Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
Configure the mobile operating system to use a FIPS 140-2 validated cryptographic module. Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Storage Encryption" check box in the "Android Restrictions" rule. (**) 2. Verify the "Storage Encryption" check box is selected. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed. 4. Select "Encrypt external SD card". 5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen. Note: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen. If the specified encryption settings are not set to the appropriate values, this is a finding. (**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.
Configure the MOS to enable data-at-rest protection for built-in storage media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, check the "Storage Encryption" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Storage Encryption" and "External Storage Encryption" check box in the "Android Restrictions" rule. (**) 2. Verify the "Storage Encryption" and "External Storage Encryption" check box are selected. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed. 4. Select "Encrypt external SD card". 5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen. Note: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen. If the specified encryption settings are not set to the appropriate values, this is a finding. (**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.
Configure the MOS to enable data-at-rest protection for removable media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, select the "Storage Encryption" and "External Storage Encryption" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen". 3. Select "Screen lock". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password with fewer characters than the required length. 7. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length or if device accepts a password of less than the required length, this is a finding. (**) When device encryption is enabled, Samsung Knox for Android automatically enforces a minimum length 6.
Configure the MOS to enforce a minimum password length of 6 characters. On the MDM Administration Console, set the "Min Length" value to 6 or greater in the "Android Password Restrictions" rule. (**) When device encryption is enabled (always enabled by the DoD configuration), Samsung Knox for Android automatically enforces a minimum length 6.
This validation procedure is performed only on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password. 2. Verify the value of the setting is 10 or less. This configuration is not available on the Samsung Knox for Android device. If the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password is not set to 10 or less, this is a finding.
Configure the MOS to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to 10 or less in the "Android Password Restrictions" rule for the device unlock password.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Password Restrictions" rule. 2. Verify the value of the setting is 15 minutes or less. On the Samsung Knox for Android device: 1. Unlock the device. 2. Refrain from performing any activity on the device for 15 minutes. 3. Verify the device requires the user to enter the device unlock password to access the device. Note: Max time to lock is the sum of the display screen timeout and the lock screen delay on the device. On MDM configuration, the device makes a choice for these settings so that the sum is 15 minutes or less. If the user does not have to unlock the device after 15 minutes of inactivity, this is a finding.
Configure the MOS to lock the device display after 15 minutes (or less) of inactivity. On the MDM Administration Console, configure the "Max Time to Lock" option to 15 minutes in the "Android Password Restrictions" rule.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is the organization-defined value (15 min) or less. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Refrain from using the Knox Container for 15 min. 3. Verify the selected value is organization-defined value (15 min) or less. If the selected value is larger than 15 min, or if the Knox Container does not lock after 15 min, this is a finding.
Configure the OS to initiate a session lock after a time period of inactivity. Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity. On the MDM Console, set the "Max Time to Lock" to organization-defined value (15 min) in the "Android Knox Container -> Container Password Restrictions" rule.
Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the first of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Google Play" setting in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox for Android device: 1. Attempt to locate the "Google Play" application. 2. Verify it is not present on the device. If the "Enable Google Play" is not disabled, or if a user can successfully launch Google Play on the device, this is a finding.
Configure the MOS to disable unauthorized application repositories. Configure the OS to disable Google Play. On the MDM Administration Console, disable "Enable Google Play" in the "Android Restrictions" rule.
Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Unknown Sources" settings in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Attempt to enable "Unknown sources". 4. Verify it cannot be enabled. If the "Enable Google Play" setting is not disabled, or if a user can successfully enable "Unknown sources" on the device, this is a finding.
Configure the MOS to disable unauthorized application repositories. Configure the mobile operating system to disable application installations from unknown sources. On the MDM Administration Console, disable "Allow Unknown Sources" in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of white-listed applications in the "Android Applications" rule. 2. Verify the list of white-listed applications has been approved by the Approving official (AO). Note: Refer to the Supplemental document for additional information. Note: This list can be empty if no applications have been approved. If any of the applications on white-listed applications on the MDM Administration Console have not been approved by the AO, this is a finding.
Configure the MOS to use an application whitelist. On the MDM Administration Console, configure the list of white-listed applications in the "Android Applications" rule and ensure only AO-approved applications are on the list. Note: This list can be empty if no applications have been approved. Note: Refer to the Supplemental document for additional information.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Disable Developer Mode" settings in the "Android Restrictions" rule. 2. Verify that the "Disable Developer Mode" setting is enabled. Note: Disabling Developer Mode will also disable USB Debugging and Mock locations. On the Samsung Knox for Android Device: 1. Open the device settings. 2. Select "Developer options". (**) 3. Attempt to enable "Developer options". If the "Disable Developer Mode" setting in the MDM console is disabled, or if the user is able to enable "Developer options" on the device, this is a finding. Note: The "Developer Modes" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables developer modes on the mobile device. (**) "Developer options" is initially hidden to users. To unhide this menu item, 1. Open the device settings. 2. Select "About phone". 3. Rapidly tap on "Build number" multiple times until device displays the developer options menu item.
Configure the MOS to disable developer modes. Configure the platform to disable Developer Mode. On the MDM Administration Console, enable the "Disable Developer Mode" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet). Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule. 2. Verify the DoD root and intermediate PKI certificates are present. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Security". 3. Select "Trusted Credentials". 4. Review Certificate Authorities listed under the "System" and "User" tabs. 5. Verify the presence of the DoD root and intermediate certificates. If the DoD root and intermediate certificates are not present in the MDM Console whitelist or on the device, this is a finding.
Install DoD root and intermediate certificates on the device. On the MDM Console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the "Android Certificate Configuration" rule. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow New Admin Install" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. Note: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM. Note: Android Device Manager must be deactivated if activated in order for this rule to be enforced on the device. This can only be done manually on the device by going to Settings >> Security >> Other security settings >> Phone adminstrators and checking that the setting is off for Android Device Manager. On the Samsung Knox for Android device: 1. Attempt to install an application that requires admin permissions. 2. Verify that the application is blocked from being installed. If the "Allow New Admin Install" setting in the MDM console is enabled, or if the user is able to install another application requiring admin permissions on the device, this is a finding.
Configure the mobile operating system to disallow new admin installations. On the MDM Administration Console, disable the "Allow New Admin Install" setting in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Applications" rule. 2. Verify the setting is configured to include all applications (specified by the wildcard string ".*"). If the "Application install blacklist" setting in the MDM console does not include all applications, this is a finding.
Configure the mobile operating system to add all applications to the install blacklist. On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Applications" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed (core) applications not approved for DoD use by the Approving Official (AO). Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding. Note: Core applications are pre-installed on the device and include applications integrated into the Android OS by Google and applications added to the OS load by Samsung or by the carrier.
Configure the MOS application whitelist to exclude applications with the following characteristics: -all pre-installed (core) applications not approved for DoD use by the Approving Official (AO). Configure the mobile operating system to disable pre-installed applications not approved for DoD use. On the MDM Administration Console, add all pre-installed applications not approved for DoD to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed applications which allow synchronization of data or applications between devices associated with user. Note: The following applications are known to be pre-installed applications which allow synchronization of data or applications between devices associated with user, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote. Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Configure the MOS application whitelist to exclude applications with the following characteristics: -allows synchronization of data or applications between devices associated with user Configure the mobile operating system to disable all pre-installed applications which allow synchronization of data or applications between devices associated with user. On the MDM Administration Console, add all pre-installed applications which allow synchronization of data or applications between devices associated with user to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed payment processing applications. Note: The following applications are known to be pre-installed payment processing applications, but other applications can be found on other devices: Wallet, Isis Wallet, Softcard. Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Configure the MOS application whitelist to exclude applications with the following characteristics: -payment processing Configure the mobile operating system to disable pre-installed payment processing applications. On the MDM Administration Console, add all pre-installed payment processing applications to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule. 2. Verify the list contains all pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services). Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote. Note: The following applications allows a user to configure a Samsung Account on the device which allows the user to backup files (including S Health data) to Samsung servers, as well as download applications from Samsung Apps (Galaxy Apps) store: Samsung Account application. Note: Refer to the Supplemental document for additional information. If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Configure the MOS application whitelist to exclude applications with the following characteristics: -backup MD data to non-DoD cloud servers (including user and application access to cloud backup services) Configure the mobile operating system to disable pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services). On the MDM Administration Console, add all pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services) to the "Application disable list" setting in the "Android Applications" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Google Backup" and "Google Auto Sync" settings in the "Android Restrictions" rule. 2. Verify the settings are disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Backup and reset". 3. Verify "Back up my data" is disabled and cannot be enabled. and 1. Open the device settings. 2. Select Accounts. 3. Configure a Google account. 4. Select the configured Google account. 5. Verify that all sync check boxes are unselected. If the "Allow Google Backup" or “Google Auto Sync" setting is enabled, or if the user is able to enable the settings on the device, or if the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.
Configure the MOS to disable backup to remote systems (including commercial clouds). Configure the mobile device to disable backups to Google servers, disable Google Auto Sync, and disable all pre-installed public cloud backup applications. On the MDM Administration Console, disable the "Allow Google backup" and "Google Auto Sync" settings in the "Android Restrictions" rule.
Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the first of these steps. This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Google Crash Report" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. If the "Google Crash Report" configuration in the MDM console is enabled, this is a finding.
Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the mobile operating system to disable Google Crash Report. On the MDM Administration Console, disable the "Google Crash Report" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "USB host storage" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Connect a Micro USB to USB OTG adaptor to the device. 2. Connect a USB thumb drive to the adaptor. 3. Verify the device cannot access the USB thumb drive. If the "USB host storage" configuration in the MDM console is enabled, or if the user is able to access the USB thumb drive from the device, this is a finding.
Configure the mobile operating system to disable USB host storage. On the MDM Administration Console, disable the "USB host storage" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android Password Restrictions" rule. 2. Verify the value of the setting is the same or less than the required length. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen". 3. Select "Screen lock". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length. 7. Verify the password is not accepted. If the configured values of the "Max Sequential Character" and "Max Sequential Number" settings are greater than the required length, or if device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding. Note: On some MDM servers there may only be one configuration setting ("Max Sequential Characters") since this API actually disables both sequential and repeating characters.
Configure the MOS to prevent passwords from containing more than two repeating or sequential characters. On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to 2 in the "Android Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow multi-user mode" settings in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Attempt to add a user in the "User" setting. 3. Verify that the "User" setting is not available or verify that a new user cannot be added and set up. If the "Allow multi-user mode" setting is enabled, or if the user is able to add a user and set up a new user, this is a finding.
Configure the mobile operating system to disable multi-user modes. On the MDM Administration Console, disable the "Allow multi-user mode" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable S Voice" settings in the "Android Restrictions" rule. 2. Verify the value is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Applications". 3. Verify the S Voice application cannot be selected. If the "Enable S Voice" setting is enabled, or if the S Voice application can be launched or configured, this is a finding.
Configure the operating system to disable S Voice. On the MDM Administration Console, disable the "Enable S Voice" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow NFC" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open device settings. 2. Select "NFC". 3. Verify the setting is disabled. If the "Allow NFC" configuration in the MDM console is enabled, or if the setting is enabled on the device, this is a finding.
Configure the mobile operating system to disable NFC. On the MDM Administration Console, disable the "Allow NFC" setting in the "Android Restrictions" rule.
This validation procedure is performed on the Samsung Knox for Android device. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Nearby devices". 3. Verify this is disabled. If setting is enabled and cannot be disabled, this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
Configure the mobile operating system to disable nearby devices.
This validation procedure is performed on both the MDM Administration Console and the PC. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" check box in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" check box is selected. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES). On the Samsung Knox for Android device: 1. Connect the device to a PC USB connection. Note: Do not use a DoD network-managed PC for this test! On the PC: 1. Verify the device is not shown in the PC finder. If the specified setting is not set to the appropriate value, or if the device is shown in the PC finder, this is a finding.
Configure the MOS to disable USB mass storage mode. On the MDM Administration Console, select the "Disable USB Media Player" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow FOTA" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open device settings. 2. Select "About device". 3. Attempt to select "Software update". Note: Location of this menu can vary between models. If the "Allow FOTA" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding. Note: After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA.
Configure the mobile operating system to disable automatic updates of system software. Configure the mobile operating system to disable FOTA. On the MDM Administration Console, disable the "Allow FOTA" setting in the "Android Restrictions" rule.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Notifications on lock screen" settings in the "Android Restrictions" rule. 2. Verify that the "Hide content" or "Do not show notification" setting is enabled and "Show content" setting is disabled. On the Samsung Knox for Android Device: 1. Open the device settings. 2. Select "Notifications". 3. Select "Notifications on lock screen". 4. Attempt to enable "Show content". If the "Show content" setting in the MDM console is enabled, or if the user is able to enable "Show content" on the device, this is a finding.
Configure the MOS to not display notifications when the device is locked. Configure the platform to disable notifications on the lock screen or hide notification details on the lock screen. On the MDM Administration Console, enable the "Hide content" or "Do not show notification" and disable "Show content" in the "Notifications on lock screen" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the PC. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" check box in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" check box is selected. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES). On the Samsung Knox for Android device: 1. Connect the device to a PC USB connection. Note: Do not use a DoD network-managed PC for this test! On the PC: 1. Install and launch Samsung KIES on the PC. 2. Verify the device does not connect with the Samsung KIES program. If the specified setting is not set to the appropriate value, or if the device is connects with the Samsung KIES program, this is a finding.
Configure the MOS to disable backup to locally connected systems. Configure the mobile operating system to disable USB KIES. On the MDM Administration Console, select the "Disable USB Media Player" check box in the "Android Restrictions" rule. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES).
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of configured VPN profiles in the "VPN profiles" rule. 2. Verify the list includes the organization VPN profile. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "More connection settings". 3. Select "VPN". 4. Verify the list includes the organization VPN profile. If the organization VPN profile is not included in either list, this is a finding.
Configure the MOS to enable VPN protection. Configure the mobile operating system with the organization VPN profile. On the MDM Administration Console, configure the organization VPN profile in the "VPN profiles" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the settings are Alphanumeric. 3. Ask the MDM administrator to display the "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Lock screen type". 4. Verify "Swipe", "Pattern", "PIN", "Fingerprints", "None" are disabled (grayed out) and cannot be enabled. If Fingerprint for Lock screen authentications enabled, or if Minimum Password Complexity is not configured to Alphanumeric, or if the user is able to enable the settings on the device, this is a finding.
Configure the MOS to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data Configure the mobile operating system to configure Minimum Password Complexity and disable finger print for the lock screen password. On the MDM Administration Console, configure "Minimum Password Complexity" to Alphanumeric and disable "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule.
Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
Configure the mobile operating system to disable VPN split-tunneling (if the MD provides a configurable control). Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.
Note: This validation procedure is identical to the one for KNOX-39-015400. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs. This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android Knox Container" rule. 2. Verify the existence of this rule. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung Knox for Android device: 1. From the device home screen, pull down the notification bar. 2. Verify the existence of the KNOX icon. 3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM Administrator cannot configure the "Android Knox Container" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.
On the MDM Administration Console, create the "Android Knox Container" rule and push this rule to the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Admin Remove" settings in the "Android Restrictions" rule. 2. Verify the value is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Other security settings". 4. Select "Device administrators". 5. Verify the enterprise MDM agent is on and cannot be turned off. If the "Allow Admin Remove" setting is enabled, or if the MDM agent on the device can be turned off, this is a finding.
Configure the operating system to disable admin removal by the user. On the MDM Administration Console, disable the "Allow Admin Remove" setting in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Certificate Revocation Status (CRL) Check" settings in the "Android Restrictions" rule. 2. Verify the value is enabled and configured for all applications. If the setting is disabled, this is a finding.
Configure the operating system to configure certification revocation status checking (CRL). On the MDM Administration Console, "Enable Certificate Revocation Status (CRL) Check" settings for all applications in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the settings are Alphanumeric. 3. Ask the MDM administrator to display the "Enable Smart Lock" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Secure lock settings". 4. Verify "Smart Lock" is disabled (grayed out) and cannot be enabled. If "Smart Lock" is enabled or if the user is able to enable the settings on the device, this is a finding.
Configure the MOS to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data Configure the mobile operating system to disable Smart Lock. On the MDM Administration Console, disable "Enable Smart Lock" setting in the "Android Restrictions" rule.
Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the second of these steps. This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Knox License" settings in the "Knox Management" rule. 2. Verify the correct DoD-issued Knox license is configured. If the correct DoD-issued Knox license is not configured in the "Knox License" setting this is a finding.
Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the DoD-issued Knox license. On the MDM Administration Console configure the DoD-issued Knox license in the "Knox Management" rule.
Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the third of these steps. This validation procedure is performed on the Samsung Knox for Android device. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Privacy and safety" or "About device". 3. Verify Report diagnostic info setting is not checked. If the setting is checked (enabled), this is a finding. (Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.)
Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the mobile operating system to disable Report diagnostic info. On the Samsung Knox for Android device uncheck the Report diagnostic info setting.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable DoD Banner" check box and "Banner Text" field in the "Android Restrictions" rule. 2. Verify the "Enable DoD Banner" check box is selected. 3. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank. Note: The default device banner matches the required DoD banner. If the DoD banner is enabled without entering any text, the device will display a default text. On the Samsung Knox for Android device: 1. Reboot the device. 2. Verify the device displays the DoD banner. 3. Verify the DoD banner is set to one of the authorized messages. If the specified setting is not set to the appropriate value, or the device does not display the DoD banner on reboot, this is a finding.
Configure the MOS to display the DoD-mandated warning banner text. On the MDM Administration Console, select the "Enable DoD Banner" check box, and enter the correct text in the "Banner Text" field in the "Android Restrictions" rule. (**) On some MDM vendor consoles, the logon banner automatically is displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule. 2. Verify the check box is selected. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "Date and time". 3. Verify the "Automatic date and time" check box is checked. 4. Verify a user cannot deselect the "Automatic date and time" check box. If either the "Disable Manual Date Time Changes" check box is not checked on the MDM administration console; or the "Automatic date and time" check box is not selected on the device; or if it is possible to deselect this option on the device, this is a finding.
Configure the mobile operating system to synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System. On the MDM Console, select the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Select "Change password". 4. Enter current password. 5. Attempt to enter a password with fewer characters than the required length. 6. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length, or if Samsung Knox for Android accepts a container password with fewer characters than the required length, this is a finding. Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device. The use of a password to move between container and personal areas is only required if the password is needed to provide data separation between the two processing environments. For the Samsung devices, the password is required to enable the container and implement data separation.
Configure the mobile device to enforce a minimum password length of 4 characters. On the MDM Console, set the "Min Length" value to 4 or greater in the "Android Knox Container -> Container Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Export Calendar to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Select "Knox Settings". 3. Select "Share data". 4. Verify "Export to Personal Mode - Calendar" is disabled and attempt to enable this setting. If the "Allow Export Calendar to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable sharing of calendar information outside the container. On the MDM Administration Console, disable the "Allow Export Calendar to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on the MDM Administration Console only. Check whether the device lock screen setting is configured on the MDM server. 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is 10 or less. If there is no value configured for the "Maximum Failed Attempts" field, or if it is greater than 10, this is a finding.
Configure the mobile operating system to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to the organization-defined value in the "Android Knox Container -> Container Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Export Contact to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Select "Knox Settings". 3. Select "Share data". 4. Verify "Export to Personal Mode - Contact" is disabled and attempt to enable this setting. If the "Allow Export Contact to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable sharing of contact information outside the container. On the MDM Administration Console, disable the "Allow Export Contact to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Show detailed notifications" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Select "Knox Settings". 3. Verify "Show detailed notifications" is disabled and attempt to enable this setting. If the "Allow Show detailed notifications" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable sharing of notification details outside the container. On the MDM Administration Console, disable the "Allow Show detailed notifications" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android Knox Container" rule. 2. Verify the existence of this rule. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung Knox for Android device: 1. From the device home screen, pull down the notification bar. 2. Verify the existence of the KNOX icon. 3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM Administrator cannot configure the "Android Knox Container" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.
On the MDM Administration Console, create the "Android Knox Container" rule and push this rule to the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled. On the Samsung Knox for Android device: 1. Open the device settings. 2. Select "About Device". 3. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Bluetooth Profiles" settings in the "Android Restrictions" rule. 2. Verify the only profiles allowed are HSP, HFP, and SPP. On the Samsung Knox for Android device: 1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard). 2. Verify the Bluetooth peripheral does not pair with the Samsung Knox for Android device. If the Bluetooth profiles other than HSP, HFP, and SPP are configured to be allowed, or if the device is able to pair with a Bluetooth keyboard, this is a finding.
Configure the MOS to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-free Profile), and SPP (Serial Port Profile). On the MDM Administration Console, configure the "Bluetooth Profiles" setting to only allow HSP, HFP, and SPP in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of white-listed applications in the "Android Knox Container -> Container Applications" rule. 2. Verify the list of white-listed applications have been approved by the Approving official (AO). Note: Refer to the Supplemental document for additional information. Note: This list can be empty if no applications have been approved. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Attempt to install an application that is not in the application whitelist. If any of the applications on white-listed applications on the MDM Administration Console have not been approved by the AO, or the device allows the user to successfully install the application, this is a finding.
Configure the mobile device to use an application whitelist. On the MDM Administration Console, configure the list of white-listed applications in the "Android Knox Container -> Container Applications" rule and ensure only AO-approved applications are on the list. Note: This list can be empty if no applications have been approved. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Knox Container -> Container Application" rule. 2. Verify the setting is configured to all applications (specified by the wildcard string ".*"). On the Samsung Knox for Android device: 1. Attempt to install any application that is not configured in the application install whitelist. 2. Verify that the application is blocked from being installed. If the "Application install blacklist" configuration in the MDM console has the wrong value, or if the user is able to install the application, this is a finding.
Configure the mobile operating system to add all applications to the install blacklist. On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Knox Container -> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Move Applications to Container" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Verify "Select apps to install" cannot be selected. If the "Move Applications to Container" configuration in the MDM console is enabled, or if the user is able to select "Select apps to install", this is a finding.
Configure the mobile operating system to disable Move Applications to Container. On the MDM Administration Console, disable the "Move Applications to Container" setting in the "Android Knox Container -> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Move Files from Container to Personal" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "My Files" application. 3. Select a file by long pressing a selection. 4. Select settings. 5. Select "Move to Personal mode". 6. Verify that this operation is blocked. If the "Move Files from Container to Personal" configuration in the MDM console is enabled, or if the user is able to successfully move the selected file to the personal space, this is a finding.
Configure the mobile operating system to disable Move Files from Container to Personal. On the MDM Administration Console, disable the "Move Files from Container to Personal" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Knox Container -> Container Application" rule. 2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Approving Official (AO). Note: Refer to the Supplemental document for additional information. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Attempt to launch an application that is included on the disable list. Note: This application should not be visible. If the "Application disable list" configuration in the MDM console does not contain all core and pre-installed applications not approved by DoD, or if the user is able to successfully launch an application on this list, this is a finding. Note: Core applications are apps installed in the operating system by the OS developer. In addition, third-party pre-installed apps are included in the OS build by the device vendor or wireless carrier.
Configure the mobile operating system to disable all pre-installed container applications that are not DoD-approved. On the MDM Administration Console, add all pre-installed container applications that are not DoD-approved to the "Application disable list" setting in the "Android Knox Container -> Container Application" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow browser auto-fill" setting in the "Android Knox Container -> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung Knox for Android device: 1. Open the Knox container. 2. Launch the browser application. 3. Select the application's setting menu. 4. Select "Auto fill forms". 5. Verify "Auto fill forms" is disabled and attempt to enable this setting. If the "Allow browser auto-fill" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable browser auto-fill for the container browser application. On the MDM Administration Console, disable the "Allow browser auto-fill" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is the same or less than the required length. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Select "Unlock method". 4. Enter current password. 5. Select Password. 6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length. 7. Verify the password is not accepted. If the configured values of the "Max Sequential Character" and "Max Sequential Number" settings are greater than the required length, or if device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.
Configure the mobile device to enforce a password that does not contain more than two sequential or repeating characters or numbers. On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to 2 in the "Android Knox Container -> Container Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account whitelist" setting in the "Container Accounts" rule. 2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil). Note: Proper configuration of Account blacklist is required for this configuration to function correctly. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Open Settings. 3. Select Accounts. 4. Select Add account. 5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain. 6. Verify that the email account can be added. 7. Attempt to add an email account with a domain not approved by DoD. 8. Verify that the email account cannot be added. If the "Account whitelist" is not properly configured, or if the user is able to successfully configure the email account with a domain not approved by DoD, or if the user is not able to install the DoD-approved email account, this is a finding.
Configure the mobile operating system to add DoD-approved email domains to the account whitelist. On the MDM Administration Console, add all DoD-approved email domains to the "Account whitelist" setting in the "Container Accounts" rule. Note: Recommended to add ".*@mail.mil"
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account blacklist" setting in the "Container Accounts" rule. 2. Verify the setting is configured to all email domains not approved by DoD. Note: All email domains is specified by the wildcard string ".*" On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Open Settings. 3. Select Accounts. 4. Select Add account. 5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain. 6. Verify that the email account cannot be added. If the "Account blacklist" is not properly configured, or if the user is able to successfully configure the non-DoD approved email account, this is a finding.
Configure the mobile operating system to add email domains not approved by DoD to the account blacklist. On the MDM Administration Console, add all email domains not approved by DoD to the "Account blacklist" setting in the "Container Accounts" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Complexity" setting in the "Android Knox Container -> Container Password Restrictions" rule. 2. Verify the value of the setting is Alphanumeric. On the Samsung Knox for Android device: 1. Open the Knox Container. 2. Select "Knox Settings". 3. Select "Unlock method". 4. Enter current password. 5. Verify PIN and Pattern are grayed out and cannot be selected. If the configured value of the "Min Complexity" setting is not Alphanumeric, or if the user is able to select PIN or Pattern, this is a finding. Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.
Configure the mobile device to enforce a minimum password complexity of alphanumeric. On the MDM Console, set the "Min Complexity" value to Alphanumeric in the "Android Knox Container -> Container Password Restrictions" rule.