Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the configuration to determine if the Samsung Android devices are enrolled in a DOD-approved use case. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, verify the default enrollment is set as "Fully managed". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Device admin apps. 2. Verify the management tool Agent is listed. If on the management tool the default enrollment is not set as "Fully managed" or the management tool Agent is not listed, this is a finding.
Enroll the Samsung Android devices in a DOD-approved use case. On the management tool, configure the default enrollment as "Fully managed". Refer to the management tool documentation to determine how to configure the device enrollment.
Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool and the Samsung Android device. Validation procedure for Method #1: Place the DOD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Review the signed user agreements for several Samsung Android device users and verify the agreement includes the required DOD warning banner text. Validation procedure for Method #2: Configure the warning banner text in the Lock screen message on each managed mobile device. On the management tool, in the device restrictions section, verify "Lock Screen Message" is set to the DOD-mandated warning banner text. On the Samsung Android device, verify the required DOD warning banner text is displayed on the Lock screen. If the warning text has not been placed in the signed user agreement, or if on the management tool "Lock Screen Message" is not set to the DOD-mandated warning banner text, or on the Samsung Android device the required DOD warning banner text is not displayed on the Lock screen, this is a finding.
Configure the DOD warning banner by either of the following methods (required text is found in the Vulnerability Description): Method #1: Place the DOD warning banner in the user agreement signed by each Samsung Android device user (preferred method). Method #2: Configure the warning banner text in the lock screen message on each managed mobile device. On the management tool, in the device restrictions section, set "Lock Screen Message" to the DOD-mandated warning banner text.
Review the configuration to determine if the Samsung Android devices are disallowing passwords containing more than four repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better. On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Authenticate using current method. 3. Tap "PIN". 4. Verify PINs with more than four repeating or sequential numbers are not accepted. If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.
Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters. On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better. If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via Knox Service Plugin [KSP] "Maximum Numeric Sequence Length" with a value of "4".
Verify requirement KNOX-14-110030 (minimum password quality) has been implemented. If a minimum password quality has not been implemented, this is a finding.
Implement a minimum password quality (refer to requirement KNOX-14-110030).
Review the configuration to determine if the Samsung Android devices are enforcing a minimum password length of six characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password length" is set to "6". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry. If on the management tool "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.
Configure the Samsung Android devices to enforce a minimum password length of six characters. On the management tool, in the device password policies, set "minimum password length" to "6".
Review the configuration to determine if the Samsung Android devices are allowing only 10 or fewer consecutive failed authentication attempts. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "max password failures for local wipe" is set to "10" or fewer attempts. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Verify "Auto factory reset" is grayed out and cannot be configured. Note: When "Auto factory reset" is grayed out, this indicates the Administrator (MDM) is in control of the setting to wipe the device after 10 or fewer consecutive failed authentication attempts. If on the management tool "max password failures for local wipe" is not set to "10" or fewer attempts, or on the Samsung Android device the "Auto factory reset" menu can be configured, this is a finding.
Configure the Samsung Android devices to allow only 10 or fewer consecutive failed authentication attempts. On the management tool, in the device password policies, set "max password failures for local wipe" to "10" or fewer attempts. A device password must be set for "max password failures for local wipe" to become active.
Review the configuration to determine if the Samsung Android devices are locking the device display after 15 minutes (or less) of inactivity. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Tap "Auto lock when screen turns off". 5. Verify the listed timeout values are 15 minutes or less. If on the management tool "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device "Secure lock settings" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.
Configure the Samsung Android devices to lock the device display after 15 minutes (or less) of inactivity. On the management tool, in the device password policies, set "max time to screen lock" to "15 minutes" or less. A device password must be set for "max time to screen lock" to become active.
Review the configuration to determine if the Samsung Android devices are disabling face recognition. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool in the device restrictions, verify "Face recognition" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Verify "Face" is disabled and cannot be enabled. If on the management tool "Face recognition" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.
Configure the Samsung Android devices to disable face recognition. On the management tool, in the device restrictions, set "Face recognition" to "Disable".
Review the configuration to determine if the Samsung Android devices are disabling Trust Agents. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Trust Agents" are set to "Disable". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Trust agents. 2. Verify all listed Trust Agents are disabled and cannot be enabled. If a Trust Agent is not disabled in the list, verify for that Trust Agent, all of its listed Trustlets are disabled and cannot be enabled. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" or "Trustlet" can be enabled, this is a finding. Note: If the management tool has been correctly configured but a Trust Agent is still enabled, configure the "List of approved apps listed in managed Google Play" to disable it; refer to KNOX-14-110190. Exception: Trust Agents may be used if the Authorizing Official (AO) allows a screen lock timeout after four hours (or more) of inactivity. This may be applicable to tactical use case.
Configure the Samsung Android devices to disable Trust Agents. On the management tool, in the device restrictions, set "Trust Agents" to "Disable".
Review the configuration to determine if the Samsung Android devices are disabling backup to remote systems (including commercial clouds). This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions section, verify "Backup service" is set to "Disable". On the Samsung Android device: 1. Open Settings >> Accounts and backup. 2. Verify any backup service listed cannot be configured to back up data. If on the management tool "Backup service" is not set to "Disable", or on the Samsung Android device a listed backup service can be configured to back up data, this is a finding.
Configure the Samsung Android devices to disable backup to remote systems (including commercial clouds). On the management tool, in the device restrictions, set "Backup service" to "Disable".
Review the configure to determine if the Samsung Android devices are disabling developer modes. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Debugging Features" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> About phone >> Software information. 2. Tap on the Build Number to try to enable Developer Options and validate that action is blocked. If on the management tool "Debugging Features" is not set to "Disallow" or on the Samsung Android device "Developer options" action is not blocked, this is a finding.
Configure the Samsung Android devices to disable developer modes. On the management tool, in the device restrictions, set "Debugging Features" to "Disallow".
Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are paired only with devices that support HSP, HFP, SPP, A2DP, AVRCP, and PBAP Bluetooth profiles. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions section, verify "Bluetooth" is set to the AO-approved selection: "Allow" if the AO has approved the use of Bluetooth or "Disallow" if the AO has not approved its use. On the Samsung Android device: 1. Open Settings >> Connections >> Bluetooth. 2. Verify all listed paired Bluetooth devices use only authorized Bluetooth profiles. If on the management tool "Bluetooth" is not set to the AO-approved value, or the Samsung Android device is paired with a device that uses unauthorized Bluetooth profiles, this is a finding.
Configure the Samsung Android devices to disable Bluetooth, or if the AO has approved the use of Bluetooth (for example, for hands-free use), train users to only pair devices that support HSP, HFP, SPP, A2DP, AVRCP, and PBAP profiles. On the management tool, in the device restrictions section, set "Bluetooth" to the AO-approved selection: "Allow" if the AO has approved the use of Bluetooth or "Disallow" if the AO has not approved its use. The user training requirement is satisfied in requirement KNOX-14-110300.
Review the configuration to determine if the Samsung Android devices are either enabling data-at-rest protection for removable media or disabling their use. This requirement is not applicable for devices that do not support removable storage media. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Mount physical media" is set to "Disallow". On the Samsung Android device, verify that a microSD card cannot be mounted. The device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files. If on the management tool "Mount physical media" is not set to "Disallow", or on the Samsung Android device a microSD card can be mounted, this is a finding.
Configure the Samsung Android devices to enable data-at-rest protection for removable media, or alternatively, disable their use. This requirement is not applicable for devices that do not support removable storage media. On the management tool, in the device restrictions, set "Mount physical media" to "Disallow". This disables the use of all removable storage, e.g., microSD cards, USB thumb drives, etc. If the deployment requires the use of microSD cards, Knox Platform for Enterprise (KPE) can be used to allow them in a STIG-approved configuration. In this case, do not configure this policy, and instead replace with KPE policy (innately by the management tool or via Knox Service Plugin [KSP]) "Enforce external storage encryption" with value "enable".
Review the configuration to determine if the Samsung Android devices are disabling USB mass storage mode. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "USB file transfer" has been set to "Disallow". On the Samsung Android device, from the "USB for file transfer" notification, verify a "File Transfer" is not an option. If on the management tool "USB file transfer" is not set to "Disallow", or on the Samsung Android device a "File Transfer" is an option, this is a finding.
Configure the Samsung Android devices to disable USB mass storage mode. On the management tool, in the device restrictions, set "USB file transfer" to "Disallow". DeX drag and drop file transfer capabilities will be prohibited, but all other DeX capabilities remain usable.
Verify requirement KNOX-14-110140 (disallow USB file transfer) has been implemented. If disallow USB file transfer has not been implemented, this is a finding.
Ensure USB file transfer has been disallowed (refer to requirement KNOX-14-110140).
Review the configuration to determine if the Samsung Android devices are enabling authentication of personal hotspot connections to the device using a preshared key. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Configure tethering" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Connections. 2. Verify "Mobile Hotspot and Tethering" is grayed out. If on the management tool "Configure tethering" is not set to "Disallow", or on the Samsung Android device "Mobile Hotspot and Tethering" is not grayed out, this is a finding.
Configure the Samsung Android devices to enable authentication of personal hotspot connections to the device using a preshared key. On the management tool, in the device restrictions, set "Configure tethering" to "Disallow". If the deployment requires the use of Mobile Hotspot and Tethering, Knox Platform for Enterprise (KPE) policy can be used to allow its use in a STIG-approved configuration. In this case, do not configure this policy and instead replace with KPE policy (innately by the management tool or via Knox Service Plugin [KSP]) "Allow open Wi-Fi connection" with value "Disable" and add Training Topic "Don't use Wi-Fi Sharing". (Refer to Supplemental document for additional information.)
Review the configuration to determine if the Samsung Android devices disallow users from changing the date and time. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Configure Date/Time" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> General management >> Date and time. 2. Verify "Automatic data and time" is on and the user cannot disable it. If on the management tool "Configure Date/Time" is not set to "Disallow", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.
Configure the Samsung Android devices to disallow users from changing the date and time. On the management tool, in the device restrictions, set "Configure Date/Time" to "Disallow".
Review the configuration to determine if the Samsung Android devices have the DOD root and intermediate PKI certificates installed. This validation procedure is performed on both the management tool and the Samsung Android device. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the device policy management, verify the DOD root and intermediate PKI certificates are installed. On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the User tab, verify the DOD root and intermediate PKI certificates are listed in the device. If on the management tool the DOD root and intermediate PKI certificates are not listed in the device, or on the Samsung Android device the DOD root and intermediate PKI certificates are not listed in the device, this is a finding.
Install the DOD root and intermediate PKI certificates into the Samsung Android devices. The current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet). On the management tool, in the device policy management, install the DOD root and intermediate PKI certificates.
Review the configuration to determine if the Samsung Android devices are allowing users to install only applications that have been approved by the Authorizing Official (AO). This validation procedure is performed only on the management tool. On the management tool, in the app catalog for managed Google Play, verify only AO-approved apps are available. If on the management tool the app catalog for managed Google Play includes non-AO-approved apps, this is a finding.
Configure Samsung Android devices to allow users to install only applications that have been approved by the AO. In addition to any local policy, the AO must not approve applications that have certain prohibited characteristics. These are covered in KNOX-14-110200. On the management tool, in the app catalog for managed Google Play, add each AO-approved app to be available. Note: Managed Google Play is an allowed App Store.
Verify requirement KNOX-14-110190 (managed Google Play) has been implemented. If managed Google Play has not been implemented, this is a finding.
The Authorizing Official (AO) must not approve applications with the following characteristics for installation by users on the device: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers. Implement managed Google Play (refer to requirement KNOX-14-110190).
Review the configuration to determine if the Samsung Android devices are not displaying (Work Environment) notifications when the device is locked. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device restrictions section, verify "Unredacted Notifications" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Notifications. 2. Verify "Lock screen notifications" menu is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Notifications" menu is not disabled, this is a finding.
Configure the Samsung Android devices to not display (Work Environment) notifications when the device is locked. On the management tool, in the device restrictions section, set "Unredacted Notifications" to "Disallow".
Review the configuration to determine if the Samsung Android devices are enabling audit logging. This validation procedure is performed on the management tool only. On the management tool, in the device restrictions, verify "Security logging" is set to "Enable". If on the management tool "Security logging" is not set to "Enable", this is a finding.
Configure the Samsung Android devices to enable audit logging. On the management tool, in the device restrictions section, set "Security logging" to "Enable".
Review the configuration to determine if the Samsung Android devices are preventing users from adding personal email accounts to the work email app. On the management tool, in the device restrictions section, verify "Modify accounts" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Accounts and backup >> Manage accounts. 2. Verify no account can be added. If on the management tool "Modify accounts" is not set to "Disallow", or on the Samsung Android device an account can be added, this is a finding.
Configure the Samsung Android devices to prevent users from adding personal email accounts to the work email app. On the management tool, in the device restrictions, set "Modify accounts" to "Disallow".
Verify requirement KNOX-14-110230 (disallow modify accounts) has been implemented. If disallowing modify accounts has not been implemented, this is a finding.
Disallow modify accounts (refer to requirement KNOX-14-110230).
Review the configuration to determine if the Samsung Android devices are preventing users from removing DOD root and intermediate PKI certificates. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Configure credentials" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> View security certificates. 2. In the System tab, verify no listed certificate in the device can be untrusted. 3. In the User tab, verify no listed certificate in the device can be removed. If on the management tool in the device restrictions "Configure credentials" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.
Configure the Samsung Android devices to prevent users from removing DOD root and intermediate PKI certificates. On the management tool, in the device restrictions, set "Configure credentials" to "Disallow".
Review the configuration to determine if the Samsung Android devices are disabling unauthorized application repositories. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "installs from unknown sources globally" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Security and privacy >> More security settings >> Install unknown apps. 2. Verify each app listed has the status "Disabled" under the app name or that no apps are listed. If on the management tool "installs from unknown sources globally" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding.
Configure the Samsung Android devices to disable unauthorized application repositories. On the management tool, in the device restrictions, set "installs from unknown sources globally" to "Disallow". Note: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.
Review the configuration to determine if the Samsung Android devices are enabling CC mode. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Common Criteria mode" is set to "Enable". On the Samsung Android device, put the device into "Download mode" (press and hold down the Home + Power + Volume Down buttons at the same time) and verify the text "Blocked by CC Mode" is displayed on the screen. If on the management tool "Common Criteria mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.
Configure the Samsung Android devices to enable CC mode. On the management tool, in the device restrictions, set "Common Criteria mode" to "Enable".
Verify requirement KNOX-14-110280 (Common Criteria mode) has been implemented. If "Common Criteria mode" has not been implemented, this is a finding.
Implement "Common Criteria mode" (refer to requirement KNOX-14-110280).
Review a sample of site User Agreements for Samsung device users or similar training records and training course content. Verify Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. If any Samsung device user has not completed required training, this is a finding.
Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record. Training topics: - Operational security concerns introduced by unmanaged applications/unmanaged personal space, including applications using global positioning system (GPS) tracking. - Need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email). - If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and report any loss of control so that the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device handoff. Follow mobility service provider decommissioning procedures as applicable. - How to configure the following UBE controls (users must configure the control) on the Samsung device: 1. Secure use of Calendar Alarm. 2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use). 3. Do not connect Samsung devices (via either DeX Station or dongle) to any DOD network via Ethernet connection. 4. Do not upload DOD contacts via smart call and caller ID services. 5. Disable Wi-Fi Sharing. 6. Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space. - AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.
Review the configuration to confirm the Samsung Android devices have the most recently released version of Samsung Android installed. This procedure is performed on both the management tool and the Samsung Android device. In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. Refer to the notes below to determine the latest available OS version. On the Samsung Android device, to determine the installed OS version: 1. Open Settings. 2. Tap "About phone". 3. Tap "Software information". If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding. Note: Some wireless carriers list the version of the latest Android OS release by mobile device model online: ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung Verizon Wireless: https://www.verizonwireless.com/support/software-updates/ Google Android OS patch website: https://source.android.com/security/bulletin/ Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb
Install the latest released version of Samsung Android OS on all managed Samsung devices. Note: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).
Review the configuration to confirm that revocation checking is enabled. Verify the revocation checklist is set to "All Applications". This procedure is performed on the management tool. On the management tool: 1. Open "Certificates Policy >> Revocation" section. 2. Select "Get CRL". 3. Verify Toast message "Get revocation check: true". If on the management tool the revocation check is disabled, this is a finding.
Configure the Samsung Android devices to enable CRL revocation checks for all applications. On the management tool, in the Certificate Policy restrictions, enable "Revocation Checks" for "All Applications".
Verify requirement KNOX-14-110160 ("Disallow config tethering") has been implemented. If "Disallow config tethering" has not been implemented, this is a finding.
Implement "Disallow config tethering" (refer to requirement KNOX-14-110160).
Review the configuration to confirm the system application disable list is enforced. This setting is enforced by default. Verify that only approved system apps have been placed on the core allowlist. This procedure is performed on the management tool. Review the system app allowlist and verify only approved apps are on the list. On the management tool: 1. Open "Apps management" section. 2. Select "Unhide apps". 3. Verify names of apps are listed. If on the management tool the system app allowlist contains unapproved core apps, this is a finding.
Configure the Samsung Android 14 device to enforce the system application disable list. The required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance: On the management tool: 1. Open "Apps management" section. 2. Select "Hide apps". 3. Enter names of apps to hide. Configure a list of approved Samsung core and preinstalled apps in the core app allowlist.
Review the managed Samsung Android 14 configuration settings to confirm that no third-party keyboards are enabled. This procedure is performed on the management tool. On the management tool: 1. Open "Input methods". 2. Tap "Set input methods". 3. Verify only the approved keyboards are selected. If third-party keyboards are allowed, this is a finding.
Configure the Samsung Android 14 device to disallow the use of third-party keyboards. On the management tool: 1. Open "Input methods". 2. Tap "Set input methods". 3. Select only the approved keyboard. Additionally, Administrators can configure application allowlists for Google Play that do not have any third-party keyboards for user installation.
Review the device configuration to confirm the USB port is disabled except for charging the device. On the management tool: Verify "Enable USB data signaling" is toggled to "OFF". If on the management tool the USB port is not disabled, this is a finding.
Configure Samsung Android 14 device to disable the USB port (except for charging the device). On the management tool: Toggle "Enable USB data signaling" to "OFF".
Review the management tool to confirm Phone Hub has been disabled. On the management tool: 1. Open "Nearby notification streaming policy". 2. Verify "Nearby notification streaming policy" is set to "Disabled". 3. Open "Nearby app streaming policy". 4. Verify "Nearby app streaming policy" is set to "Disabled". If on the management tool the "Nearby Streaming Policy" is not set to "Disabled", this is a finding. Note: From a Chromebook, if a device is connected to the Phone Hub, try to set up the Notifications. It will fail to connect to the device to complete the setup if Phone Hub has been disabled on the DOD Android device.
Configure the Samsung Android 14 device to disable the nearby notification and app streaming policy to disable Phone Hub. On the management tool: 1. Open "Nearby notification streaming policy". 2. Set "Nearby notification streaming policy" to "Disabled". 3. Open "Nearby app streaming policy". 4. Set "Nearby app streaming policy" to "Disabled".
Review the configuration to determine if the Samsung Android devices are disallowing Wi-Fi Direct. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the user restrictions, verify "Wi-Fi Direct" has been set to "Disallow". On the Samsung Android device: 1. Open Settings >> Connections >> Wi-Fi. 2. From the hamburger menu, select Wi-Fi Direct. 3. Verify no available devices are listed. If on the management tool "Wi-Fi Direct" is not set to "Disallow", or on the Samsung Android device a Wi-Fi direct device is listed that can be connected to, this is a finding.
Configure the Samsung Android devices to disallow Wi-Fi Direct. On the management tool, in the user restrictions, set "Wi-Fi Direct" to "Disallow". Wi-Fi direct connections and pairing between devices will become unavailable.