Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Samsung Android 16 COPE Security Technical Implementation Guide

V1R2 · · · Released 01 Apr 2026 · 48 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Supporting documents DISA companion ZIP · 2.6 MB 5 PDFs

Bundled by DISA alongside this STIG release: overview, revision history, and readme files. Download the full archive or open an individual PDF.

Download full ZIP U_SS_Android_16_KPE_3-x_Y26M04_STIG.zip
Digest of Updates vs. V1R1 · 26 Aug 2025 ✎ 1

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 1

  • V-276648 Medium checkfix Samsung Android 16 must disable the ability of the user to wipe the device.
Sort by
a
Samsung Android 16 must disable the use of assistants (including Samsung Assistant) unless required to meet Section 508 compliance requirements.
CM-6 - Low - CCI-000366 - V-276640 - SV-276640r1139442_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-16-011100
Vuln IDs
  • V-276640
Rule IDs
  • SV-276640r1139442_rule
The use of assistants could expose sensitive DOD data to cloud based servers during the processing of assistant requests. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80795r1139440_chk

Review configuration settings to confirm the use of assistants has been disabled. This check procedure is performed on the device management tool and the Samsung Android 16 device. On the MDM console: COBO/COPE procedures: 1. Open user restrictions. 2. Verify that "Disallow assist content" is enabled. 3. Verify that the Gemini App in the Managed Samsung Play Store has not been added to the allowlist. On the managed Samsung Android 16 device: 1. Try to invoke the Google Assistant and note that it will not execute. 2. Verify the Gemini app is not installed and that it is not listed in the Managed Samsung Play Store. If the use of assistants has not been disabled, this is a finding. Note: This control also disables Gemini from being invoked if it was previously installed.

Fix: F-80700r1139441_fix

Configure the Samsung Android 16 device to disable the use of all assistants. On the MDM console, do the following: COBO procedures: 1. Open user restrictions. 2. Enable "Disallow assist content". 3. Do not allowlist the Gemini App in the Managed Samsung Play Store. COPE procedures: 1. Open user restrictions. 2. Enable "Disallow assist content". 3. Do not allowlist the Gemini App in the Managed Samsung Play Store. Note: This control also disables Gemini from being invoked if it was previously installed. API: addUserRestriction, DISALLOW_ASSIST_CONTENT

b
The Samsung Android device work profile must be configured to disable the autofill services.
CM-6 - Medium - CCI-000366 - V-276641 - SV-276641r1139445_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-010100
Vuln IDs
  • V-276641
Rule IDs
  • SV-276641r1139445_rule
The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill services, an adversary who learns a user's Android device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the autofill services to provide information unknown to the adversary. By disabling the autofill services, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. Examples of apps that offer autofill services include Samsung Pass, Google, Dashlane, LastPass, and 1Password. SFR ID: FMT_SMF.1.1 #47
Checks: C-80796r1139443_chk

Review the Samsung work profile configuration settings to confirm that autofill services are disabled. This validation procedure is performed on the management tool. On the management tool: 1. Open "Set user restrictions". 2. Verify "Disable autofill" is toggled to "ON". If on the management tool the "disallow autofill" is not selected, this is a finding.

Fix: F-80701r1139444_fix

Configure the Samsung device to disable the autofill services. On the management tool, in the Work profile User restrictions section, set "Disable autofill" to "Enable". API: addUserRestriction, DISALLOW_AUTOFILL

a
Samsung Android must be configured to disable all Bluetooth profiles except for Headset Profile (HSP), Hands-Free Profile (HFP), Serial Port Profile (SPP), Advanced Audio Distribution Profile (A2DP), Audio/Video Remote Control Profile (AVRCP), and Phone Book Access Profile (PBAP).
CM-7 - Low - CCI-000381 - V-276642 - SV-276642r1139785_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
KNOX-16-008300
Vuln IDs
  • V-276642
Rule IDs
  • SV-276642r1139785_rule
Some Bluetooth profiles provide the capability for remote transfer of sensitive DOD data without encryption or otherwise do not meet DOD IT security policies and therefore, must be disabled. SFR ID: FMT_SMF_EXT.1.1/BLUETOOTH BT-8
Checks: C-80797r1139446_chk

Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are paired only with devices that support HSP, HFP, SPP, A2DP, AVRCP, and PBAP Bluetooth profiles. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions section, verify "Bluetooth" is set to the AO-approved selection: "Allow" if the AO has approved the use of Bluetooth or "Disallow" if the AO has not approved its use. On the Samsung Android device: 1. Open Settings >> Connections >> Bluetooth. 2. Verify all listed paired Bluetooth devices use only authorized Bluetooth profiles. If on the management tool "Bluetooth" is not set to the AO-approved value, or the Samsung Android device is paired with a device that uses unauthorized Bluetooth profiles, this is a finding.

Fix: F-80702r1139784_fix

Configure the Samsung Android devices to disable Bluetooth, or if the AO has approved the use of Bluetooth (for example, for hands-free use), train users to only pair devices that support HSP, HFP, SPP, A2DP, AVRCP, and PBAP profiles. On the management tool, in the device restrictions section, set "Bluetooth" to the AO-approved selection: "Allow" if the AO has approved the use of Bluetooth or "Disallow" if the AO has not approved its use. The user training requirement is satisfied in requirement KNOX-16-009400. If a COBO deployment requires the use of specific Bluetooth profiles, Knox Platform for Enterprise (KPE) can be used to allow them in a STIG-approved configuration. In this case, do not configure this policy, and instead replace with KPE policy (innately by the management tool or via Knox Service Plugin [KSP]) "Add Bluetooth UUIDs To White List " with values "HSP_UUID, HFP_UUID, SPP_UUID, A2DP_ADVAUDIODIST_UUID, AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID" and default blacklist as "enable". API: addUserRestriction, DISALLOW_BLUETOOTH

b
Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
CM-6 - Medium - CCI-000370 - V-276643 - SV-276643r1139451_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000370
Version
KNOX-16-008600
Vuln IDs
  • V-276643
Rule IDs
  • SV-276643r1139451_rule
DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DOD root and intermediate PKI certificates to the Administrator mitigates this risk. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80798r1139449_chk

COPE: Review the configuration to determine if the Samsung Android devices' Work profile is preventing users from removing DOD root and intermediate PKI certificates. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, verify "Configure credentials" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the System tab, verify no listed certificate in the Work profile can be untrusted. 3. In the User tab, verify no listed certificate in the Work profile can be removed. If on the management tool the device "Configure credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding. COBO: Review the configuration to determine if the Samsung Android devices are preventing users from removing DOD root and intermediate PKI certificates. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Configure credentials" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the System tab, verify no listed certificate in the device can be untrusted. 3. In the User tab, verify no listed certificate in the device can be removed. If on the management tool in the device restrictions "Configure credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.

Fix: F-80703r1139450_fix

COPE: Configure the Samsung Android devices' Work profile to prevent users from removing DOD root and intermediate PKI certificates. On the management tool, in the Work profile restrictions, set "Configure credentials" to "Disallow". COBO: Configure the Samsung Android devices to prevent users from removing DOD root and intermediate PKI certificates. On the management tool, in the device restrictions, set "Configure credentials" to "Disallow". API: addUserRestriction, DISALLOW_CONFIG_CREDENTIALS

b
Samsung Android must be configured to disallow configuration of the device's date and time.
CM-6 - Medium - CCI-000366 - V-276644 - SV-276644r1139454_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-008900
Vuln IDs
  • V-276644
Rule IDs
  • SV-276644r1139454_rule
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is necessary to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DOD network (NIPRNet or SIPRNet), the Global Positioning System (GPS), or the wireless carrier. Time stamps generated by the audit system in Samsung Android must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80799r1139452_chk

Review the configuration to determine if the Samsung Android devices are disallowing the users from changing the date and time. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Configure Date/Time" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> General management >> Date and time. 2. Verify "Automatic date and time" is on and the user cannot disable it. If on the management tool "Configure Date/Time" is not set to "Disallow", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.

Fix: F-80704r1139453_fix

Configure the Samsung Android devices to disallow users from changing the date and time. On the management tool, in the device restrictions, set "Configure Date/Time" to "Disallow". API: addUserRestriction, DISALLOW_CONFIG_DATE_TIME

b
Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.
AC-18 - Medium - CCI-001443 - V-276645 - SV-276645r1139457_rule
RMF Control
AC-18
Severity
M
CCI
CCI-001443
Version
KNOX-16-007700
Vuln IDs
  • V-276645
Rule IDs
  • SV-276645r1139457_rule
If no authentication is required to establish personal hotspot connections (Wi-Fi and Bluetooth), an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application note: If hotspot functionality is permitted, it must be authenticated via a preshared key. There is no requirement to enable hotspot functionality, and it is recommended this functionality be disabled by default. SFR ID: FMT_SMF.1.1 #41
Checks: C-80800r1139455_chk

This is a "User-Based Enforcement (UBE)" control. Check a sample of Samsung phones at the site and verify the Wi-Fi hotspot preshared key (password) is set to "WPA2/WPA3-Personal" or "WPA3-Personal". - Go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot. - Select Network name >> Password >> Band. - Click the "Security" link, and verify either "WPA2/WPA3-Personal" or "WPA3-Personal" have been selected. If the Wi-Fi hotspot security is not set to "WPA2/WPA3-Personal" or "WPA3-Personal", this is a finding.

Fix: F-80705r1139456_fix

This is a "User-Based Enforcement (UBE)" control. Train users to not change the default Wi-Fi hotspot security setting: 15-character complex Wi-Fi hotspot preshared key (password) ("WPA2/WPA3-Personal" or WPA3-Personal"). (KNOX-16-009400). If the required preshared key is not set up, train users to use the following procedure to set up the required setting: - Go to Settings >> Network & Internet >> Hotspot & tethering. - Enable "Wi-Fi hotspot". - Tap on "Wi-Fi Hotspot" to the left of the slide to bring up the configuration options. - Click the "Security" link and select "WPA2/WPA3-Personal" or "WPA3-Personal". API: addUserRestriction, DISALLOW_CONFIG_TETHERING

b
Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes.
SC-39 - Medium - CCI-002530 - V-276646 - SV-276646r1139460_rule
RMF Control
SC-39
Severity
M
CCI
CCI-002530
Version
KNOX-16-007900
Vuln IDs
  • V-276646
Rule IDs
  • SV-276646r1139460_rule
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DOD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF.1.1 #42, FDP_ACF_EXT.1.2
Checks: C-80801r1139458_chk

Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are enabling an access control policy that prevents application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, set "Cross profile copy/paste" to "Disallow". On the Samsung Android device: 1. Using any Work app, copy text to the clipboard. 2. Using any Personal app, verify the clipboard text cannot be pasted. If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal app, this is a finding.

Fix: F-80706r1139459_fix

Configure the Samsung Android devices to enable an access control policy that prevents application processes and groups of application processes from accessing all data stored by other application processes and groups of application processes. On the management tool, in the Work profile restrictions section, set "Cross profile copy/paste" to "Disallow". API: addUserRestriction, DISALLOW_CROSS_PROFILE_COPY_PASTE

b
Samsung Android must be configured to disable developer modes.
CM-7 - Medium - CCI-000381 - V-276647 - SV-276647r1139463_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
KNOX-16-006400
Vuln IDs
  • V-276647
Rule IDs
  • SV-276647r1139463_rule
Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DOD sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF.1.1 #26
Checks: C-80802r1139461_chk

Review the configuration to determine if the Samsung Android devices are disabling developer modes. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Debugging Features" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> About phone >> Software information. 2. Tap on the Build Number to try to enable "Developer Options" and validate that action is blocked. If on the management tool "Debugging Features" is not set to "Disallow" or on the Samsung Android device "Developer options" action is not blocked, this is a finding.

Fix: F-80707r1139462_fix

Configure the Samsung Android devices to disable developer modes. On the management tool, in the device restrictions, set "Debugging Features" to "Disallow". API: addUserRestriction, DISALLOW_DEBUGGING_FEATURES

b
Samsung Android 16 must disable the ability of the user to wipe the device.
CM-6 - Medium - CCI-000366 - V-276648 - SV-276648r1183743_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-011000
Vuln IDs
  • V-276648
Rule IDs
  • SV-276648r1183743_rule
This feature must be disabled in order to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users could wipe the device, which would violate DOD policy. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80803r1183740_chk

Verify the Android device user has been trained to not perform a factory wipe without the approval of the authorizing official (AO). Confirm by reviewing the site's mobile device training records or the User Agreement. This is a User-Based Enforcement (UBE) control. If the Android device user has not been trained to not perform a factory wipe without the approval of the AO, this is a finding.

Fix: F-80708r1183742_fix

Train users to not perform a factory reset on the Android device without AO approval. Document training via the site's mobile device training records or the User Agreement. This is a User-Based Enforcement (UBE) control. Note: It is not possible for the MDM to enforce this control when the Android device is deployed in COPE mode.

b
Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DOD-approved commercial app repository, management tool server, or mobile application store.
CM-6 - Medium - CCI-000366 - V-276649 - SV-276649r1139469_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-005400
Vuln IDs
  • V-276649
Rule IDs
  • SV-276649r1139469_rule
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DOD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #8
Checks: C-80804r1139467_chk

Review the configuration to determine if the Samsung Android devices are disabling unauthorized application repositories. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, verify "installs from unknown sources globally" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Install unknown apps. 2. Verify each app listed has the status "Disabled" under the app name or no apps are listed. On COPE devices, confirm this in both the "Personal" and "Work" tabs. If on the management tool "installs from unknown sources globally" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding.

Fix: F-80709r1139468_fix

Configure the Samsung Android devices to disable unauthorized application repositories. COPE: On the management tool, in the Work profile restrictions, set "installs from unknown sources globally" to "Disallow". COBO: On the management tool, in the device restrictions, set "installs from unknown sources globally" to "Disallow". Note: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received. API: addUserRestriction, DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY

b
Samsung Android must be configured to not allow backup of all applications and configuration data to remote systems. (This requirement applies to the Work Profile for COPE.) - Disable Data Sync Framework.
SC-4 - Medium - CCI-001090 - V-276650 - SV-276650r1139472_rule
RMF Control
SC-4
Severity
M
CCI
CCI-001090
Version
KNOX-16-007400
Vuln IDs
  • V-276650
Rule IDs
  • SV-276650r1139472_rule
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DOD devices may synchronize DOD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. The Data Sync Framework allows apps to synchronize data between the mobile device and other web-based services. This uses accounts for services the user has added to the mobile device. Preventing the user from adding accounts to the device mitigates this risk. For COBO/COPE (work profile) data cannot be backed up remotely via Backup Services. Work (profile) data could be backed up thru adding an account to an app that supports the data sync framework; however, this is mitigated by preventing adding any accounts to the Work profile. SFR ID: FMT_SMF_EXT.1.1 #40 SFR ID: FMT_SMF.1.1 #40
Checks: C-80805r1139470_chk

Verify requirement KNOX-16-009200 (disallow modify accounts) has been implemented. If "disallow modify accounts" has not been implemented, this is a finding.

Fix: F-80710r1139471_fix

Disallow modify accounts (refer to requirement KNOX-16-009200). API: addUserRestriction, DISALLOW_MODIFY_ACCOUNTS

b
Samsung Android's Work profile must be configured to prevent users from adding personal email accounts to the work email app.
CM-6 - Medium - CCI-000366 - V-276651 - SV-276651r1139475_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009200
Vuln IDs
  • V-276651
Rule IDs
  • SV-276651r1139475_rule
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the Administrator or to allow-listed accounts mitigates this vulnerability. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80806r1139473_chk

Review the configuration to determine if the Samsung Android devices are preventing users from adding personal email accounts to the work email app. On the management tool, in the device restrictions section, verify "Modify accounts" is set to "Disallow". COPE: On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts. 2. Navigate to the "Work" tab. 3. Verify no account can be added. COBO: On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts. 2. Verify no account can be added. If on the management tool "Modify accounts" is not set to "Disallow", or on the Samsung Android device an account can be added, this is a finding.

Fix: F-80711r1139474_fix

Configure the Samsung Android devices to prevent users from adding personal email accounts to the work email app. On the management tool, in the Work profile restrictions, set "Modify accounts" to "Disallow". (COPE) On the management tool, in the device restrictions, set "Modify accounts" to "Disallow". (COBO) API: addUserRestriction, DISALLOW_MODIFY_ACCOUNTS

c
Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
SC-28 - High - CCI-001199 - V-276652 - SV-276652r1139478_rule
RMF Control
SC-28
Severity
H
CCI
CCI-001199
Version
KNOX-16-006000
Vuln IDs
  • V-276652
Rule IDs
  • SV-276652r1139478_rule
The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF.1.1 #20, #47d
Checks: C-80807r1139476_chk

Review the configuration to determine if the Samsung Android devices are either enabling data-at-rest protection for removable media or disabling their use. This requirement is not applicable for devices that do not support removable storage media. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Mount physical media" is set to "Disallow". On the Samsung Android device, verify that a microSD card cannot be mounted. The device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files. If on the management tool "Mount physical media" is not set to "Disallow", or on the Samsung Android device a microSD card can be mounted, this is a finding.

Fix: F-80712r1139477_fix

Configure the Samsung Android devices to enable data-at-rest protection for removable media, or alternatively, disable their use. This requirement is not applicable for devices that do not support removable storage media. On the management tool, in the device restrictions, set "Mount physical media" to "Disallow". This disables the use of all removable storage, e.g., microSD cards, USB thumb drives, etc. If the deployment requires the use of microSD cards, Knox Platform for Enterprise (KPE) can be used to allow them in a STIG-approved configuration. In this case, do not configure this policy, and instead replace with KPE policy (innately by the management tool or via Knox Service Plugin [KSP]) "Enforce external storage encryption" with value "enable". API: addUserRestriction, DISALLOW_MOUNT_PHYSICAL_MEDIA

a
Samsung Android 16 must disable wireless printing.
CM-6 - Low - CCI-000366 - V-276653 - SV-276653r1139481_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-16-011200
Vuln IDs
  • V-276653
Rule IDs
  • SV-276653r1139481_rule
Wireless printing allows the printing of sensitive DOD documents to non-DOD controlled printers, which may lead to the exposure of sensitive DOD information. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80808r1139479_chk

Review configuration settings to confirm wireless printing has been disabled. This check procedure is performed on the device management tool and the Samsung Android 16 device. On the MDM console: COBO/COPE procedures: 1. Open user restrictions. 2. Verify that "Disallow printing" is enabled. On the managed Samsung Android 16 device: COBO/COPE procedures: 1. Open a document or image from the file app and try to print. 2. Verify the printer cannot print. If wireless printing has not been disabled, this is a finding.

Fix: F-80713r1139480_fix

Configure Samsung Android 16 device to disable wireless printing. On the MDM console, do the following: COBO procedures: 1. Open user restrictions. 2. Enable "Disallow printing". COPE procedures: 1. Open user restrictions. 2. Enable "Disallow printing". API: addUserRestriction, DISALLOW_PRINTING

b
Samsung Android must be configured to disable USB mass storage mode.
SC-41 - Medium - CCI-002546 - V-276654 - SV-276654r1139484_rule
RMF Control
SC-41
Severity
M
CCI
CCI-002546
Version
KNOX-16-007200
Vuln IDs
  • V-276654
Rule IDs
  • SV-276654r1139484_rule
USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF.1.1 #39
Checks: C-80809r1139482_chk

Review the configuration to determine if the Samsung Android devices are disabling USB mass storage mode. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "USB file transfer" has been set to "Disallow". On the Samsung Android device, from the "USB for file transfer" notification, verify that a "File Transfer" is not an option. If on the management tool "USB file transfer" is not set to "Disallow", or on the Samsung Android device a "File Transfer" is an option, this is a finding.

Fix: F-80714r1139483_fix

Configure the Samsung Android devices to disable USB mass storage mode. On the management tool, in the device restrictions, set "USB file transfer" to "Disallow". DeX drag and drop file transfer capabilities will be prohibited, but all other DeX capabilities remain usable. API: addUserRestriction, DISALLOW_USB_FILE_TRANSFER

b
Samsung Android must be configured to not allow backup of all applications and configuration data to locally connected systems.
SC-4 - Medium - CCI-001090 - V-276655 - SV-276655r1139487_rule
RMF Control
SC-4
Severity
M
CCI
CCI-001090
Version
KNOX-16-007300
Vuln IDs
  • V-276655
Rule IDs
  • SV-276655r1139487_rule
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF.1.1 #40
Checks: C-80810r1139485_chk

Verify requirement KNOX-16-007200 (disallow USB file transfer) has been implemented. If "Disallow USB file transfer" has not been implemented, this is a finding.

Fix: F-80715r1139486_fix

Ensure "USB file transfer" has been disallowed (refer to requirement KNOX-16-007200). API: addUserRestriction, DISALLOW_USB_FILE_TRANSFER

b
Samsung Android must be configured to disable ad hoc wireless client-to-client connection capability.
SC-40 - Medium - CCI-002536 - V-276656 - SV-276656r1139490_rule
RMF Control
SC-40
Severity
M
CCI
CCI-002536
Version
KNOX-16-008400
Vuln IDs
  • V-276656
Rule IDs
  • SV-276656r1139490_rule
Ad hoc wireless client-to-client connections allow mobile devices to communicate with each other directly, circumventing network security policies and making the traffic invisible. This could allow the exposure of sensitive DOD data and increase the risk of downloading and installing malware of the DOD mobile device. SFR ID: FMT_SMF_EXT.1.1/WLAN
Checks: C-80811r1139488_chk

Review the configuration to determine if the Samsung Android devices are disallowing Wi-Fi Direct. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the user restrictions, verify "Wi-Fi Direct" has been set to "Disallow". On the Samsung Android device: 1. Open Settings >> Connections >> Wi-Fi. 2. From the hamburger menu, select Wi-Fi Direct. 3. Verify that Wi-Fi Direct cannot be selected. If on the management tool "Wi-Fi Direct" is not set to "Disallow", or on the Samsung Android device a Wi-Fi direct device is listed that can be connected to, this is a finding.

Fix: F-80716r1139489_fix

Configure the Samsung Android devices to disallow Wi-Fi Direct. On the management tool, in the user restrictions, set "Wi-Fi Direct" to "Disallow". Wi-Fi direct connections and pairing between devices will become unavailable. API: addUserRestriction, DISALLOW_WIFI_DIRECT 

b
The Samsung Android device must be configured to enforce that Wi-Fi Sharing is disabled.
CM-6 - Medium - CCI-000366 - V-276657 - SV-276657r1140698_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009700
Vuln IDs
  • V-276657
Rule IDs
  • SV-276657r1140698_rule
Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection. Wi-Fi Sharing grants the "other" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a preshared key for personal hotspots. SFR ID: FMT_SMF.1.1 #47
Checks: C-80812r1140697_chk

Review device configuration settings to confirm Wi-Fi Sharing is disabled. Mobile Hotspot must be enabled to enable Wi-Fi Sharing. If the authorizing official (AO) has not approved Mobile Hotspot, and it has been verified as disabled on the EMM console, no further action is needed. If Mobile Hotspot is being used, use the following procedure to verify Wi-Fi Sharing is disabled: This is a "User-Based Enforcement (UBE)" control. Check a sample of Samsung phones at the site and verify that the mobile hotspot Wi-Fi sharing option is toggled to "Off". - Go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot. - Tap "Network name". - Tap "Advanced". - Verify "Wi-Fi sharing" is toggled off or the option is disabled. If the Wi-Fi sharing is not set to disabled, this is a finding. On the EMM console: COBO: 1. Open "Set user restrictions". 2. Verify "Disallow sharing admin configured Wi-Fi" is toggled to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Verify "Disallow sharing admin configured Wi-Fi" it toggled to "ON". If on the EMM console, "Disallow sharing admin configured Wi-Fi" is not enabled, this is a finding.

Fix: F-80717r1139492_fix

Configure the Samsung Android 16 device to disable Wi-Fi Sharing. Mobile Hotspot must be enabled to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the EMM console, no further action is needed. If Mobile Hotspot is being used, then use the following procedure and "User-Based Enforcement (UBE)" control: Train users to disable/not enable Samsung Wi-Fi Sharing. Refer to STIG requirement KNOX-16-009700. - Go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot. - Tap "Network name". - Tap "Advanced". - Verify "Wi-Fi sharing" is toggled off or the option is disabled. On the EMM console: COBO: 1. Open "Set user restrictions". 2. Toggle "Disallow sharing admin configured Wi-Fi" to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow sharing admin configured Wi-Fi" to "ON". On COBO devices, KPE policy can be used to configure this setting without "User-Based Enforcement (UBE)" control, by setting the "Allow Wi-Fi Sharing" option in KSP to disable. API: DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI

b
Samsung Android's Work profile must have the DOD root and intermediate PKI certificates installed.
CM-6 - Medium - CCI-000366 - V-276658 - SV-276658r1139496_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009000
Vuln IDs
  • V-276658
Rule IDs
  • SV-276658r1139496_rule
DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DOD root and intermediate PKI certificates greatly diminishes the risk of this attack. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80813r1139494_chk

COPE: Review the configuration to determine if the Samsung Android's Work profile has the DOD root and intermediate PKI certificates installed. This validation procedure is performed on both the management tool and the Samsung Android device. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the Work profile policy management, verify the DOD root and intermediate PKI certificates are installed. On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the User tab, verify the DOD root and intermediate PKI certificates are listed in the Work profile. If on the management tool the DOD root and intermediate PKI certificates are not listed in the Work profile, or on the Samsung Android device the DOD root and intermediate PKI certificates are not listed in the Work profile, this is a finding. COBO: Review the configuration to determine if the Samsung Android devices have the DOD root and intermediate PKI certificates installed. This validation procedure is performed on both the management tool and the Samsung Android device. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the device policy management, verify the DOD root and intermediate PKI certificates are installed. On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the User tab, verify the DOD root and intermediate PKI certificates are listed in the device. If on the management tool the DOD root and intermediate PKI certificates are not listed in the device, or on the Samsung Android device the DOD root and intermediate PKI certificates are not listed in the device, this is a finding.

Fix: F-80718r1139495_fix

Install the DOD root and intermediate PKI certificates into the Samsung Android devices (install in Work profile for COPE). The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the device policy management (Work profile for COPE), install the DOD root and intermediate PKI certificates. API: installCaCert

b
The Samsung Android device work profile must be configured to enforce the system application disable list.
CM-6 - Medium - CCI-000366 - V-276659 - SV-276659r1139499_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009800
Vuln IDs
  • V-276659
Rule IDs
  • SV-276659r1139499_rule
The system application disable list controls user access to/execution of all core and preinstalled applications. Core application: Any application integrated into Samsung Android 16 by Samsung. Preinstalled application: Additional noncore applications included in the Samsung Android 16 build by Samsung or the wireless carrier. Some system applications can compromise DOD data or upload users' information to non-DOD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DOD data or DOD user information. The site administrator must analyze all preinstalled applications on the device and disable all applications not approved for DOD use by configuring the system application disable list. SFR ID: FMT_SMF.1.1 #47
Checks: C-80814r1139497_chk

Review the configuration to confirm the system application disable list is enforced. This setting is enforced by default. Verify only approved system apps have been placed on the core allowlist. This procedure is performed on the management tool. Review the system app allowlist and verify only approved apps are on the list. On the management tool, in the Apps management section, select "Unhide apps" and verify the names of the apps listed. If on the management tool the system app allowlist contains unapproved core apps, this is a finding.

Fix: F-80719r1139498_fix

Configure the Samsung Android 16 device to enforce the system application disable list. The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool: 1. Open the "Apps management" section. 2. Select "Hide apps". 3. Enter names of apps to hide. Configure a list of approved Samsung core and preinstalled apps in the core app allowlist. API: setApplicationHidden

b
The Samsung Android device work profile must be configured to disable automatic completion of work space internet browser text input.
CM-6 - Medium - CCI-000366 - V-276660 - SV-276660r1139502_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-010000
Vuln IDs
  • V-276660
Rule IDs
  • SV-276660r1139502_rule
The autofill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill functionality, an adversary who learns a user's Android device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the autofill feature to provide information unknown to the adversary. By disabling the autofill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. SFR ID: FMT_SMF.1.1 #47
Checks: C-80815r1139500_chk

Review the work profile Chrome Browser app on the Samsung device autofill setting. This validation procedure is performed on the management tool. On the management tool: 1. Open "Managed Configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Verify "PasswordManagerEnabled" is turned "OFF". 4. Verify "AutofillAddressEnabled" is turned "OFF". 5. Verify "AutofillCreditCardEnabled" is turned "OFF". If on the management tool any of the browser autofill settings are set to "On" in the Chrome Browser Settings, this is a finding.

Fix: F-80720r1139501_fix

Configure the Samsung device to disable the autofill functionality. The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool: 1. Open the "Managed configurations" section. 2. Select the Chrome Browser version from the work profile. 3. Ensure "PasswordManagerEnabled" is turned "OFF". 4. Ensure "AutofillAddressEnabled" is turned "OFF". 5. Ensure "AutofillCreditCardEnabled" is turned "OFF". API: setApplicationRestrictions

a
Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.
IA-5 - Low - CCI-000185 - V-276661 - SV-276661r1139505_rule
RMF Control
IA-5
Severity
L
CCI
CCI-000185
Version
KNOX-16-000700
Vuln IDs
  • V-276661
Rule IDs
  • SV-276661r1139505_rule
Certificate-based security controls depend on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DOD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree. SFR ID: FIA_X509_EXT_2.2
Checks: C-80816r1139503_chk

Verify requirement KNOX-16-009300 (Common Criteria mode) has been implemented. If "Common Criteria mode" has not been implemented, this is a finding.

Fix: F-80721r1139504_fix

Implement "Common Criteria mode" (refer to requirement KNOX-16-009300). API: setCommonCriteriaModeEnabled

a
Samsung Android's Work profile must be configured to enable Common Criteria (CC) mode.
CM-6 - Low - CCI-000366 - V-276662 - SV-276662r1139508_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-16-009300
Vuln IDs
  • V-276662
Rule IDs
  • SV-276662r1139508_rule
The CC mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC mode is not implemented, the device will not be operating in the NIAP-certified compliant CC mode of operation. When enforcing Android Enterprise (AE) CC mode on a Samsung Android device, additional Samsung-specific security features are also enabled. CC mode implements the following behavioral/functional changes to meet MDFPP requirements: - How the Bluetooth and Wi-Fi keys are stored using different types of encryption. - Download mode is disabled and all updates will occur via Firmware Over the Air (FOTA) only. In addition, CC mode adds new restrictions not to meet MDFPP requirements but to offer better security above what is required: - Force password info following FOTA update for consistency. - Disable Remote unlock by FindMyMobile. - Restrict biometric attempts to 10. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80817r1139506_chk

Review the configuration to determine if the Samsung Android devices are enabling CC mode. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, verify "Common Criteria mode" is set to "Enable". On the Samsung Android device, put the device into "Download mode" (press and hold down the Home + Power + Volume Down buttons at the same time) and verify the text "Blocked by CC Mode" is displayed on the screen. If on the management tool "Common Criteria mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.

Fix: F-80722r1139507_fix

Configure the Samsung Android devices to enable CC mode. On the management tool, in the Work profile restrictions, set "Common Criteria mode" to "Enable". API: setCommonCriteriaModeEnabled

a
Samsung Android must be configured to display the DOD advisory warning message at startup or each time the user unlocks the device.
AC-8 - Low - CCI-000048 - V-276663 - SV-276663r1139511_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
KNOX-16-006700
Vuln IDs
  • V-276663
Rule IDs
  • SV-276663r1139511_rule
Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction. System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK." The approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. Refer to User Agreement for details. For devices with severe character limitations, the banner text is: I've read & consent to terms in IS user agreem't. The Administrator must configure the banner text exactly as written without any changes. SFR ID: FMT_SMF.1.1 #36
Checks: C-80818r1139509_chk

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool and the Samsung Android device. Validation procedure for Method #1: Place the DOD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Review the signed user agreements for several Samsung Android device users and verify the agreement includes the required DOD warning banner text. Validation procedure for Method #2 (preferred method): Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, verify "Lock Screen Message" is set to the DOD-mandated warning banner text. On the Samsung Android device, verify the required DOD warning banner text is displayed on the Lock screen. If the warning text has not been placed in the signed user agreement, or if on the management tool "Lock Screen Message" is not set to the DOD-mandated warning banner text, or on the Samsung Android device the required DOD warning banner text is not displayed on the Lock screen, this is a finding.

Fix: F-80723r1139510_fix

Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Description): Method #1: Place the DOD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Method #2 (preferred method): Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, set "Lock Screen Message" to the DOD-mandated warning banner text. API: setDeviceOwnerLockScreenInfo

b
Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.
IA-2 - Medium - CCI-000765 - V-276664 - SV-276664r1139514_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000765
Version
KNOX-16-006100
Vuln IDs
  • V-276664
Rule IDs
  • SV-276664r1139514_rule
Note: This requirement is Not Applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. The biometric factor can be used to authenticate the user to unlock the mobile device. Unapproved/evaluated biometric mechanisms could allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of unapproved/evaluated biometric authentication mechanisms, this risk is mitigated. SFR ID: FMT_SMF.1.1 #22, FIA_UAU.5.1
Checks: C-80819r1139512_chk

Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Review the configuration to determine if the Samsung Android devices are disabling Face Recognition. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool in the device restrictions, verify "Face recognition" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Lock screen and AOD >> Screen lock and biometrics. 2. Enter current password. 3. Open "Face recognition" and, if required, register a face. 4. Verify the "Face unlock" option is disabled and cannot be enabled. If on the management tool "Face recognition" is not set to "Disable", or on the Samsung Android device "Face unlock" can be enabled, this is a finding.

Fix: F-80724r1139513_fix

Note: This requirement is not applicable for specific biometric authentication factors included in the product's Common Criteria evaluation. Configure the Samsung Android devices to disable Face Recognition. On the management tool, in the device restrictions, set "Face Recognition" to "Disable". API: setKeyguardDisabledFeatures, KEYGUARD_DISABLE_FACE

b
Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.
IA-2 - Medium - CCI-000765 - V-276665 - SV-276665r1139517_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000765
Version
KNOX-16-005200
Vuln IDs
  • V-276665
Rule IDs
  • SV-276665r1139517_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF.1.1 #2
Checks: C-80820r1139515_chk

Review the configuration to determine if the Samsung Android devices are disabling Trust Agents. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Trust Agents" are set to "Disable". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Trust agents. 2. Verify all listed Trust Agents are disabled and cannot be enabled. If a Trust Agent is not disabled in the list, verify for that Trust Agent, all of its listed Trustlets are disabled and cannot be enabled. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" or "Trustlet" can be enabled, this is a finding. Note: If the management tool has been correctly configured but a Trust Agent is still enabled, configure the "List of approved apps listed in managed Google Play" to disable it; refer to KNOX-16-005500. Exception: Trust Agents may be used if the authorizing official (AO) allows a screen lock timeout after four hours (or more) of inactivity. This may be applicable to tactical use case.

Fix: F-80725r1139516_fix

Configure the Samsung Android devices to disable Trust Agents. On the management tool, in the device restrictions, set "Trust Agents" to "Disable". API: setKeyguardDisabledFeatures, KEYGUARD_DISABLE_TRUST_AGENTS or setTrustAgentConfiguration

b
Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.
AC-11 - Medium - CCI-000060 - V-276666 - SV-276666r1139520_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000060
Version
KNOX-16-005800
Vuln IDs
  • V-276666
Rule IDs
  • SV-276666r1139520_rule
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF.1.1 #18
Checks: C-80821r1139518_chk

Review the configuration to determine if the Samsung Android devices are not displaying (Work Environment) notifications when the device is locked. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work profile restrictions section, verify "Unredacted Notifications" is set to "Disallow". COPE: On the Samsung Android device: 1. Open Settings >> Notifications >> Lock screen. 2. Verify configuration of "Sensitive work profile notifications" is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Sensitive work profile notifications" is not disabled, this is a finding. COBO: On the Samsung Android device: 1. Open Settings >> Notifications. 2. Verify "Lock screen" menu is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Notifications" menu is not disabled, this is a finding.

Fix: F-80726r1139519_fix

Configure the Samsung Android devices to not display (Work Environment) notifications when the device is locked. On the management tool, in the Work profile restrictions section, set "Unredacted Notifications" to "Disallow". API: setKeyguardDisabledFeatures, KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS

b
Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
AC-7 - Medium - CCI-000044 - V-276667 - SV-276667r1139523_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
KNOX-16-005300
Vuln IDs
  • V-276667
Rule IDs
  • SV-276667r1139523_rule
The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or fewer attempts gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF.1.1 #2, FIA_AFL_EXT.1.5
Checks: C-80822r1139521_chk

Review the configuration to determine if the Samsung Android devices are allowing only 10 or fewer consecutive failed authentication attempts. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "max password failures for local wipe" is set to "10" attempts or less. On the Samsung Android device: 1. Open Settings >> Lock screen and AOD. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Verify "Auto factory reset" is grayed out, and cannot be configured. Note: When "Auto factory reset" is grayed out, this indicates the Administrator (MDM) is in control of the setting to wipe the device after 10 or fewer consecutive failed authentication attempts. If on the management tool "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device the "Auto factory reset" menu can be configured, this is a finding.

Fix: F-80727r1139522_fix

Configure the Samsung Android devices to allow only 10 or fewer consecutive failed authentication attempts. On the management tool, in the device password policies, set "max password failures for local wipe" to "10" attempts or fewer. A device password must be set for "max password failures for local wipe" to become active. API: setMaximumFailedPasswordsForWipe

b
Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
AC-11 - Medium - CCI-000057 - V-276668 - SV-276668r1139526_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
KNOX-16-005100
Vuln IDs
  • V-276668
Rule IDs
  • SV-276668r1139526_rule
The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF.1.1 #2
Checks: C-80823r1139524_chk

Review the configuration to determine if the Samsung Android devices are locking the device display after 15 minutes (or less) of inactivity. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device: 1. Open Settings >> Lock screen and AOD. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Tap "Auto lock when screen turns off". 5. Verify the listed timeout values are 15 minutes or less. If on the management tool "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device "Secure lock settings" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.

Fix: F-80728r1139525_fix

Configure the Samsung Android devices to lock the device display after 15 minutes (or less) of inactivity. On the management tool, in the device password policies, set "max time to screen lock" to "15 minutes" or less. A device password must be set for "max time to screen lock" to become active. API: setMaximumTimeToLock

a
The Samsung Android device must be configured to perform the following management function: Disable Phone Hub.
SC-4 - Low - CCI-001090 - V-276669 - SV-276669r1139529_rule
RMF Control
SC-4
Severity
L
CCI
CCI-001090
Version
KNOX-16-010400
Vuln IDs
  • V-276669
Rule IDs
  • SV-276669r1139529_rule
It may be possible to transfer work profile data on a DOD Android device to an unauthorized Chromebook if the user has the same Google Account set up on the Chromebook. This may result in the exposure of sensitive DOD data. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80824r1139527_chk

Review the management tool to confirm Phone Hub has been disabled. On the management tool: 1. Open "Nearby notification streaming policy". 2. Verify "Nearby notification streaming policy" is set to "Disabled". 3. Open "Nearby app streaming policy". 4. Verify "Nearby app streaming policy" is set to "Disabled". If on the management tool the "Nearby Streaming Policy" is not set to "Disabled", this is a finding. Note: From a Chromebook, if a device is connected to the Phone Hub, try to set up the Notifications. It will fail to connect to the device to complete the setup if Phone Hub has been disabled on the DOD Android device.

Fix: F-80729r1139528_fix

Configure the Samsung device to disable the nearby notification and app streaming policy to disable Phone Hub. On the management tool: 1. Open "Nearby notification streaming policy". 2. Set "Nearby notification streaming policy" to "Disabled". 3. Open "Nearby app streaming policy". 4. Set "Nearby app streaming policy" to "Disabled". API: setNearbyNotificationStreamingPolicy

b
Samsung Android must be configured to enforce a minimum password length of six characters.
Medium - CCI-004066 - V-276670 - SV-276670r1139532_rule
RMF Control
Severity
M
CCI
CCI-004066
Version
KNOX-16-004900
Vuln IDs
  • V-276670
Rule IDs
  • SV-276670r1139532_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can complete each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF.1.1 #1
Checks: C-80825r1139530_chk

Review the configuration to determine if the Samsung Android devices are enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password length" is set to "6". On the Samsung Android device: 1. Open Settings >> Lock screen and AOD >> Screen lock and biometrics. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If on the management tool "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.

Fix: F-80730r1139531_fix

Configure the Samsung Android devices to enforce a minimum password length of six characters. On the management tool, in the device password policies, set "minimum password length" to "6". API: setPasswordMinimumLength

b
Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.
Medium - CCI-004066 - V-276671 - SV-276671r1139535_rule
RMF Control
Severity
M
CCI
CCI-004066
Version
KNOX-16-005000
Vuln IDs
  • V-276671
Rule IDs
  • SV-276671r1139535_rule
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF.1.1 #1
Checks: C-80826r1139533_chk

Review the configuration to determine if the Samsung Android devices are disallowing passwords containing more than four repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better. On the Samsung Android device: 1. Open Settings >> Lock screen and AOD >> Screen lock and biometrics. 2. Enter current password. 3. Tap "PIN". 4. Verify PINs with more than four repeating or sequential numbers are not accepted. If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.

Fix: F-80731r1139534_fix

Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters. On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better. If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via KSP) "Maximum Numeric Sequence Length" with value "4". API: setPasswordQuality or setRequiredPasswordComplexity

a
The Samsung Android device must be configured to disable the use of third-party keyboards.
CM-6 - Low - CCI-000366 - V-276672 - SV-276672r1139538_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-16-010200
Vuln IDs
  • V-276672
Rule IDs
  • SV-276672r1139538_rule
Many third-party keyboard applications are known to contain malware. SFR ID: FMT_SMF.1.1 #47
Checks: C-80827r1139536_chk

Review the managed Samsung device configuration settings to confirm that no third-party keyboards are enabled. This procedure is performed on the management tool. On the management tool: 1. Open "Input methods". 2. Tap "Set input methods". 3. Verify only the approved keyboards are selected. If third-party keyboards are allowed, this is a finding.

Fix: F-80732r1139537_fix

Configure the Samsung device to disallow the use of third-party keyboards. On the management tool: 1. Open "Input methods". 2. Tap "Set input methods". 3. Select only the approved keyboard. Additionally, Administrators can configure application allowlists for Google Play that do not have any third-party keyboards for user installation. API: setPermittedInputMethods

a
Samsung Android 16 must disable screen capture.
CM-6 - Low - CCI-000366 - V-276673 - SV-276673r1139778_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
KNOX-16-011300
Vuln IDs
  • V-276673
Rule IDs
  • SV-276673r1139778_rule
The feature screen capture could lead to the exposure of sensitive DOD information. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80828r1139539_chk

Review configuration settings to confirm screen capture has been disabled. This check procedure is performed on the device management tool and the Samsung Android 16 device. On the MDM console: COBO/COPE procedures: 1. Open Camera >> Screen Capture >> Audio section. 2. Verify that "Disable Screen Capture" setting is enabled. On the managed Samsung Android 16 device: COBO and COPE: 1. Press the Power button and the volume down button at the same time. Verify the message "Taking screenshots is blocked by your admin". If screen capture has not been disabled, this is a finding.

Fix: F-80733r1139777_fix

Configure Samsung Android 16 to disable screen capture. On the MDM console, do the following: COBO Procedures: 1. Open Camera >> Screen Capture >> Audio section. 2. Enable the "Disable Screen Capture" setting. COPE procedures: 1. Open Camera >> Screen Capture >> Audio section. 2. Enable the "Disable Screen Capture" setting. API: setScreenCaptureDisabled

b
Samsung Android's Work profile must be configured to enable audit logging.
CM-6 - Medium - CCI-000366 - V-276674 - SV-276674r1139544_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009100
Vuln IDs
  • V-276674
Rule IDs
  • SV-276674r1139544_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80829r1139542_chk

COPE: Review the configuration to determine if the Samsung Android devices' Work profile is enabling audit logging. This validation procedure is performed on the management tool only. On the management tool, in the Work profile restrictions, verify "Security logging" is set to "Enable". If on the management tool "Security logging" is not set to "Enable", this is a finding. COBO: Review the configuration to determine if the Samsung Android devices are enabling audit logging. This validation procedure is performed on the management tool only. On the management tool, in the device restrictions, verify "Security logging" is set to "Enable". If on the management tool "Security logging" is not set to "Enable", this is a finding.

Fix: F-80734r1139543_fix

Configure the Samsung Android devices' Work profile to enable audit logging. (COPE) Configure the Samsung Android devices to enable audit logging. (COBO) On the management tool, in the Work profile restrictions section, set "Security logging" to "Enable". API: setSecurityLoggingEnabled

b
The Samsung Android device must be configured to disable all data signaling over [assignment: list of externally accessible hardware ports (for example, USB)].
AC-6 - Medium - CCI-002235 - V-276675 - SV-276675r1139547_rule
RMF Control
AC-6
Severity
M
CCI
CCI-002235
Version
KNOX-16-010300
Vuln IDs
  • V-276675
Rule IDs
  • SV-276675r1139547_rule
If a user is able to configure the security setting, the user could inadvertently or maliciously set it to a value that poses unacceptable risk to DOD information systems. An adversary could exploit vulnerabilities created by the weaker configuration to compromise DOD sensitive information. SFR ID: FMT_MOF_EXT.1.2 #24
Checks: C-80830r1139545_chk

Review the device configuration to confirm the USB port is disabled except for charging the device. On the management tool: Verify "Disallow usb file transfer" is toggled to "OFF". If on the management tool the USB port is not disabled, this is a finding.

Fix: F-80735r1139546_fix

Configure the Samsung device to disable the USB port (except for charging the device). On the management tool: Toggle "Disallow usb file transfer" to "OFF". API: setUsbDataSignalingEnabled

b
The Samsung Android device must be configured to enable Certificate Revocation List (CRL) status checking.
CM-6 - Medium - CCI-000366 - V-276676 - SV-276676r1139550_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009600
Vuln IDs
  • V-276676
Rule IDs
  • SV-276676r1139550_rule
A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. For this reason, users must not be able to disable this configuration. Samsung Android can control CRL checking but only using Knox APIs. Alternatively, CRL checking is based on app development best practice. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80831r1139548_chk

Review the configuration to confirm that revocation checking is enabled. Verify the revocation checklist is set to the required applications. This procedure is performed on the management tool. On the management tool: 1. Open Certificates Policy >> Revocation section. 2. Select "Get CRL". 3. Verify Toast message "Get revocation check: true". If on the management tool the revocation check is disabled, this is a finding.

Fix: F-80736r1139549_fix

Configure the Samsung Android devices to enable CRL revocation checks for required applications. These revocation checks must be enabled using the Knox KPE APIs. On the management tool, in the Certificate Policy restrictions, enable "Revocation Checks" for required applications. KPE provides an API to check for Certificate revocation.

b
Samsung Android allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
IA-7 - Medium - CCI-000803 - V-276677 - SV-276677r1139553_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
KNOX-16-005700
Vuln IDs
  • V-276677
Rule IDs
  • SV-276677r1139553_rule
Sensitive DOD data could be exposed when an AI app processes device data in the cloud. SFR ID: FMT_SMF.1.1 #8
Checks: C-80832r1139551_chk

Review managed Samsung Android 16 device configuration settings to determine if the mobile device has an AI application that processes device data in the cloud, including Google Gemini. Verify requirement KNOX-16-009200 (disallow modify accounts) has been implemented. Verify the KPE API "isIntelligenceOnlineProcessingAllowed()" returns false or that the KSP configuration has the restriction "Allow process data only on device" set to true. If any AI applications that processes data in the cloud are included in the MDM console of allowed apps or "Allow process data only on device" is not set to true, this is a finding.

Fix: F-80737r1139552_fix

This validation procedure is performed only on the EMM Administration Console. On the EMM console: 1. Review the list of selected Managed Google Play apps. 2. Verify no AI applications that processes device data in the cloud, including Google Gemini, are included. Note: This restriction does not include Galaxy on device AI. Galaxy on device AI is a "built-in" capability of Android 16 and processes device data on the device. If the EMM console device policy includes AI applications that processes device data in the cloud, including Google Gemini, this is a finding. Disallow modify accounts (refer to requirement KNOX-16-009200). If "disallow modify accounts" has not been implemented, this is a finding. Apply the "Disallow Intelligence Online Processing" using the KPE API or KSP. The KPE API is allowIntelligenceOnlineProcessing(false) and the KSP restriction is "Allow process data only on device", which should be set to true. KPE: allowIntelligenceOnlineProcessing

b
Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
CM-7 - Medium - CCI-001764 - V-276722 - SV-276722r1139688_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001764
Version
KNOX-16-005500
Vuln IDs
  • V-276722
Rule IDs
  • SV-276722r1139688_rule
The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. Core application: Any application integrated into the OS by the OS or MD vendors. Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications. The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and preinstalled applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. SFR ID: FMT_SMF.1.1 #8
Checks: C-80877r1139686_chk

COPE: Review the configuration to determine if the Work profile on the Samsung Android device is allowing users to install only applications that have been approved by the authorizing official (AO). COBO: Review the configuration to determine if the Samsung Android devices are allowing users to install only applications that have been approved by the AO. This validation procedure is performed only on the management tool. On the management tool, in the app catalog for managed Google Play, verify that only AO-approved apps are available. If on the management tool the app catalog for managed Google Play includes non-AO-approved apps, this is a finding.

Fix: F-80782r1139687_fix

COPE: Configure the Work profile on Samsung Android devices to allow users to install only applications that have been approved by the AO. COBO: Configure Samsung Android devices to allow users to install only applications that have been approved by the AO. In addition to any local policy, the AO must not approve applications that have certain prohibited characteristics; these are covered in KNOX-16-005600. On the management tool, in the app catalog for managed Google Play, add each AO-approved app to be available. Note: Managed Google Play is an allowed App Store.

b
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/140-3-validated) data sharing with other MDs or printers. - Apps that backup their own data to a remote system. - Apps that render TV shows and movies.
IA-7 - Medium - CCI-000803 - V-276723 - SV-276723r1139691_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
KNOX-16-005600
Vuln IDs
  • V-276723
Rule IDs
  • SV-276723r1139691_rule
Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DOD data or have features with no known application in the DOD environment. Application note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications. Core application: Any application integrated into the OS by the OS or MD vendors. Preinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. SFR ID: FMT_SMF.1.1 #8
Checks: C-80878r1139689_chk

Verify requirement KNOX-16-005500 (managed Google Play) has been implemented. Verify no apps with unapproved apps are listed in approved apps. If managed Google Play has not been implemented or unapproved apps are allowed, this is a finding.

Fix: F-80783r1139690_fix

The authorizing official (AO) must not approve applications with the following characteristics for installation by users in the Work profile: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-2/140-3-validated) data sharing with other MDs, display screens (screen mirroring), or printers. - Apps that backup their own data to a remote system. - Apps that render TV shows and movies. Implement managed Google Play (refer to requirement KNOX-16-005500).

b
Samsung Android must be enrolled as a COPE device.
CM-6 - Medium - CCI-000366 - V-276739 - SV-276739r1139739_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-008800
Vuln IDs
  • V-276739
Rule IDs
  • SV-276739r1139739_rule
The Work profile is the designated application group for the COPE use case. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80894r1139737_chk

Review the configuration to determine if the Samsung Android devices are enrolled in a DOD-approved use case. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, verify the default enrollment is set to "Work profile for company-owned devices". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Device admin apps. 2. Verify the management tool Agent is listed. 3. Go to the app drawer. 4. Verify a "Personal" and "Work" tab are present. If on the management tool the default enrollment is not set as "Work profile for company-owned devices", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.

Fix: F-80799r1139738_fix

Enroll the Samsung Android devices in a DOD-approved use case. On the management tool, configure the default enrollment as "Work profile for company-owned devices". Refer to the management tool documentation to determine how to configure the device enrollment.

b
Samsung Android device users must complete required training.
CM-6 - Medium - CCI-000366 - V-276740 - SV-276740r1139774_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009400
Vuln IDs
  • V-276740
Rule IDs
  • SV-276740r1139774_rule
The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if the authorizing official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised, and DOD sensitive data may become compromised. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80895r1139740_chk

Review a sample of site User Agreements for Samsung device users or similar training records and training course content. Verify Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.

Fix: F-80800r1139773_fix

Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record. Training topics: - Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using Global Positioning System (GPS) tracking. - Need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. How to configure the following UBE controls (users must configure the control) on the Samsung device: 1. Secure use of Calendar Alarm. 2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use). 3. Do not connect Samsung devices (via either DeX Station or dongle) to any DOD network via Ethernet connection. 4. Do not upload DOD contacts via smart call and caller ID services. 5. Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space. 6. If Bluetooth connections are approved for mobile device, types of allowed connections (for example car hands-free, but not Bluetooth wireless keyboard). 7. How to perform a full device wipe. 8. Use default Wi-Fi hotspot password: 15-character complex Wi-Fi hotspot preshared password enabled ("WPA2/WPA3-personal"). AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.

c
The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.
CM-6 - High - CCI-000366 - V-276741 - SV-276741r1140694_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
KNOX-16-009500
Vuln IDs
  • V-276741
Rule IDs
  • SV-276741r1140694_rule
Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80896r1139743_chk

Review the configuration to confirm if the Samsung Android devices have the most recently released version of Samsung Android installed. This procedure is performed on both the management tool and the Samsung Android device. In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. Refer to the notes below to determine the latest available OS version. On the Samsung Android device, to determine the installed OS version: 1. Open Settings. 2. Tap "About phone". 3. Tap "Software information". If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding. Note: Some wireless carriers list the version of the latest Android OS release by mobile device model online: ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung Verizon Wireless: https://www.verizonwireless.com/support/software-updates/ Google Android OS patch website: https://source.android.com/security/bulletin/ Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb

Fix: F-80801r1140693_fix

Install the latest released version of Samsung Android OS on all managed Samsung devices. Note: In most cases, OS updates are released by the wireless carrier (for example, T-Mobile, Verizon Wireless, and ATT).

b
The Samsung Android device must be provisioned as a fully managed device and configured to create a work profile.
CM-6 - Medium - CCI-000366 - V-276742 - SV-276742r1139748_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-009900
Vuln IDs
  • V-276742
Rule IDs
  • SV-276742r1139748_rule
The Android Enterprise work profile is the designated application group for the COPE use case. SFR ID: FMT_SMF.1.1 #47
Checks: C-80897r1139746_chk

Verify requirement KNOX-16-008800 (COPE enrollment) has been implemented. If "COPE enrollment" has not been implemented, this is a finding."

Fix: F-80802r1139747_fix

Implement "COPE enrollment" (refer to requirement KNOX-16-008800).

b
Samsung Android 16 devices must have a Mobile Threat Detection (MTD) app installed.
CM-6 - Medium - CCI-000366 - V-276743 - SV-276743r1139781_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-011400
Vuln IDs
  • V-276743
Rule IDs
  • SV-276743r1139781_rule
DOD mobile devices are in constant risk of cyber threats. MTD apps mitigate these risks by providing real-time threat detection, malware prevention, and vulnerability analysis. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80898r1139749_chk

Confirm an MTD app is installed on managed Samsung Android devices. This check procedure is performed on both the device management tool and the Samsung Android device. In the MDM console, verify an MTD app is listed as a managed app being deployed to site managed devices. On the Samsung Android device: 1. Open the Settings app. 2. Tap "Apps", then "See all apps". 3. Verify an MTD app is listed. If an MTD app is not installed on the device, this is a finding.

Fix: F-80803r1139750_fix

Install an MTD app on managed Samsung Android devices.

b
Samsung Android 16 must implement the management setting: disable Camera.
CM-6 - Medium - CCI-000366 - V-276744 - SV-276744r1139780_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-011500
Vuln IDs
  • V-276744
Rule IDs
  • SV-276744r1139780_rule
Authorizing official (AO) approval is required before the mobile device camera can be enabled for a specific user or group of users, based on a risk assessment of the operational environment. Camera use may lead to the exposure of sensitive DOD information in some operational environment. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-80899r1139779_chk

Determine if the site AO has approved the use of device cameras. Look for a document showing approval for a specific user or group of users. If not approved, review configuration settings to confirm "Allow Camera" is disabled. If approved, this requirement is not applicable. Review configuration settings to confirm the device camera has been disabled. This check procedure is performed on the device management tool and the Samsung Android 16 device. On the MDM console: COBO/COPE procedures: 1. Open "Camera". 2. Verify that "disable camera" setting is disabled. On the managed Samsung Android 16 device: COBO and COPE: Verify the camera cannot be used on the mobile device. If the device camera has not been disabled, this is a finding.

Fix: F-80804r1139753_fix

If the AO has not approved the use of Samsung device camera, configure Samsung Android 16 to disable the device camera. On the MDM console, do the following: COBO/COPE Procedures: 1. Open "Camera". 2. Select "Disable camera". API: disableCamera

b
Samsung Android 16 must implement the management setting: disable the Bluetooth radio.
CM-6 - Medium - CCI-000366 - V-279246 - SV-279246r1140684_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-010600
Vuln IDs
  • V-279246
Rule IDs
  • SV-279246r1140684_rule
Authorizing official (AO) approval is required before the Samsung device Bluetooth radio can be enabled. All AO approvals must be documented and based on critical mission need. Use of Bluetooth may lead to the exposure of sensitive DOD information in some operational environments. SFR ID: FMT_MOF_EXT.1.2 #47
Checks: C-83796r1140684_chk

Determine if the site AO has approved the use of Samsung device Bluetooth radios. Locate a document showing AO approval. All AO approvals must be documented and based on critical mission need. If not approved, review configuration settings on the MDM server to confirm Bluetooth has been disabled, and on the Samsung device, verify Bluetooth cannot be enabled. If approved, this requirement is not applicable. This check procedure is performed on both the device management tool and managed Samsung device. Note: If an organization has multiple configuration profiles, the Check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the management tool, verify Bluetooth is disabled ("DISALLOW_BLUETOOTH" enabled) in the configuration profile. On the managed Samsung device verify the Bluetooth radio is disabled and cannot be enabled: Settings >> Connected devices >> Connection preferences >> Bluetooth If Bluetooth has not been disabled in the device's MDM configuration profile or if Bluetooth can be enabled on the Samsung device, this is a finding.

Fix: F-83701r1139801_fix

If the AO has not approved the use of the Samsung device Bluetooth radio, install a configuration profile to disable Bluetooth use. On the MDM console: In the configuration profile for the device, disable Bluetooth (enable "DISALLOW_BLUETOOTH")

b
The Samsung Android device must be configured to disable Wi-Fi Aware for Work Profile apps.
CM-6 - Medium - CCI-000366 - V-279247 - SV-279247r1140700_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
KNOX-16-010500
Vuln IDs
  • V-279247
Rule IDs
  • SV-279247r1140700_rule
Wi-Fi Aware allows direct connections between nearby devices for fast data transfer, video streaming, and multiplayer gaming. It allows full peer-to-peer device discovery and communication where two or more devices are publishing and/or subscribing to the same known service name. There is risk that sensitive DOD information could be transferred from a DOD mobile device to a non-DOD device or from Work Profile apps on a DOD device to Personal Profile apps on a Non-DOD device.
Checks: C-83797r1140699_chk

Review device configuration settings to confirm Wi-Fi Aware is disabled for each work profile app. This procedure is performed on the EMM console. For each Work Profile app, verify the app is configured to deny the NEARBY_WIFI_DEVICE permission. Note: Not all apps will support Wi-Fi Aware and have the NEARBY_WIFI_DEVICE permission. If on the EMM console, if the NEARBY_WIFI_DEVICE permission is not set to "deny" for all Work Profile apps that support Wi-Fi Aware, this is a finding.

Fix: F-83702r1139804_fix

Configure the Samsung Android 16 device to disable Wi-Fi Aware for all Work Profile apps. On the EMM console: For each Work Profile app, configure the NEARBY_WIFI_DEVICE permission to "deny" to block the use of Wi-Fi Aware, if the app supports this feature. If the app does not support Wi-Fi Aware, there may not be a NEARBY_WIFI_DEVICE permission available.