Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2024-05-23
  • Released: 2024-07-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
Samsung Android must be configured to enforce a minimum password length of six characters.
IA-5 - Medium - CCI-000205 - V-231013 - SV-231013r958468_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
KNOX-11-000200
Vuln IDs
  • V-231013
Rule IDs
  • SV-231013r958468_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #1a
Checks: C-33943r619733_chk

Review Samsung Android device configuration settings to determine if the mobile device is enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify "minimum password length" is set to "6". NOTE: The following text is written assuming a password quality of "Numeric" or "Numeric (Complex)" has been configured. If a password quality of "Alphabetic" (or better) has been configured, substitute the text "PIN" with "Password" and "6 digits" with "6 characters". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.

Fix: F-33916r619734_fix

Configure Samsung Android to enforce a minimum password length of six characters. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set "minimum password length" to "6".

b
Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
CM-6 - Medium - CCI-000366 - V-231014 - SV-231014r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-000400
Vuln IDs
  • V-231014
Rule IDs
  • SV-231014r959010_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #1b
Checks: C-33944r619736_chk

This requirement is not applicable if the password quality is set to Numeric (complex) or better. Review Samsung Android configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password section, verify the "maximum sequential numbers" is set to "2". On the Samsung Android device: 1. Open Settings. 2. Tap "Lock screen". 3. Tap "Screen lock type". 4. Enter current password. 5. Tap "Password". 6. Verify that passwords with two or more sequential numbers are not accepted. If on the management tool "maximum sequential numbers" is more than "2", or on the Samsung Android device a password with two or more sequential numbers is accepted, this is a finding.

Fix: F-33917r619737_fix

This requirement is not applicable if the password quality is set to Numeric (complex), or better. Configure Samsung Android to prevent passwords from containing more than two repeating or sequential characters. On the management tool, in the device password section, set the "maximum sequential numbers" to "2".

b
Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
AC-11 - Medium - CCI-000057 - V-231015 - SV-231015r958402_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
KNOX-11-000600
Vuln IDs
  • V-231015
Rule IDs
  • SV-231015r958402_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. Satisfies: PP-MDF-301030, PP-MDF-301040 SFR ID: FMT_SMF_EXT.1.1 #2a, FMT_SMF_EXT.1.1 #2b
Checks: C-33945r619739_chk

Review Samsung Android configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify the "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Tap "Lock automatically". 5. Verify the listed timeout values are 15 minutes or less. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device "Secure lock settings" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.

Fix: F-33918r619740_fix

Configure Samsung Android to lock the device display after 15 minutes (or less) of inactivity. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set the "max time to screen lock" to "15 minutes" or less.

b
Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
AC-7 - Medium - CCI-000044 - V-231016 - SV-231016r958388_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
KNOX-11-000800
Vuln IDs
  • V-231016
Rule IDs
  • SV-231016r958388_rule
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5
Checks: C-33946r619742_chk

Review Samsung Android configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts set at 10 or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify the "max password failures for local wipe" is set to "10" attempts or less. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Verify that "Auto factory reset" menu is disabled. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device the "Auto factory reset" menu is not disabled, this is a finding.

Fix: F-33919r619743_fix

Configure Samsung Android to allow only 10 or fewer consecutive failed authentication attempts. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set the "max password failures for local wipe" to "10" attempts or less.

b
Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.
CM-6 - Medium - CCI-000366 - V-231017 - SV-231017r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-001400
Vuln IDs
  • V-231017
Rule IDs
  • SV-231017r959010_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #8a
Checks: C-33947r619745_chk

Review Samsung Android configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, management tool server, and/or mobile application store). This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "installs from unknown sources" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Apps >> (Overflow menu) >> Special access >> Install unknown apps. 2. Tap (Overflow menu) >> Show system apps. 3. In the "Personal" tab, ensure that each app listed has the status "Disabled" under the app name or that no apps are listed. 4. In the "Work" tab, ensure that each app listed has the status "Disabled" under the app name or that no apps are listed. If on the management tool "installs from unknown sources" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding. NOTE: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.

Fix: F-33920r619746_fix

Configure Samsung Android to disable unauthorized application repositories. On the management tool, in the device restrictions section, set "installs from unknown sources" to "Disallow". NOTE: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.

b
Samsung Android Work Environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
CM-6 - Medium - CCI-000366 - V-231018 - SV-231018r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-001800
Vuln IDs
  • V-231018
Rule IDs
  • SV-231018r959010_rule
The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the OS by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #8b
Checks: C-33948r619748_chk

Review the Samsung Android Work Environment configuration setting to determine if the mobile device has an application allowlist configured. Verify that all applications listed on the allowlist have been approved by the Approving Official (AO). This validation procedure is performed only on the management tool Administration Console. On the management tool, in the Work Environment KPE restrictions section, verify that only AO-approved apps are listed in the "app installation allowlist". If on the management tool the Work Environment "app installation allowlist" contains non-AO-approved apps, this is a finding.

Fix: F-33921r619749_fix

Configure Samsung Android Work Environment to use an application allowlist. The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. On the management tool, in the Work Environment KPE application section, add each AO-approved app to the "app installation allowlist". NOTE: Refer to the management tool documentation to determine the following: - If an application installation denylist is also required to be configured when enforcing an "app installation allowlist"; and - If the management tool supports adding apps to the "app installation allowlist" by package name and/or digital signature or supports a combination of the two.

b
The Samsung Android Work Environment allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
CM-6 - Medium - CCI-000366 - V-231019 - SV-231019r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-002000
Vuln IDs
  • V-231019
Rule IDs
  • SV-231019r959010_rule
Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment. Application note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the OS by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. SFR ID: FMT_SMF_EXT.1.1 #8b
Checks: C-33949r619751_chk

Review Samsung Android Work Environment configuration setting to determine if the application allowlist is configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. This validation procedure is performed only on the management tool Administration Console. On the management tool, in the Work Environment restrictions section, for each approved app on the "app installation allowlist", review the app details and privacy policy to ensure the app does not include prohibited characteristics. If on the management tool the Work Environment "app installation allowlist" includes apps with unauthorized characteristics, this is a finding.

Fix: F-33922r619752_fix

Configure Samsung Android Work Environment to use an application allowlist to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300. On the management tool, in the Work Environment application section, before adding an app to the "app installation allowlist", review the app details and privacy policy to ensure the app does not include prohibited characteristics. NOTE: Refer to the management tool documentation to determine the following: - If an application installation denylist is also required to be configured when enforcing an "app installation allowlist"; and - If the management tool supports adding apps to the "app installation allowlist" by package name and/or digital signature or supports a combination of the two.

a
Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).
CM-6 - Low - CCI-000366 - V-231020 - SV-231020r959010_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-11-002400
Vuln IDs
  • V-231020
Rule IDs
  • SV-231020r959010_rule
Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #18h
Checks: C-33950r619754_chk

Review Samsung Android configuration settings to determine if all Bluetooth profiles are disabled except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device Bluetooth section, verify that only DoD-approved profile UUIDs are listed in the "Bluetooth UUID allowlist": HFP, HSP, SPP, A2DP, AVRCP, and PBAP. On the Samsung Android device: 1. Open Settings >> Connections >> Bluetooth. 2. Verify only Bluetooth devices that use DoD-approved profiles are listed. If on the management tool the "Bluetooth UUID allowlist" contains non-DoD-approved profile UUIDs, or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding.

Fix: F-33923r619755_fix

Configure Samsung Android to disable all Bluetooth profiles except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP. On the management tool, in the device Bluetooth section, add each DoD-approved profile UUID to the "Bluetooth UUID allowlist": HFP, HSP, SPP, A2DP, AVRCP, and PBAP.

b
Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.
CM-6 - Medium - CCI-000366 - V-231021 - SV-231021r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-002800
Vuln IDs
  • V-231021
Rule IDs
  • SV-231021r959010_rule
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19
Checks: C-33951r619757_chk

Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. This procedure is only applicable to the COPE use case. On the management tool, in the Work Environment RCP section, verify that "Show detailed notifications" is set to "Disallow". On the COPE Samsung Android device: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. If on the management tool "Show detailed notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding. NOTE: For the COBO use case, the API to implement this policy has been impacted by DA deprecation, and no KPE alternative policy is available. If the device is deployed in COBO mode, this requirement is not met and is a permanent finding.

Fix: F-33924r619758_fix

Configure Samsung Android to not display (Work Environment) notifications when the device is locked. This guidance is only applicable to the COPE use case. On the management tool, in the Work Environment RCP section, set "Show detailed notifications" to "Disallow".

c
Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.
SC-28 - High - CCI-001199 - V-231022 - SV-231022r958552_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
KNOX-11-003600
Vuln IDs
  • V-231022
Rule IDs
  • SV-231022r958552_rule
The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #21, #47f
Checks: C-33952r619760_chk

This requirement is not applicable for devices that do not support removable storage media. If the mobile device does not support removable media, this requirement is not applicable. Review Samsung Android configuration settings to determine if the use of removable storage media is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "SD Card" is set to "Disable". On the Samsung Android device, verify that a microSD card cannot be mounted. NOTE: To mount the microSD card, insert it into the SIM/SD car tray in the slot marked "microSD", and push the tray firmly back into the device. The device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files. If on the management tool "SD Card" is not set to "Disable", or on the Samsung Android device a microSD card can be mounted, this is a finding.

Fix: F-33925r619761_fix

This requirement is not applicable for devices that do not support removable storage media. Configure Samsung Android to enable data-at-rest protection for removable media, or alternatively, disable the use of removable storage media. On the management tool, in the device restrictions section, set "SD Card" to "Disable".

b
Samsung Android must be configured to disable trust agents. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
CM-6 - Medium - CCI-000366 - V-231023 - SV-231023r958478_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-004000
Vuln IDs
  • V-231023
Rule IDs
  • SV-231023r958478_rule
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Checks: C-33953r619763_chk

Review Samsung Android configuration settings to determine if Trust Agents are disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Trust Agents" are set to "Disable". On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents. 2. Verify that all listed Trust Agents are disabled and cannot be enabled. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" can be enabled, this is a finding.

Fix: F-33926r619764_fix

Configure Samsung Android to disable Trust Agents. On the management tool, in the device restrictions section, set "Trust Agents" to "Disable".

b
Samsung Android must be configured to disable Face Recognition. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
CM-6 - Medium - CCI-000366 - V-231024 - SV-231024r958478_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-004200
Vuln IDs
  • V-231024
Rule IDs
  • SV-231024r958478_rule
The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Checks: C-33954r619766_chk

Review Samsung Android configuration settings to determine if Face Recognition is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "Face" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Face" is disabled and cannot be enabled. If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.

Fix: F-33927r619767_fix

Configure the Samsung Android to disable Face Recognition. On the management tool, in the device restrictions section, set "Face" to "Disable".

b
Samsung Android must be configured to disable developer modes.
CM-7 - Medium - CCI-000381 - V-231025 - SV-231025r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
KNOX-11-005200
Vuln IDs
  • V-231025
Rule IDs
  • SV-231025r958478_rule
Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #26
Checks: C-33955r619769_chk

Review Samsung Android configuration settings to determine whether a developer mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. For Legacy COPE deployments, this configuration is the default configuration. If the management tool does not provide the capability to enable/disable "debugging features", there is NO finding because the default setting cannot be changed. On the management tool, in the device restrictions section, verify that "Debugging Features" is set to "Disallow". On the Samsung Android device: 1. Open "Settings". 2. Verify "Developer options" is not listed. If on the management tool "Debugging Features" is not set to "Disallow" or on the Samsung Android device "Developer options" is listed, this is a finding.

Fix: F-33928r619770_fix

Configure Samsung Android to disable developer modes. On the management tool, in the device restrictions section, set the "Debugging Features" to "Disallow".

a
Samsung Android must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
AC-8 - Low - CCI-000048 - V-231026 - SV-231026r958390_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
KNOX-11-006400
Vuln IDs
  • V-231026
Rule IDs
  • SV-231026r958390_rule
The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. For devices with severe character limitations, the banner text is: I've read & consent to terms in IS user agreem't. The administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF_EXT.1.1 #36
Checks: C-33956r619772_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Validation Procedure for Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Review the signed user agreements for several Samsung Android device users and verify that the agreement includes the required DoD warning banner text. **** Validation Procedure for Method #2: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device. On the management tool, in the device Banner section, verify that "Banner Text" is set to the DoD-managed warning banner text. On the Samsung Android device, verify that after a reboot the required DoD warning banner text is displayed. **** If the warning text has not been placed in the signed user agreement, or if on the management tool "Banner Text" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed after a reboot, this is a finding.

Fix: F-33929r619773_fix

Configure the DoD warning banner by either of the following methods (required text is found in the Discussion): Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method). **** Method #2: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device. On the management tool, in the device Banner section, set "Banner Text" to the DoD-managed warning banner text.

b
Samsung Android must be configured to disable USB mass storage mode.
CM-7 - Medium - CCI-000381 - V-231027 - SV-231027r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
KNOX-11-006600
Vuln IDs
  • V-231027
Rule IDs
  • SV-231027r958478_rule
USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #39a
Checks: C-33957r619775_chk

Review Samsung Android configuration settings to determine if the mobile device has a USB mass storage mode and if it has been disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow". On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files. If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.

Fix: F-33930r619776_fix

Configure Samsung Android to disable USB mass storage mode. On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".

b
Samsung Android must be configured to not allow backup of all applications, configuration data to locally connected systems.
AC-20 - Medium - CCI-000097 - V-231028 - SV-231028r959010_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-000097
Version
KNOX-11-007000
Vuln IDs
  • V-231028
Rule IDs
  • SV-231028r959010_rule
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-33958r619778_chk

Verify requirement KNOX-11-006600 (Disallow USB file transfer) has been implemented. If "Disallow USB file transfer" has not been implemented, this is a finding.

Fix: F-33931r619779_fix

Verify "USB file transfer" has been "Disallowed" (see requirement KNOX-11-006600 [Legacy]).

b
Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (device management backup). - Disable Backup Services
AC-20 - Medium - CCI-002338 - V-231029 - SV-231029r959010_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-002338
Version
KNOX-11-007400
Vuln IDs
  • V-231029
Rule IDs
  • SV-231029r959010_rule
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-33959r619781_chk

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled. This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default. This procedure is applicable to COBO only. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Backup service" is set to "Disallow". On the COBO Samsung Android device: 1. Open Settings >> Accounts and backup. 2. Verify that any backup service listed cannot be configured to back up data. If on the management tool "Backup service" is not set to "Disallow", or on the Samsung Android device a listed backup service can be configured to back up data, this is a finding.

Fix: F-33932r619782_fix

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (device management backup). This requirement is inherently met for COPE because data in a work profile cannot be backed up by default. This guidance is applicable to COBO only. On the management tool, in the Work Environment restrictions section, set "Backup service" to "Disallow".

b
Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (account management backup). - Disable Data Sync
AC-20 - Medium - CCI-002338 - V-231030 - SV-231030r959010_rule
RMF Control
AC-20
Severity
Medium
CCI
CCI-002338
Version
KNOX-11-007600
Vuln IDs
  • V-231030
Rule IDs
  • SV-231030r959010_rule
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Checks: C-33960r619784_chk

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. In the Work Environment Account section, verify that "Account Addition Denylist" is set to "Denylist all" for Samsung accounts and Google accounts. 2. In the Work Environment, verify that no app that uses accounts for data backup/sync is approved. For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> Accounts. 2. Verify that accounts are grayed out, or an account cannot be added. For COBO: On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts 2. Verify that accounts are grayed out, or an account cannot be added. If on the management tool "Account Addition Denylist" is not set to "Denylist all" for Samsung accounts and Google accounts, or on the Samsung Android device an account can be added, this is a finding.

Fix: F-33933r619785_fix

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (account management backup). On the management tool: 1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for Samsung accounts and Google accounts. 2. In the Work Environment, do not approve any app that uses accounts for data backup/sync.

b
Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
AC-17 - Medium - CCI-002314 - V-231031 - SV-231031r958672_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
KNOX-11-008200
Vuln IDs
  • V-231031
Rule IDs
  • SV-231031r958672_rule
If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application note: If hotspot functionality is permitted, it must be authenticated via a pre-shared key. There is no requirement to enable hotspot functionality. SFR ID: FMT_SMF_EXT.1.1 #41a
Checks: C-33961r619787_chk

Review Samsung Android configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a pre-shared key. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device Wi-Fi section, verify that "Unsecured hotspot" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot >> Edit. 2. Tap option "Open" in the "Security" drop-down box. 3. Verify that "Save" is disabled. If on the management tool "Unsecured hotspot" is not set to "Disallow", or on the Samsung Android device "Open" can be selected in the "Security" drop-down box and the configuration can be saved, this is a finding.

Fix: F-33934r619788_fix

Configure Samsung Android to enable authentication of personal hotspot connections to the device using a pre-shared key. On the management tool, in the device Wi-Fi section, set "Unsecured hotspot" to "Disallow".

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Move files to personal
CM-6 - Medium - CCI-000366 - V-231032 - SV-231032r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-009000
Vuln IDs
  • V-231032
Rule IDs
  • SV-231032r959010_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-33962r619790_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable to COPE only. This procedure is performed on the management tool Administration console only. This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed. On the management tool, in the Work Environment RCP section, verify "Move files to personal" is set to "Disallow". If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding. If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Fix: F-33935r619791_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only. On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow". NOTE: "Move files to workspace" may be configured if there is a DoD mission need for this feature.

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Copy and Paste data
CM-6 - Medium - CCI-000366 - V-231033 - SV-231033r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-009200
Vuln IDs
  • V-231033
Rule IDs
  • SV-231033r959010_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-33963r619793_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the sharing of clipboard data from the Work Environment to the Personal Environment is disabled and is applicable to COPE only. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment RCP section, verify that "Sharing clipboard to personal" is set to "Disallow". On the Samsung Android device: 1. Using any Work Environment app, copy text to the clipboard. 2. Using any Personal Environment app, verify that the clipboard text cannot be pasted. If on the management tool the "Sharing clipboard to personal" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding.

Fix: F-33936r619794_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the sharing of clipboard data from the Work Environment to the Personal Environment and is applicable to COPE only. On the management tool, in the Work Environment RCP section, set "Sharing clipboard to personal" to "Disallow".

b
Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Sync Calendar to personal
CM-6 - Medium - CCI-000366 - V-231034 - SV-231034r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-009400
Vuln IDs
  • V-231034
Rule IDs
  • SV-231034r959010_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-33964r619796_chk

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that Calendar events created in the Work Environment are disallowed from being displayed in the Personal Environment Calendar and is applicable to COPE only. This procedure is performed on the management tool Administration console only. On the management tool, in the Work Environment RCP section, verify that "Sync calendar to personal" is set to "Disallow". On the COPE Samsung Android device: 1. Open Settings >> Work profile >> Notifications and data. 2. Verify that "Export to personal calendar" is disabled and cannot be enabled. If on the management tool the "Sync calendar to personal" is not set to "Disallow", or on the Samsung Android device "Export to personal calendar" is enabled or can be enabled, this is a finding.

Fix: F-33937r619797_fix

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disallowing Calendar events created in the Work Environment from being displayed in the Personal Environment Calendar and is applicable to COPE only. On the management tool, in the Work Environment RCP section, set "Sync calendar to personal" to "Disallow".

b
Samsung Android must be configured to disable multi-user modes (tablets only).
CM-6 - Medium - CCI-000366 - V-231035 - SV-231035r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-009800
Vuln IDs
  • V-231035
Rule IDs
  • SV-231035r959010_rule
NOTE: This requirement is only applicable to Samsung tablets. Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies. SFR ID: FMT_SMF_EXT.1.1 #47b
Checks: C-33965r619799_chk

Review Samsung Android configuration settings to determine if multi-user mode is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device Multiuser section, verify that "Multi-user mode" is set to "Disallow". On the Samsung Android device, open Settings and verify that the "User" setting is not listed. If on the management tool "Multi-user mode" is not set to "Disallow", or on the Samsung Android device the "User" setting is available, this is a finding.

Fix: F-33938r619800_fix

Configure Samsung Android to disable multi-user modes. On the management tool, in the device Multiuser section, set "Multi-user mode" to "Disallow".

a
Samsung Android must [not accept the certificate] when it cannot establish a connection to determine the validity of a certificate.
IA-5 - Low - CCI-000185 - V-231036 - SV-231036r959026_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000185
Version
KNOX-11-014000
Vuln IDs
  • V-231036
Rule IDs
  • SV-231036r959026_rule
Certificate-based security controls are dependent on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DoD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree. SFR ID: FIA_X509_EXT_2.2
Checks: C-33966r619802_chk

Verify requirement KNOX-11-020200 (CC Mode) has been implemented. If CC Mode has not been implemented, this is a finding.

Fix: F-33939r619803_fix

Implement CC Mode (see requirement KNOX-11-020200).

b
The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.
CM-6 - Medium - CCI-000366 - V-231037 - SV-231037r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-017400
Vuln IDs
  • V-231037
Rule IDs
  • SV-231037r959010_rule
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the Administrator or to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33967r619805_chk

Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for: Work email app. 2. Provision the user's email account on their behalf. For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> Accounts. 2. Verify that no account can be added. 3. Verify that the user's work email app has been provisioned with the work email account. For COBO: On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts. 2. Verify that no account can be added. 3. Verify that the user's work email app has been provisioned with the work email account. If on the management tool "Account Addition Denylist" is not set to "Denylist all" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.

Fix: F-33940r619806_fix

Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app. Refer to the management tool documentation to determine how to provision users’ work email accounts for the work email app. On the management tool: 1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for: Work email app. 2. Provision the user's email account on their behalf.

b
Samsung Android Personal Environment must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-231038 - SV-231038r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-017800
Vuln IDs
  • V-231038
Rule IDs
  • SV-231038r959010_rule
The system application disable list controls user access/execution of all core and pre-installed applications. Core application: Any application integrated into Samsung Android by Google or Samsung. Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier. Some system applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33968r619808_chk

Review Samsung Android Personal Environment configuration settings to determine if the system application disable list is enforced. This procedure is only for the Personal Environment of a COPE deployment. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO). On the Samsung Android device, review the Personal Environment apps and confirm that only approved core and preinstalled app are listed. If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

Fix: F-33941r619809_fix

Configure the Samsung Android device to enforce the system application disable list. This guidance is only for the Personal Environment of a COPE deployment. On the management tool, in the device application section, add all non-AO-approved system app packages to the "system app disable list".

b
Samsung Android Work Environment must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-231039 - SV-231039r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-018000
Vuln IDs
  • V-231039
Rule IDs
  • SV-231039r959010_rule
The system application disable list controls user access/execution of all core and pre-installed applications. Core application: Any application integrated into Samsung Android by Google or Samsung. Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier. Some system applications can compromise DoD data or upload user's information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33969r619811_chk

Review Samsung Android Work Environment configuration settings to determine if the system application disable list is enforced. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO). On the Samsung Android device, review the Work Environment apps and confirm that only apps that have been approved for DoD use by the Authorizing Official (AO) are listed. If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.

Fix: F-33942r619812_fix

Configure Samsung Android Work Environment to enforce the system application disable list. On the management tool, in the Work Environment application section, add all non-AO-approved system app packages to the "system app disable list".

b
Samsung Android must be configured to enable audit logging.
CM-6 - Medium - CCI-000366 - V-231040 - SV-231040r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-018400
Vuln IDs
  • V-231040
Rule IDs
  • SV-231040r959010_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. SFR ID: FAU_GEN.1.1 #8
Checks: C-33970r619814_chk

Review Samsung Android device configuration settings to confirm that audit logging is enabled. This validation procedure is performed on the management tool Administration Console only. On the management tool, for the device audit log section, verify that "Audit log" is set to "Enable". If on the management tool the "Audit log" is not set to "Enable", this is a finding.

Fix: F-33943r619815_fix

Configure Samsung Android to enable audit logging. On the management tool, in the device audit log section, set "Audit log" to "Enable".

b
Samsung Android must be enrolled as a COPE/COBO device.
CM-6 - Medium - CCI-000366 - V-231041 - SV-231041r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-018600
Vuln IDs
  • V-231041
Rule IDs
  • SV-231041r959010_rule
The Knox Workspace is the designated application group for the COPE use case. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33971r619817_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. **** Method #1: Legacy managed with Legacy Workspace (COPE) On the management tool, verify that the default enrollment is set to "Legacy managed with Legacy Workspace". On the Samsung Android device: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. 3. Go to the app drawer. 4. Verify that a "Personal" and "Workspace" tab are present. If on the management tool the default enrollment is not set as "Legacy managed with Legacy Workspace", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding. **** Method #2: Legacy managed (COBO) On the management tool, verify that the default enrollment is set as "Legacy managed". On the Samsung Android device: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. If on the management tool the default enrollment is not set as "Legacy managed" or the management tool Agent is not listed, this is a finding.

Fix: F-33944r619818_fix

Enroll the Samsung Android device in a DoD-approved use case by either of the following methods: Method #1: Legacy managed with Legacy Workspace (COPE) On the management tool, configure the default enrollment as "Legacy managed with Legacy Workspace". **** Method #2: Legacy managed (COBO) On the management tool, configure the default enrollment as "Legacy managed". **** Refer to the management tool documentation to determine how to configure the device enrollment.

b
Samsung Android device users must complete required training.
CM-6 - Medium - CCI-000366 - V-231042 - SV-231042r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-019000
Vuln IDs
  • V-231042
Rule IDs
  • SV-231042r959010_rule
The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33972r619820_chk

Review a sample of site User Agreements of Samsung device users or similar training records and training course content. Verify that Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.

Fix: F-33945r619821_fix

Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record. Training topics: - Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking. - Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Samsung device: 1. Secure use of Calendar Alarm. 2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use). 3. Do not connect Samsung devices (either via DeX Station or dongle) to any DoD network via Ethernet connection. 4. Do not upload DoD contacts via smart call and caller ID services. 5. Disable Wi-Fi Sharing. 6. Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space. - AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.

a
Samsung Android must be configured to enable Knox CC Mode.
CM-6 - Low - CCI-000366 - V-231043 - SV-231043r959010_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
KNOX-11-020200
Vuln IDs
  • V-231043
Rule IDs
  • SV-231043r959010_rule
The KPE CC Mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC mode is not implemented the device will not be operating in the NIAP-certified compliant CC Mode of operation. CC Mode implements the following behavioral/functional changes to meet MDFPP requirements: - Download Mode is disabled and all updates will occur via FOTA only. In addition, CC Mode adds new restrictions, which are not to meet MDFPP requirements, but to offer better security above what is required: - Force password info following FOTA update for consistency. - Disable Remote unlock by FindMyMobile. - Restrict biometric attempts to 10 for better security. - Support Android CommonCriteria mode API implementation which secures BT and Wi-Fi keys. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33973r619823_chk

Review Samsung Android configuration settings to determine if KPE CC Mode is enabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "CC mode" is set to "Enable". On the Samsung Android device, put the device into "Download mode" and verify that the text "Blocked by CC Mode" is displayed on the screen. If on the management tool "CC mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.

Fix: F-33946r619824_fix

Configure Samsung Android to enable KPE CC Mode. On the management tool, in the device restrictions section, set "CC mode" to "Enable".

b
Samsung Android must be configured to disallow configuration of Date Time.
CM-6 - Medium - CCI-000366 - V-231044 - SV-231044r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-020600
Vuln IDs
  • V-231044
Rule IDs
  • SV-231044r959010_rule
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), the Global Positioning System (GPS), or the wireless carrier. Time stamps generated by the audit system in Samsung Android must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33974r619826_chk

Review Samsung Android configuration settings to determine if the configuration of the date and time is disallowed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device Date Time section, verify that "Date Time Change" is set to "Disable". On the Samsung Android device: 1. Open Settings >> General management >> Date and time. 2. Verify that "Automatic data and time" is on and the user cannot disable it. If on the management tool "Date Time Change" is not set to "Disable", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.

Fix: F-33947r619827_fix

Configure Samsung Android to disallow configuration of the date and time. On the management tool, in the device Date Time section, set "Date Time Change" to "Disable".

b
Samsung Android must be configured to enforce a USB host mode exception list. NOTE: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
CM-6 - Medium - CCI-000366 - V-231045 - SV-231045r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-021000
Vuln IDs
  • V-231045
Rule IDs
  • SV-231045r959010_rule
The USB host mode feature allows USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. The USB host mode exception list allows selected USB devices to operate, while disallowing others, based on their USB device class. With some USB device classes, a user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. However, some USB device classes do not allow data to be copied, such as Human Interface Devices (HID). Disabling all USB devices except for HID mitigates the risk of compromising sensitive DoD data. This allows for DeX mode to be used, with a USB keyboard and mouse, without compromising DoD data. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33975r619829_chk

Review Samsung Android device configuration settings to determine if USB host mode exception list is configured, or alternatively, if USB host mode is disabled. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify that "HID" is the only USB class included in the "USB host mode exception list". On the Samsung Android device: 1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device. 2. Connect a USB thumb drive to the adapter. 3. Verify that the device cannot access the USB thumb drive. If on the management tool the "USB host mode exception list" includes a USB class other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.

Fix: F-33948r619830_fix

Configure Samsung Android with a USB host mode exception list, or alternatively, disable the use of USB host mode. On the management tool, in the device restrictions section, add the "HID" USB class to the "USB host mode exception list".

b
Samsung Android Work Environment must be configured to enforce that Share Via List is disabled.
CM-6 - Medium - CCI-000366 - V-231046 - SV-231046r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-021400
Vuln IDs
  • V-231046
Rule IDs
  • SV-231046r959010_rule
The "Share Via List" feature allows the transfer of data between nearby Samsung devices via Android Beam, Wi-Fi Direct, Link Sharing, and Share to Device. If sharing were enabled, sensitive DoD data could be compromised. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33976r619832_chk

Review Samsung Android Work Environment configuration settings to determine if Share Via List is disallowed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Share Via List" is set to "Disallow". On the Samsung Android device, attempt to share by long pressing a file in the Work Environment and tapping "Share". If on the management tool "Share Via List" is not set to "Disallow", or on the Samsung Android device the user is able to share, this is a finding.

Fix: F-33949r619833_fix

Configure Samsung Android Work Environment to disallow Share Via List. On the management tool, in the Work Environment restrictions section, set "Share Via List" to "Disallow". NOTE: Disabling Share Via List will also disable functionality such as Gallery Sharing and Direct Sharing.

b
Samsung Android must be configured to disallow outgoing beam.
CM-6 - Medium - CCI-000366 - V-231047 - SV-231047r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-021800
Vuln IDs
  • V-231047
Rule IDs
  • SV-231047r959010_rule
Outgoing beam allows transfer of data through NFC and Bluetooth by touching two unlocked devices together. If it were enabled, sensitive DoD data could be transmitted. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33977r619835_chk

Review Samsung Android Work Environment configuration settings to verify that outgoing beam is disallowed. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This validation procedure is applicable to COBO only. This procedure is performed on both the MDM Administration console and the Samsung Android device. On the MDM console, in the Work Environment restrictions section, verify that "disallow outgoing beam" is selected. On the Samsung Android device, open a picture, contact, or web page and put it back to back with an unlocked outgoing beam-enabled device. Verify that outgoing beam cannot be started. If on the MDM console "outgoing beam" is not set to "disallow", or on the Samsung Android device the user is able to successfully start outgoing beam, this is a finding.

Fix: F-33950r619836_fix

Configure Samsung Android to disallow outgoing beam. This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated. This guidance is applicable to COBO only. On the MDM console, in the Work Environment restrictions section, set "outgoing beam" to "disallow".

b
Samsung Android Work Environment must be configured to enforce that Wi-Fi Sharing is disabled.
CM-6 - Medium - CCI-000366 - V-231048 - SV-231048r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-022200
Vuln IDs
  • V-231048
Rule IDs
  • SV-231048r959010_rule
Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection. Wi-Fi Sharing grants the "other" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a pre-shared key for personal hotspots. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33978r619838_chk

Review Samsung Android device configuration settings to confirm that Wi-Fi Sharing is disabled. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been verified as disabled on the management tool, the following guidance is not applicable. This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement. On the Samsung Android device: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. 2. Verify that "Wi-Fi sharing" is disabled. If on the Samsung Android device "Wi-Fi sharing" is enabled, this is a finding.

Fix: F-33951r619839_fix

Configure Samsung Android to disable Wi-Fi Sharing. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the management tool, the following guidance is not applicable. On the Samsung Android device: 1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. 2. Disable "Wi-Fi sharing" if it is enabled.

b
Samsung Android Work Environment must be configured to enable Certificate Revocation checking.
CM-6 - Medium - CCI-000366 - V-231049 - SV-231049r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-022600
Vuln IDs
  • V-231049
Rule IDs
  • SV-231049r959010_rule
A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using CRLs. When OCSP is enabled, it is used prior to CRL checking. If OCSP could not obtain a decisive response about a certificate, it will then try to use CRL checking. The OCSP response server must be listed in the certificate information under Authority Info Access. This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33979r619841_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on the management tool Administration Console only. **** Validation Procedure for Method #1: CRL Checking On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps". If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding. **** Validation Procedure for Method #2: OCSP with CRL Fallback On the management tool: 1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps". 2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps". If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.

Fix: F-33952r619842_fix

Configure Samsung Android Work Environment to enable Certificate Revocation checking by either of the following methods: Method #1: CRL Checking On the management tool, in the Work profile certificate section, set "Revocation check" to "enable for all apps". **** Method #2: OCSP with CRL Fallback On the management tool: 1. In the Work profile certificate section, set "Revocation check" to "enable for all apps". 2. In the Work profile restrictions section, set "OCSP check" to "enable for all apps". **** Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".

b
Samsung Android Work Environment must have the DoD root and intermediate PKI certificates installed.
CM-6 - Medium - CCI-000366 - V-231050 - SV-231050r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-023000
Vuln IDs
  • V-231050
Rule IDs
  • SV-231050r959010_rule
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33980r619844_chk

Review Samsung Android Work Environment configuration settings to determine if the DoD root and intermediate PKI certificates are installed. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work Environment certificate section, verify that the DoD root and intermediate PKI certificates are installed. On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment. If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding.

Fix: F-33953r619845_fix

Configure the Samsung Android Work Environment to install DoD root and intermediate PKI certificates. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work Environment certificate section, install the DoD root and intermediate PKI certificates.

b
Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
CM-6 - Medium - CCI-000366 - V-231051 - SV-231051r959010_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
KNOX-11-023200
Vuln IDs
  • V-231051
Rule IDs
  • SV-231051r959010_rule
DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DoD root and intermediate PKI certificates to the Administrator mitigates this risk. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-33981r619847_chk

Review Samsung Android Work Environment configuration settings to determine if the user is unable to remove DoD root and intermediate PKI certificates. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify "User Remove Certificates" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates. 2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted. 3. In the User tab, verify that no listed certificate in the Work Environment can be removed. If on the management tool the device "User Remove Certificates" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.

Fix: F-33954r619848_fix

Configure Samsung Android Work Environment to prevent a user from removing DoD root and intermediate PKI certificates. On the management tool, in the Work Environment restrictions section, set "User Remove Certificates" to "Disallow".

c
The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
CM-6 - High - CCI-000366 - V-231052 - SV-231052r959010_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
KNOX-11-023400
Vuln IDs
  • V-231052
Rule IDs
  • SV-231052r959010_rule
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_SMF_EXT.1.1 #47
Checks: C-33982r619850_chk

Review Samsung Android device configuration settings to confirm that the most recently released version of Samsung Android is installed. This procedure is performed on both the management tool and the Samsung Android device. In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. See the notes below to determine the latest available OS version. On the Samsung Android device, to see the installed OS version: 1. Open Settings. 2. Tap "About phone". 3. Tap "Software information". If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding. NOTE: Some wireless carriers list the version of the latest Android OS release by mobile device model online: ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung T-Mobile: https://support.t-mobile.com/docs/DOC-34510 Verizon Wireless: https://www.verizonwireless.com/support/software-updates/ Google Android OS patch website: https://source.android.com/security/bulletin/ Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb

Fix: F-33955r619851_fix

Install the latest released version of Samsung Android OS on all managed Samsung devices. NOTE: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).

c
All Samsung Android 11 installations must be removed.
CM-6 - High - CCI-000366 - V-264378 - SV-264378r985809_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
KNOX-11-999999
Vuln IDs
  • V-264378
Rule IDs
  • SV-264378r985809_rule
Samsung Android 11 is no longer supported by Google and therefore, may contain security vulnerabilities. Satisfies: FMT_MOF_EXT.1.2 #47 Reference: PP-MDF-991000
Checks: C-68292r985807_chk

Verify there are no installations of Samsung Android 11 at the site. If Samsung Android 11 is being used at the site, this is a finding.

Fix: F-68200r985808_fix

Remove all installations of Samsung Android 11.