On the management tool, in the Work Environment restrictions section, set "Unredacted Notifications" to "Disallow".

c
Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.
SC-28 - High - CCI-001199 - V-230982 - SV-230982r958552_rule
RMF Control
SC-28
Severity
H
CCI
CCI-001199
Version
KNOX-11-003500
Vuln IDs
  • V-230982
Rule IDs
  • SV-230982r958552_rule
The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #21, #47f
Checks: C-33912r619517_chk

This requirement is not applicable for devices that do not support removable storage media. If the mobile device does not support removable media, this requirement is not applicable. Review Samsung Android configuration settings to determine if the use of removable storage media is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Mount physical media" is set to "Disallow". On the Samsung Android device, verify that a microSD card cannot be mounted. NOTE: To mount the microSD card, insert it into the SIM/SD card tray in the slot marked "microSD", and push the tray firmly back into the device. The device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files. If on the management tool "Mount physical media" is not set to "Disallow", or on the Samsung Android device a microSD card can be mounted, this is a finding.

Fix: F-33885r619518_fix

This requirement is not applicable for devices that do not support removable storage media. Configure Samsung Android to enable data-at-rest protection for removable media, or alternatively, disable the use of removable storage media. On the management tool, in the device restrictions section, set "Mount physical media" to "Disallow".

b
Samsung Android must be configured to disable trust agents. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
CM-6 - Medium - CCI-000366 - V-230983 - SV-230983r958478_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-003900
Vuln IDs
  • V-230983
Rule IDs
  • SV-230983r958478_rule
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Checks: C-33913r619520_chk

Review Samsung Android configuration settings to determine if Trust Agents are disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Trust Agents" are set to "Disable". On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents. 2. Verify that all listed Trust Agents are disabled and cannot be enabled. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" can be enabled, this is a finding.

Fix: F-33886r619521_fix

Configure Samsung Android to disable Trust Agents. On the management tool, in the device restrictions section, set "Trust Agents" to "Disable".

b
Samsung Android must be configured to disable Face Recognition. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
CM-6 - Medium - CCI-000366 - V-230984 - SV-230984r958478_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-004100
Vuln IDs
  • V-230984
Rule IDs
  • SV-230984r958478_rule
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Checks: C-33914r619523_chk

Review Samsung Android configuration settings to determine if Face Recognition is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Face" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Face" is disabled and cannot be enabled. If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Fix: F-33887r619524_fix

Configure the Samsung Android to disable Face Recognition. On the management tool, in the device restrictions section, set "Face" to "Disable".

b
Samsung Android must be configured to disable developer modes.
CM-7 - Medium - CCI-000381 - V-230985 - SV-230985r958478_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
KNOX-11-005100
Vuln IDs
  • V-230985
Rule IDs
  • SV-230985r958478_rule
Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #26
Checks: C-33915r619526_chk

Review Samsung Android configuration settings to determine whether a developer mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Debugging Features" is set to "Disallow". On the Samsung Android device: 1. Open "Settings". 2. Verify "Developer options" is not listed. If on the management tool "Debugging Features" is not set to "Disallow" or on the Samsung Android device "Developer options" is listed, this is a finding.

Fix: F-33888r619527_fix

Configure Samsung Android to disable developer modes. On the management tool, in the device restrictions section, set the "Debugging Features" to "Disallow".

a
Samsung Android must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
AC-8 - Low - CCI-000048 - V-230986 - SV-230986r958390_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
KNOX-11-006300
Vuln IDs
  • V-230986
Rule IDs
  • SV-230986r958390_rule
The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. For devices with severe character limitations, the banner text is: I've read & consent to terms in IS user agreem't. The administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF_EXT.1.1 #36
Checks: C-33916r619529_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Validation Procedure for Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Review the signed user agreements for several Samsung Android device users and verify that the agreement includes the required DoD warning banner text. **** Validation Procedure for Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, verify that "Lock Screen Message" is set to the DoD-mandated warning banner text. On the Samsung Android device, verify that the required DoD warning banner text is displayed on the Lock screen. **** If the warning text has not been placed in the signed user agreement, or if on the management tool "Lock Screen Message" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed on the Lock screen, this is a finding.

Fix: F-33889r619530_fix

Configure the DoD warning banner by either of the following methods (required text is found in the Discussion): Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). **** Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, set "Lock Screen Message" to the DoD-mandated warning banner text.

b
Samsung Android must be configured to disable USB mass storage mode.
CM-7 - Medium - CCI-000381 - V-230987 - SV-230987r958478_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
KNOX-11-006500
Vuln IDs
  • V-230987
Rule IDs
  • SV-230987r958478_rule
USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #39a
Checks: C-33917r619532_chk

Review Samsung Android configuration settings to determine if the mobile device has a USB mass storage mode and if it has been disabled. For AE deployments, this configuration is the default configuration. If the management tool does not provide the capability to configure "USB file transfer", there is NO finding because the default setting cannot be changed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow". On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files. If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.

Fix: F-33890r619533_fix

Configure Samsung Android to disable USB mass storage mode. On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".

b
Samsung Android must be configured to not allow backup of all applications, configuration data to locally connected systems.
AC-20 - Medium - CCI-000097 - V-230988 - SV-230988r959010_rule
RMF Control
AC-20
Severity
M
CCI
CCI-000097
Version
KNOX-11-006900
Vuln IDs
  • V-230988
Rule IDs
  • SV-230988r959010_rule
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-33918r619535_chk

Verify requirement KNOX-11-006500 (Disallow USB file transfer) has been implemented. If "Disallow USB file transfer" has not been implemented, this is a finding.

Fix: F-33891r619536_fix

Verify "USB file transfer" has been "Disallowed" (see requirement KNOX-11-006500 [AE]).

b
Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (device management backup). - Disable Backup Services
AC-20 - Medium - CCI-002338 - V-230989 - SV-230989r959010_rule
RMF Control
AC-20
Severity
M
CCI
CCI-002338
Version
KNOX-11-007300
Vuln IDs
  • V-230989
Rule IDs
  • SV-230989r959010_rule
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-33919r619538_chk

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled. This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default. This procedure is applicable to COBO only. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Backup service" is set to "Disallow". On the COBO Samsung Android device: 1. Open Settings >> Accounts and backup. 2. Verify that any backup service listed cannot be configured to back up data. If on the management tool "Backup service" is not set to "Disallow", or on the Samsung Android device a listed backup service can be configured to back up data, this is a finding.

Fix: F-33892r619539_fix

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (device management backup). This requirement is inherently met for COPE because data in a work profile cannot be backed up by default. This guidance is applicable to COBO only. On the management tool, in the Work Environment restrictions section, set "Backup service" to "Disallow".

b
Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (account management backup). - Disable Data Sync
AC-20 - Medium - CCI-002338 - V-230990 - SV-230990r959010_rule
RMF Control
AC-20
Severity
M
CCI
CCI-002338
Version
KNOX-11-007500
Vuln IDs
  • V-230990
Rule IDs
  • SV-230990r959010_rule
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-33920r619541_chk

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Account Management" is set to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync. For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> Accounts. 2. Verify that accounts are grayed out, or an account cannot be added. For COBO: On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Managed accounts. 2. Verify that accounts are grayed out, or an account cannot be added. If on the management tool "Account Management" is not set to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync, or on the Samsung Android device an account can be added, this is a finding.

Fix: F-33893r619542_fix

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (account management backup). On the management tool, in the Work Environment restrictions section, set "Account Management" to "Disable" for Samsung accounts, Google accounts, and each AO-approved app that uses accounts for data backup/sync.

b
Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
AC-17 - Medium - CCI-002314 - V-230991 - SV-230991r958672_rule
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
KNOX-11-008100
Vuln IDs
  • V-230991
Rule IDs
  • SV-230991r958672_rule
If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application note: If hotspot functionality is permitted, it must be authenticated via a pre-shared key. There is no requirement to enable hotspot functionality. SFR ID: FMT_SMF_EXT.1.1 #41a
Checks: C-33921r619544_chk

Review Samsung Android configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a pre-shared key. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device Wi-Fi section, verify that "Unsecured hotspot" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot >> Edit. 2. Tap option "Open" in the "Security" drop-down box. 3. Verify that "Save" is disabled. If on the management tool "Unsecured hotspot" is not set to "Disallow", or on the Samsung Android device "Open" can be selected in the "Security" drop-down box and the configuration can be saved, this is a finding.

Fix: F-33894r619545_fix

Configure Samsung Android to enable authentication of personal hotspot connections to the device using a pre-shared key. On the management tool, in the device Wi-Fi section, set "Unsecured hotspot" to "Disallow".

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Move files to personal
CM-6 - Medium - CCI-000366 - V-230992 - SV-230992r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-008900
Vuln IDs
  • V-230992
Rule IDs
  • SV-230992r959010_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-33922r619547_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable to COPE only. This procedure is performed on the management tool Administration console only. This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed. On the management tool, in the Work Environment RCP section, verify "Move files to personal" is set to "Disallow". If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding. If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Fix: F-33895r619548_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only. On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow". NOTE: "Move files to workspace" may be configured if there is a DoD mission need for this feature.

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Copy and Paste data
CM-6 - Medium - CCI-000366 - V-230993 - SV-230993r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-009100
Vuln IDs
  • V-230993
Rule IDs
  • SV-230993r959010_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-33923r619550_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the sharing of clipboard data from the Work Environment to the Personal Environment is disabled and is applicable to COPE only. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, set "Cross profile copy/paste" to "Disallow". On the Samsung Android device: 1. Using any Work Environment app, copy text to the clipboard. 2. Using any Personal Environment app, verify that the clipboard text cannot be pasted. If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding.

Fix: F-33896r619551_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the sharing of clipboard data from the Work Environment to the Personal Environment and is applicable to COPE only. On the management tool, in the Work Environment restrictions section, set "Cross profile copy/paste" to "Disallow".

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Sync Calendar to personal
CM-6 - Medium - CCI-000366 - V-230994 - SV-230994r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-009300
Vuln IDs
  • V-230994
Rule IDs
  • SV-230994r959010_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-33924r619553_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that Calendar events created in the Work Environment are disallowed from being displayed in the Personal Environment Calendar and is applicable to COPE only. This procedure is performed on the management tool Administration console only. On the management tool, in the Work Environment RCP section, verify that "Sync calendar to personal" is set to "Disallow". On the COPE Samsung Android device: 1. Open Settings >> Work profile >> Notifications and data. 2. Verify that "Export to personal calendar" is disabled and cannot be enabled. If on the management tool the "Sync calendar to personal" is not set to "Disallow", or on the Samsung Android device "Export to personal calendar" is enabled or can be enabled, this is a finding.

Fix: F-33897r619554_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disallowing Calendar events created in the Work Environment from being displayed in the Personal Environment Calendar and is applicable to COPE only. On the management tool, in the Work Environment RCP section, set "Sync calendar to personal" to "Disallow".

a
Samsung Android must [not accept the certificate] when it cannot establish a connection to determine the validity of a certificate.
IA-5 - Low - CCI-000185 - V-230995 - SV-230995r959026_rule
RMF Control
IA-5
Severity
L
CCI
CCI-000185
Version
KNOX-11-013900
Vuln IDs
  • V-230995
Rule IDs
  • SV-230995r959026_rule
Certificate-based security controls are dependent on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DoD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree. SFR ID: FIA_X509_EXT_2.2
Checks: C-33925r619556_chk

Verify requirement KNOX-11-020100 (CC Mode) has been implemented. If CC Mode has not been implemented, this is a finding.

Fix: F-33898r619557_fix

Implement CC Mode (see requirement KNOX-11-020100).

b
The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.
CM-6 - Medium - CCI-000366 - V-230996 - SV-230996r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-017300
Vuln IDs
  • V-230996
Rule IDs
  • SV-230996r959010_rule
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the Administrator or to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33926r619559_chk

Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. In the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app. 2. Provision the user's email account on their behalf. For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> Accounts. 2. Verify that no account can be added. 3. Verify that the user's work email app has been provisioned with the work email account. For COBO: On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts. 2. Verify that no account can be added. 3. Verify that the user's Work email app has been provisioned with the work email account. If on the management tool "Account Management" is not set to "Disable" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.

Fix: F-33899r619560_fix

Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app. Refer to the management tool documentation to determine how to provision users’ work email accounts for the work email app. On the management tool: 1. In the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app. 2. Provision the user's email account on their behalf.

b
Samsung Android Personal Environment must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-230997 - SV-230997r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-017700
Vuln IDs
  • V-230997
Rule IDs
  • SV-230997r959010_rule
The system application disable list controls user access/execution of all core and pre-installed applications. Core application: Any application integrated into Samsung Android by Google or Samsung. Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier. Some system applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33927r619562_chk

Review Samsung Android Personal Environment configuration settings to determine if the system application disable list is enforced. This procedure is only for the Personal Environment of a COPE deployment. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. The required configuration is the default configuration when the device is enrolled as an AE deployment. On the management tool, verify that the "core app allowlist" contains only approved core and preinstalled apps. On the Samsung Android device, review the Personal Environment apps and confirm that only approved core and preinstalled apps are listed. If on the management tool the "core app allowlist" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

Fix: F-33900r619563_fix

Configure the Samsung Android device to enforce the system application disable list. This guidance is only for the Personal Environment of a COPE deployment. The required configuration is the default configuration when the device is enrolled as an AE deployment. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool, configure a list of approved Google core and preinstalled apps in the core app allowlist.

b
Samsung Android Work Environment must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-230998 - SV-230998r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-017900
Vuln IDs
  • V-230998
Rule IDs
  • SV-230998r959010_rule
The system application disable list controls user access/execution of all core and pre-installed applications. Core application: Any application integrated into Samsung Android by Google or Samsung. Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier. Some system applications can compromise DoD data or upload user's information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33928r619565_chk

Review Samsung Android Work Environment configuration settings to determine if the system application disable list is enforced. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. The required configuration is the default configuration when the device is enrolled as an AE deployment. On the management tool, verify that the Work Environment "core app allowlist" contains only approved core and preinstalled apps. On the Samsung Android device, review the Work Environment apps and confirm that only approved core and preinstalled app are listed. If on the management tool the "core app allowlist" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

Fix: F-33901r619566_fix

Configure Samsung Android Work Environment to enforce the system application disable list. The required configuration is the default configuration when the device is enrolled as an AE deployment. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool, configure a list of approved Google core and preinstalled apps in the core app allowlist.

b
Samsung Android Work Environment must be configured to enable audit logging.
CM-6 - Medium - CCI-000366 - V-230999 - SV-230999r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-018300
Vuln IDs
  • V-230999
Rule IDs
  • SV-230999r959010_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. SFR ID: FAU_GEN.1.1 #8
Checks: C-33929r619568_chk

Review Samsung Android device configuration settings to confirm that audit logging is enabled. This validation procedure is performed on the management tool Administration Console only. On the management tool, in the Work Environment restrictions section, verify that "Security logging" is set to "Enable". If on the management tool "Security logging" is not set to "Enable", this is a finding.

Fix: F-33902r619569_fix

Configure Samsung Android to enable audit logging. On the management tool, in the Work Environment restrictions section, set "Security logging" to "Enable".

b
Samsung Android must be enrolled as a COPE/COBO device.
CM-6 - Medium - CCI-000366 - V-231000 - SV-231000r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-018500
Vuln IDs
  • V-231000
Rule IDs
  • SV-231000r959010_rule
The Knox Workspace is the designated application group for the COPE use case. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33930r619571_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Validation Procedure for Method #1: Work profile for company-owned devices (COPE) On the management tool, verify that the default enrollment is set to "Work profile for company-owned devices". On the Samsung Android device: 1. Open Settings >> Work profile >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. 3. Go to the app drawer. 4. Verify that a "Personal" and "Work" tab are present. If on the management tool the default enrollment is not set as "Work profile for company-owned devices", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding. **** Validation Procedure for Method #2: Fully Managed (COBO) On the management tool, verify that the default enrollment is set as "Fully managed". On the Samsung Android device: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. **** If on the management tool the default enrollment is not set as "Fully managed", or the management tool Agent is not listed, this is a finding.

Fix: F-33903r619572_fix

Enroll the Samsung Android device in a DoD-approved use case by either of the following methods: Method #1: Work profile for company-owned devices (COPE) On the management tool, configure the default enrollment as "Work profile for company-owned devices". **** Method #2: Fully Managed (COBO) On the management tool, configure the default enrollment as "Fully managed". **** Refer to the management tool documentation to determine how to configure the device enrollment.

b
Samsung Android device users must complete required training.
CM-6 - Medium - CCI-000366 - V-231001 - SV-231001r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-018900
Vuln IDs
  • V-231001
Rule IDs
  • SV-231001r959010_rule
The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33931r619574_chk

Review a sample of site User Agreements of Samsung device users or similar training records and training course content. Verify that Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.

Fix: F-33904r619575_fix

Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record. Training topics: - Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking. - Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Samsung device: 1. Secure use of Calendar Alarm. 2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use). 3. Do not connect Samsung devices (either via DeX Station or dongle) to any DoD network via Ethernet connection. 4. Do not upload DoD contacts via smart call and caller ID services. 5. Disable Wi-Fi Sharing. 6. Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space. - AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.

b
Samsung Android Work Environment must be configured to disable the autofill services.
CM-6 - Medium - CCI-000366 - V-231002 - SV-231002r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-019700
Vuln IDs
  • V-231002
Rule IDs
  • SV-231002r959010_rule
The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill services, an adversary who learns a user's Samsung Android device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the autofill services to provide information unknown to the adversary. By disabling the autofill services, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. Examples of apps that offer autofill services include Samsung Pass, Google, Dashlane, LastPass, and 1Password. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33932r619577_chk

Review Samsung Android Work Environment configuration settings to determine if autofill services are disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. This policy cannot be enforced on a Legacy deployment and is a permanent finding. On the management tool, in the Work Environment restrictions section, verify that "Autofill services" is set to "Disallow". For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> More settings >> Keyboard and input >> Autofill service. 2. Verify that no Autofill services are listed. For COBO: On the Samsung Android device: 1. Open Settings >> General management >> Language and input >> Autofill service. 2. Verify that no Autofill services are listed. If on the management tool "Autofill services" is not set to "Disallow", or on the Samsung Android device autofill services are listed, this is a finding.

Fix: F-33905r619578_fix

Configure the Samsung Android Work Environment to disable autofill services. On the management tool, in the Work Environment restrictions section, set "Autofill services" to "Disallow".

a
Samsung Android must be configured to enable Knox CC Mode.
CM-6 - Low - CCI-000366 - V-231003 - SV-231003r959010_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-11-020100
Vuln IDs
  • V-231003
Rule IDs
  • SV-231003r959010_rule
The KPE CC Mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC Mode is not implemented the device will not be operating in the NIAP-certified compliant CC Mode of operation. CC Mode implements the following behavioral/functional changes to meet MDFPP requirements: - Download Mode is disabled and all updates will occur via FOTA only. In addition, CC Mode adds new restrictions, which are not to meet MDFPP requirements, but to offer better security above what is required: - Force password info following FOTA update for consistency. - Disable Remote unlock by FindMyMobile. - Restrict biometric attempts to 10 for better security. - Support Android CommonCriteria mode API implementation, which secures BT and Wi-Fi keys. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33933r619580_chk

Review Samsung Android configuration settings to determine if KPE CC Mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "CC mode" is set to "Enable". On the Samsung Android device, put the device into "Download mode" and verify that the text "Blocked by CC Mode" is displayed on the screen. If on the management tool "CC mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.

Fix: F-33906r619581_fix

Configure Samsung Android to enable KPE CC Mode. On the management tool, in the device restrictions section, set "CC mode" to "Enable".

b
Samsung Android must be configured to disallow configuration of Date Time.
CM-6 - Medium - CCI-000366 - V-231004 - SV-231004r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-020500
Vuln IDs
  • V-231004
Rule IDs
  • SV-231004r959010_rule
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), the Global Positioning System (GPS), or the wireless carrier. Time stamps generated by the audit system in Samsung Android must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33934r619583_chk

Review Samsung Android configuration settings to determine if the configuration of the date and time is disallowed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Config Date Time" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> General management >> Date and time. 2. Verify that "Automatic data and time" is on and the user cannot disable it. If on the management tool "Config Date Time" is not set to "Disallow", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.

Fix: F-33907r619584_fix

Configure Samsung Android to disallow configuration of the date and time. On the management tool, in the device restrictions section, set "Config Date Time" to "Disallow".

b
Samsung Android must be configured to enforce a USB host mode exception list. NOTE: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
CM-6 - Medium - CCI-000366 - V-231005 - SV-231005r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-020900
Vuln IDs
  • V-231005
Rule IDs
  • SV-231005r959010_rule
The USB host mode feature allows USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. The USB host mode exception list allows selected USB devices to operate, while disallowing others, based on their USB device class. With some USB device classes, a user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. However, some USB device classes do not allow data to be copied, such as Human Interface Devices (HID). Disabling all USB devices except for HID mitigates the risk of compromising sensitive DoD data. This allows for DeX mode to be used, with a USB keyboard and mouse, without compromising DoD data. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33935r619586_chk

Review Samsung Android device configuration settings to determine if USB host mode exception list is configured, or alternatively, if USB host mode is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "HID" is the only USB class included in the "USB host mode exception list". On the Samsung Android device: 1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device. 2. Connect a USB thumb drive to the adapter. 3. Verify that the device cannot access the USB thumb drive. If on the management tool the "USB host mode exception list" includes a USB class other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.

Fix: F-33908r619587_fix

Configure Samsung Android with a USB host mode exception list, or alternatively, disable the use of USB host mode. On the management tool, in the device restrictions section, add the "HID" USB class to the "USB host mode exception list".

b
Samsung Android Work Environment must be configured to enforce that Share Via List is disabled.
CM-6 - Medium - CCI-000366 - V-231006 - SV-231006r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-021300
Vuln IDs
  • V-231006
Rule IDs
  • SV-231006r959010_rule
The "Share Via List" feature allows the transfer of data between nearby Samsung devices via Android Beam, Wi-Fi Direct, Link Sharing, and Share to Device. If sharing were enabled, sensitive DoD data could be compromised. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33936r619589_chk

Review Samsung Android Work Environment configuration settings to determine if Share Via List is disallowed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Share Via List" is set to "Disallow". On the Samsung Android device, attempt to share by long pressing a file in the Work Environment and tapping "Share". If on the management tool "Share Via List" is not set to "Disallow", or on the Samsung Android device the user is able to share, this is a finding.

Fix: F-33909r619590_fix

Configure Samsung Android Work Environment to disallow Share Via List. On the management tool, in the Work Environment restrictions section, set "Share Via List" to "Disallow". NOTE: Disabling Share Via List will also disable functionality such as Gallery Sharing and Direct Sharing.

b
Samsung Android must be configured to disallow outgoing beam.
CM-6 - Medium - CCI-000366 - V-231007 - SV-231007r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-021700
Vuln IDs
  • V-231007
Rule IDs
  • SV-231007r959010_rule
Outgoing beam allows transfer of data through NFC and Bluetooth by touching two unlocked devices together. If it were enabled, sensitive DoD data could be transmitted. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33937r619592_chk

Review Samsung Android Work Environment configuration settings to verify that outgoing beam is disallowed. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This validation procedure is applicable to COBO only. This procedure is performed on both the MDM Administration console and the Samsung Android device. On the MDM console, in the Work Environment restrictions section, verify that "disallow outgoing beam" is selected. On the Samsung Android device, open a picture, contact, or web page and put it back to back with an unlocked outgoing beam-enabled device. Verify that outgoing beam cannot be started. If on the MDM console "outgoing beam" is not set to "disallow", or on the Samsung Android device the user is able to successfully start outgoing beam, this is a finding.

Fix: F-33910r619593_fix

Configure Samsung Android to disallow outgoing beam. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This guidance is applicable to COBO only. On the MDM console, in the Work Environment restrictions section, set "outgoing beam" to "disallow".

b
Samsung Android Work Environment must be configured to enforce that Wi-Fi Sharing is disabled.
CM-6 - Medium - CCI-000366 - V-231008 - SV-231008r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-022100
Vuln IDs
  • V-231008
Rule IDs
  • SV-231008r959010_rule
Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection. Wi-Fi Sharing grants the "other" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a pre-shared key for personal hotspots. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33938r619595_chk

Review Samsung Android device configuration settings to confirm that Wi-Fi Sharing is disabled. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been verified as disabled on the management tool, the following guidance is not applicable. This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement. On the Samsung Android device: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. 2. Verify that "Wi-Fi sharing" is disabled. If on the Samsung Android device "Wi-Fi sharing" is enabled, this is a finding.

Fix: F-33911r619596_fix

Configure Samsung Android to disable Wi-Fi Sharing. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the management tool, the following guidance is not applicable. On the Samsung Android device: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. 2. Disable "Wi-Fi sharing" if it is enabled.

b
Samsung Android Work Environment must be configured to enable Certificate Revocation checking.
CM-6 - Medium - CCI-000366 - V-231009 - SV-231009r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-022500
Vuln IDs
  • V-231009
Rule IDs
  • SV-231009r959010_rule
A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using CRLs. When OCSP is enabled, it is used prior to CRL checking. If OCSP could not obtain a decisive response about a certificate, it will then try to use CRL checking. The OCSP response server must be listed in the certificate information under Authority Info Access. This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33939r619598_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on the management tool Administration Console only. **** Validation Procedure for Method #1: CRL Checking On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps". If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding. **** Validation Procedure for Method #2: OCSP with CRL Fallback On the management tool: 1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps". 2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps". If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.

Fix: F-33912r619599_fix

Configure Samsung Android Work Environment to enable Certificate Revocation checking by either of the following methods: Method #1: CRL Checking On the management tool, in the Work profile certificate section, set "Revocation check" to "enable for all apps". **** Method #2: OCSP with CRL Fallback On the management tool: 1. In the Work profile certificate section, set "Revocation check" to "enable for all apps". 2. In the Work profile restrictions section, set "OCSP check" to "enable for all apps". **** Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".

b
Samsung Android Work Environment must have the DoD root and intermediate PKI certificates installed.
CM-6 - Medium - CCI-000366 - V-231010 - SV-231010r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-022900
Vuln IDs
  • V-231010
Rule IDs
  • SV-231010r959010_rule
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33940r619601_chk

Review Samsung Android Work Environment configuration settings to determine if the DoD root and intermediate PKI certificates are installed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work Environment certificate section, verify that the DoD root and intermediate PKI certificates are installed. On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment. If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding.

Fix: F-33913r619602_fix

Configure the Samsung Android Work Environment to install DoD root and intermediate PKI certificates. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work Environment certificate section, install the DoD root and intermediate PKI certificates.

b
Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
CM-6 - Medium - CCI-000366 - V-231011 - SV-231011r959010_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-11-023100
Vuln IDs
  • V-231011
Rule IDs
  • SV-231011r959010_rule
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DoD root and intermediate PKI certificates to the Administrator mitigates this risk. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-33941r619604_chk

Review Samsung Android Work Environment configuration settings to determine if the user is unable to remove DoD root and intermediate PKI certificates. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Config credentials" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted. 3. In the User tab, verify that no listed certificate in the Work Environment can be removed. If on the management tool the device "Config credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.

Fix: F-33914r619605_fix

Configure Samsung Android Work Environment to prevent a user from removing DoD root and intermediate PKI certificates. On the management tool, in the Work Environment restrictions section, set "Config credentials" to "Disallow".

c
The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
CM-6 - High - CCI-000366 - V-231012 - SV-231012r959010_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
KNOX-11-023300
Vuln IDs
  • V-231012
Rule IDs
  • SV-231012r959010_rule
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33942r619607_chk

Review Samsung Android device configuration settings to confirm that the most recently released version of Samsung Android is installed. This procedure is performed on both the management tool and the Samsung Android device. In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. See the notes below to determine the latest available OS version. On the Samsung Android device, to see the installed OS version: 1. Open Settings. 2. Tap "About phone". 3. Tap "Software information". If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding. NOTE: Some wireless carriers list the version of the latest Android OS release by mobile device model online: ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung T-Mobile: https://support.t-mobile.com/docs/DOC-34510 Verizon Wireless: https://www.verizonwireless.com/support/software-updates/ Google Android OS patch website: https://source.android.com/security/bulletin/ Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb

Fix: F-33915r619608_fix

Install the latest released version of Samsung Android OS on all managed Samsung devices. NOTE: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).

c
All Samsung Android 11 installations must be removed.
CM-6 - High - CCI-000366 - V-264377 - SV-264377r985806_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
KNOX-11-999999
Vuln IDs
  • V-264377
Rule IDs
  • SV-264377r985806_rule
Samsung Android 11 is no longer supported by Google and therefore, may contain security vulnerabilities. Satisfies: FMT_MOF_EXT.1.2 #47 Reference: PP-MDF-991000
Checks: C-68291r985804_chk

Verify there are no installations of Samsung Android 11 at the site. If Samsung Android 11 is being used at the site, this is a finding.

Fix: F-68199r985805_fix

Remove all installations of Samsung Android 11.