Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the configuration to determine if the Samsung Android devices are enrolled in a DOD-approved use case. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, verify the default enrollment is set to "Work profile for personally-owned devices". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Device admin apps. 2. Verify the management tool Agent is listed. 3. Go to the app drawer. 4. Verify a "Personal" and "Work" tab are present. If on the management tool the default enrollment is not set as "Work profile for personally-owned devices", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.
Enroll the Samsung Android devices in a DOD-approved use case. On the management tool, configure the default enrollment as "Work profile for personally-owned devices". Refer to the management tool documentation to determine how to configure the device enrollment.
The DOD warning banner can be displayed using the following method (required text is found in the Vulnerability Discussion): Place the DOD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)" deployment mode. Review the signed user agreements for several Samsung Android device users and verify the agreement includes the required DOD warning banner text. If the required warning banner text is not on all signed user agreements reviewed, this is a finding.
Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Description): Place the DOD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Note: It is not possible for the EMM to force a warning banner be placed on the device screen when using "work profile for employee-owned devices (BYOD)".
Review the configuration to determine if the Samsung Android devices' Work Environment is disallowing passwords containing more than four repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better. On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify that PINs with more than four repeating or sequential numbers are not accepted. If "One Lock" is disabled: 1. Open Settings >> Security and privacy >> More security settings >> Work profile security >> Work profile lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify that PINs with more than four repeating or sequential numbers are not accepted. If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.
Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters. On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better. If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via KSP) "Maximum Numeric Sequence Length" with value "4".
Review the configuration to determine if the Samsung Android devices' Work Environment is enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work Environment password policies, verify "minimum password length" is set to "6". On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If "One Lock" is disabled: 1. Open Settings >> Security and privacy >> More security settings >> Work profile security >> Work profile lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If on the management tool "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.
Configure the Samsung Android devices to enforce a minimum password length of six characters. On the management tool, in the device password policies, set "minimum password length" to "6".
Review the configuration to determine if the Samsung Android devices' Work Environment is allowing only 10 or fewer consecutive failed authentication attempts. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "max password failures for local wipe" is set to "10" attempts or less. On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Lock the device. 2. Make attempts to unlock the Device with incorrect PIN and validate that the device reports that if you do not enter the correct PIN within the next few attempts that a wipe will occur. If "One Lock" is disabled: 1. Wait for the Work profile to Lock (determined by Auto lock work profile configuration) - or reboot the Device. 2. Attempt to unlock the Work profile with an incorrect PIN and validate that the device reports "9" or less attempts left. If on the management tool "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device - after making incorrect PIN entry attempts - it does not report that the device will wipe, this is a finding.
Configure the Samsung Android devices to allow only 10 or fewer consecutive failed authentication attempts. On the management tool, in the device password policies, set "max password failures for local wipe" to "10" attempts or fewer. A device password must be set for "max password failures for local wipe" to become active.
Review the configuration to determine if the Samsung Android devices' Work Environment is locking the device display after 15 minutes (or less) of inactivity. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work environment password policies, verify "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Tap "Auto lock when screen turns off". 5. Verify the listed timeout values are 15 minutes or less. If "One Lock" is disabled: 1. Open Settings >> Security and privacy >> More security settings >> Work profile security >> Auto lock work profile. 2. Verify the listed timeout values are 15 minutes or less. If on the management tool "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device the listed Screen timeout values include durations of more than 15 minutes, this is a finding.
Configure the Samsung Android devices to lock the device display after 15 minutes (or less) of inactivity. On the management tool, in the device password policies, set "max time to screen lock" to "15 minutes" or less. A device password must be set for "max time to screen lock" to become active.
Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Review the configuration to determine if the Samsung Android devices' Work Environment is disabling Face Recognition. This validation procedure is performed on both the management tool and the Samsung Android device. Face recognition is not a feature available for unlocking the Work profile unless "One Lock" is used. Otherwise, on the management tool, in the Work Environment restrictions, verify that "Face" is set to "Disable". On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify that "Face" is disabled and cannot be enabled. The disablement of Face cannot be verified while "One Lock" is disabled, as they are not an available feature for Work profiles. To verify, the Admin would need to temporarily enable "One Lock" for the purpose of testing only and follow the above instruction. After testing, the User would have to reset their Work profile password when "One Lock" was turned off again. If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.
Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Configure the Samsung Android devices to disable Face Recognition. On the management tool, in the device restrictions, set "Face Recognition" to "Disable".
Review the configuration to determine if the Samsung Android devices' Work Environment is disabling Trust Agents. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify that "Trust Agents" are set to "Disable". On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Security and privacy >> More security settings >> Trust agents. 2. Verify that all listed Trust Agents are disabled and cannot be enabled. The disablement of Trust Agents cannot be verified while "One Lock" is disabled, as they are not an available feature for Work profiles. To verify, the Admin would need to temporarily enable "One Lock" for the purpose of testing only and follow the above instruction. After testing, the User would have to reset their Work profile password when "One Lock" was turned off again. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" can be enabled, this is a finding. Note: If the management tool has been correctly configured but a Trust Agent is still enabled, configure the "List of approved apps listed in managed Google Play" to disable it; refer to KNOX-14-710190. Exception: Trust Agents may be used if the Authorizing Official (AO) allows a screen lock timeout after four hours (or more) of inactivity. This may be applicable to tactical use case.
Configure the Samsung Android devices to disable Trust Agents. On the management tool, in the device restrictions, set "Trust Agents" to "Disable".
Review the configuration to determine if the Samsung Android's Work profile has the DOD root and intermediate PKI certificates installed. This validation procedure is performed on both the management tool and the Samsung Android device. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work profile policy management, verify the DOD root and intermediate PKI certificates are installed. On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the User tab, verify the DOD root and intermediate PKI certificates are listed in the Work profile. If on the management tool the DOD root and intermediate PKI certificates are not listed in the Work profile, or on the Samsung Android device the DOD root and intermediate PKI certificates are not listed in the Work profile, this is a finding.
Install the DOD root and intermediate PKI certificates into the Samsung Android devices' Work profile. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work profile policy management, install the DOD root and intermediate PKI certificates.
Review the configuration to determine if the Work profile on the Samsung Android device is allowing users to install only applications that have been approved by the Authorizing Official (AO). This validation procedure is performed only on the management tool. On the management tool, in the app catalog for managed Google Play, verify that only AO-approved apps are available. If on the management tool the app catalog for managed Google Play includes non-AO-approved apps, this is a finding.
Configure the Work profile on Samsung Android devices to allow users to install only applications that have been approved by the AO. In addition to any local policy, the AO must not approve applications that have certain prohibited characteristic; these are covered in KNOX-14-710200. On the management tool, in the app catalog for managed Google Play, add each AO-approved app to be available. Note: Managed Google Play is an allowed App Store.
Verify requirement KNOX-14-710190 (managed Google Play) has been implemented. Verify the application allowlist does not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers. - Apps which backup their own data to a remote system. If managed Google Play has not been implemented, this is a finding. This validation procedure is performed only on the EMM Administration Console. On the EMM console: 1. Review the list of selected Managed Google Play apps. 2. Review the details and privacy policy of each selected app to ensure the app does not include prohibited characteristics. If the EMM console device policy includes applications with unauthorized characteristics, this is a finding.
The Authorizing Official (AO) must not approve applications with the following characteristics for installation by users in the Work profile: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers. - Apps which backup their own data to a remote system. Implement managed Google Play (refer to requirement KNOX-14-710190).
Review the configuration to determine if the Samsung Android devices are not displaying (Work Environment) notifications when the device is locked. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work profile restrictions section, verify "Unredacted Notifications" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Notifications >> Lock screen notifications. 2. Verify "Sensitive work profile notifications" is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Sensitive work profile notifications" is not disabled, this is a finding.
Configure the Samsung Android devices to not display (Work Environment) notifications when the device is locked. On the management tool, in the Work profile restrictions section, set "Unredacted Notifications" to "Disallow".
Review the configuration to determine if the Samsung Android devices are preventing users from adding personal email accounts to the work email app. On the management tool, in the device restrictions section, verify "Modify accounts" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts. 2. Navigate to the "Work" tab. 3. Verify no account can be added. If on the management tool "Modify accounts" is not set to "Disallow", or on the Samsung Android device an account can be added, this is a finding.
Configure the Samsung Android devices to prevent users from adding personal email accounts to the work email app. On the management tool, in the Work profile restrictions, set "Modify accounts" to "Disallow".
Verify requirement KNOX-14-710230 (disallow modify accounts) has been implemented. If "disallow modify accounts" has not been implemented, this is a finding.
Disallow modify accounts (refer to requirement KNOX-14-710230).
Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are enabling an access control policy that prevents application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, set "Cross profile copy/paste" to "Disallow". On the Samsung Android device: 1. Using any Work app, copy text to the clipboard. 2. Using any Personal app, verify the clipboard text cannot be pasted. If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal app, this is a finding.
Configure the Samsung Android devices to enable an access control policy that prevents application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. On the management tool, in the Work profile restrictions section, set "Cross profile copy/paste" to "Disallow".
Review the configuration to determine if the Samsung Android devices' Work profile is preventing users from removing DOD root and intermediate PKI certificates. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, verify "Configure credentials" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the System tab, verify no listed certificate in the Work profile can be untrusted. 3. In the User tab, verify no listed certificate in the Work profile can be removed. If on the management tool the device "Configure credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.
Configure the Samsung Android devices' Work profile to prevent users from removing DOD root and intermediate PKI certificates. On the management tool, in the Work profile restrictions, set "Configure credentials" to "Disallow".
Review the configuration to determine if the Samsung Android devices are disabling unauthorized application repositories. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, verify "installs from unknown sources globally" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Install unknown apps. 2. In the "Personal" tab, verify that each app listed has the status "Disabled" under the app name or no apps are listed. 3. In the "Work" tab, verify that each app listed has the status "Disabled" under the app name or no apps are listed. If on the management tool "installs from unknown sources globally" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding.
Configure the Samsung Android devices to disable unauthorized application repositories. On the management tool, in the Work profile restrictions, set "installs from unknown sources globally" to "Disallow". Note: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.
Review a sample of site User Agreements for Samsung device users or similar training records and training course content. Verify Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.
Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record. Training topics: - Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using Global Positioning System (GPS) tracking. - Need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Samsung device: **Do not remove DOD intermediate and root PKI digital certificates **Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space -How to implement One Lock. -Screenshots will not be taken of any “work” related managed data.-Screenshots will not be taken of any “work” related managed data.
Review the configuration to confirm if the Samsung Android devices have the most recently released version of Samsung Android installed. This procedure is performed on both the management tool and the Samsung Android device. In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. Refer to the notes below to determine the latest available OS version. On the Samsung Android device, to determine the installed OS version: 1. Open Settings. 2. Tap "About phone". 3. Tap "Software information". If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding. Note: Some wireless carriers list the version of the latest Android OS release by mobile device model online: ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung Verizon Wireless: https://www.verizonwireless.com/support/software-updates/ Google Android OS patch website: https://source.android.com/security/bulletin/ Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb
Install the latest released version of Samsung Android OS on all managed Samsung devices. Note: In most cases, OS updates are released by the wireless carrier (for example, T-Mobile, Verizon Wireless, and ATT).
Review the list of VPN profiles in the Personal Profile and determine if any VPN profiles are listed. If so, verify the VPN profiles are not configured with a DOD network VPN profile. If any VPN profiles are installed in the Personal Profile and they have a DOD network VPN profile configured, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
Do not configure DOD VPN profiles in the Personal Profile.
Review the configuration to confirm that revocation checking is enabled. Verify the revocation checklist is set to "All Applications". This procedure is performed on the management tool. On the management tool: 1. Open Certificates Policy >> Revocation section. 2. Select "Get CRL". 3. Verify Toast message "Get revocation check: true". If on the management tool the revocation check is disabled, this is a finding.
Configure the Samsung Android devices to enable CRL revocation checks for all applications. These revocation checks must be enabled using the Knox KPE APIs. On the management tool, in the Certificate Policy restrictions, enable "Revocation Checks" for "All Applications".
Review the configuration to confirm the system application disable list is enforced. This setting is enforced by default. Verify only approved system apps have been placed on the core allowlist. This procedure is performed on the management tool. Review the system app allowlist and verify only approved apps are on the list. On the management tool, in the Apps management section, select "Unhide apps" and verify the names of the apps listed. If on the management tool the system app allowlist contains unapproved core apps, this is a finding.
Configure the Samsung Android 14 device to enforce the system application disable list. The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool: 1. Open "Apps management" section. 2. Select "Hide apps". 3. Enter names of apps to hide. Configure a list of approved Samsung core and preinstalled apps in the core app allowlist.
Review the work profile Chrome Browser app on the Samsung Android 14 autofill setting. This validation procedure is performed on the management tool. On the management tool: 1. Open "Managed Configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Verify "PasswordManagerEnabled" is turned "OFF". 4. Verify "AutofillAddressEnabled" is turned "OFF". 5. Verify "AutofillCreditCardEnabled" is turned "OFF". If on the management tool any of the browser autofill settings are set to "On" in the Chrome Browser Settings, this is a finding.
Configure the Samsung Android 14 device to disable the autofill functionality. The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool: 1. Open the "Managed configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Ensure "PasswordManagerEnabled" is turned "OFF". 4. Ensure "AutofillAddressEnabled" is turned "OFF". 5. Ensure "AutofillCreditCardEnabled" is turned "OFF".
Review the Samsung Android 14 work profile configuration settings to confirm that autofill services are disabled. This validation procedure is performed on the management tool. On the management tool: 1. Open "Set user restrictions". 2. Verify "Disable autofill" is toggled to "ON". If on the management tool the "disallow autofill" is not selected, this is a finding.
Configure the Samsung Android 14 device to disable the autofill services. On the management tool, in the Work profile User restrictions section, set "Disable autofill" to "Enable".
Review the managed Samsung Android 14 configuration settings to confirm that no third-party keyboards are enabled. This procedure is performed on the management tool. On the management tool: 1. Open "Input methods". 2. Tap "Set input methods". 3. Verify only the approved keyboards are selected. If third-party keyboards are allowed, this is a finding.
Configure the Samsung Android 14 device to disallow the use of third-party keyboards. On the management tool: 1. Open "Input methods". 2. Tap "Set input methods". 3. Select only the approved keyboard. Additionally, Administrators can configure application allowlists for Google Play that do not have any third-party keyboards for user installation.