Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to Authorizing Officials (AOs).

This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule.
2. Verify the value is enabled.

Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "About Device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Verify the value of "Security software version" displays "Enforced".

If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
Configure the mobile operating system to use a FIPS 140-2 validated cryptographic module. Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application. This APK will be made available by Samsung.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Storage Encryption" check box in the "Android Restrictions" rule. (**)
2. Verify the "Storage Encryption" check box is selected.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Secure startup". (Note: On some devices, shown as "Protect encrypted data".)
4. Verify "Do not require" is grayed out and "Require password when device turns on" is selected. (Note: On some devices, shown as "Require screen lock to decrypt data when device turns on".)
5. Insert a MicroSD card into the device.
6. If the MicroSD card is not already encrypted, select "Encrypt SD card". Verify "The security policy restricts use of SD cards that are not encrypted" is displayed.
7. If the MicroSD card is encrypted, verify "Decrypt SD card" is displayed and cannot be selected.

If the specified encryption settings are not set to the appropriate values, this is a finding.

(**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.

Note: Starting with the Galaxy S7, new devices that ship with Android 6.0 will have device encryption enabled by default that cannot be disabled.
Configure the mobile operating system to enable data-at-rest protection for built-in storage media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, check the "Storage Encryption" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Storage Encryption" check box in the "Android Restrictions" rule. (**)
2. Verify the "Storage Encryption" check box is selected.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Lock screen and security".
3. Insert a MicroSD card into the device.
4. If the MicroSD card is not already encrypted, select "Encrypt SD card". Verify "The security policy restricts use of SD cards that are not encrypted" is displayed.
5. If the MicroSD card is encrypted, verify "Decrypt SD card" is displayed and cannot be selected.

If the specified encryption settings are not set to the appropriate values, this is a finding.

(**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.

Note: Starting with the Galaxy S7, new devices that ship with Android 6.0 will have device encryption enabled by default that cannot be disabled.
Configure the mobile operating system to enable data-at-rest protection for removable media. Configure the OS to encrypt all data at rest on the mobile device. On the MDM Administration Console, select the "Storage Encryption" and "External Storage Encryption" check boxes in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is the same or greater than the required length.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Screen lock type".
4. Enter current password.
5. Select "Password".
6. Attempt to enter a password with fewer characters than the required length.
7. Verify the password is not accepted.

If the configured value of the "Min Length" setting is less than the required length or if the device accepts a password of less than the required length, this is a finding.
Configure the mobile operating system to enforce a minimum password length of six characters. On the MDM Administration Console, set the "Min Length" value to "6" or greater in the "Android Password Restrictions" rule. Note: When device encryption is enabled (always enabled by the DoD configuration), Samsung KNOX for Android automatically enforces a minimum length of "6".
This validation procedure is performed only on the MDM Administration Console.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password.
2. Verify the value of the setting is 10 or less.

This configuration is not available on the Samsung KNOX for Android device.

If the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password is not set to "10" or less, this is a finding.
Configure the mobile operating system to allow only 10 or less consecutive failed authentication attempts. On the MDM Administration Console, set the "Maximum Failed Attempts" to "10" or less in the "Android Password Restrictions" rule for the device unlock password.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is 15 minutes or less.

On the Samsung KNOX for Android device:
1. Unlock the device.
2. Refrain from performing any activity on the device for 15 minutes.
3. Verify the device requires the user to enter the device unlock password to access the device.

Note: On some devices, the max time to lock is the sum of the display screen timeout setting and the secured lock time setting on the device. When configured through the MDM, the device adjusts these settings so that their sum is 15 minutes or less.

If the user does not have to unlock the device after 15 minutes of inactivity, this is a finding.
Configure the mobile operating system to lock the device display after 15 minutes (or less) of inactivity. On the MDM Administration Console, configure the "Max Time to Lock" option to 15 minutes in the "Android Password Restrictions" rule.
This check procedure is performed on both the MDM Administration Console and the Samsung KNOX device.

Check that the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android KNOX Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is the organization-defined value (15 minutes) or less.

On the Samsung KNOX for Android device:
1. Open the KNOX Container.
2. Refrain from using the KNOX Container for 15 minutes.
3. Verify the selected value is the organization-defined value (15 minutes) or less.

If the selected value is larger than 15 minutes, or if the KNOX Container does not lock after 15 minutes, this is a finding.
Configure the mobile operating system to initiate a session lock after a time period of inactivity. Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity. On the MDM Console, set the "Max Time to Lock" to the organization-defined value (15 minutes) in the "Android KNOX Container >> Container Password Restrictions" rule.
Configuring an application installation policy on Samsung KNOX for Android by specifying an application repository involves two steps:
1. Disabling Google Play
2. Disabling unknown application sources

This validation procedure covers the first of these steps. It is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

On the MDM Administration Console:
1. Ask the MDM administrator to display the "Enable Google Play" setting in the "Android Restrictions" rule (non-work environment).
2. Verify it is disabled.

On the Samsung KNOX for Android device:
1. Attempt to locate the "Google Play" application.
2. Verify it is not present on the device.

If the "Enable Google Play" is not disabled, or if a user can successfully launch Google Play on the device, this is a finding.
Configure the mobile operating system to disable unauthorized application repositories. Configure the mobile operating system to disable Google Play. On the MDM Administration Console, disable "Enable Google Play" in the "Android Restrictions" rule.
Configuring an application installation policy on Samsung KNOX for Android by specifying an application repository involves two steps:
1. Disabling Google Play
2. Disabling unknown application sources

This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

On the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Unknown Sources" settings in the "Android Restrictions" rule.
2. Verify it is disabled.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Lock screen and security".
3. Attempt to enable "Unknown sources".
4. Verify it cannot be enabled.

If the "Allow Unknown Sources" setting is not disabled, or if a user can successfully enable "Unknown sources" on the device, this is a finding.
Configure the mobile operating system to disable unauthorized application repositories. Configure the mobile operating system to disable application installations from unknown sources. On the MDM Administration Console, disable "Allow Unknown Sources" in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of whitelisted applications in the "Android Applications" rule.
2. Verify the list of whitelisted applications has been approved by the Authorizing Official (AO).

Note: This list can be empty if no applications have been approved.

Note: Refer to the Supplemental document for additional information.

If any of the applications on the list of whitelisted applications on the MDM Administration Console have not been approved by the Authorizing Official (AO), this is a finding.
Configure the mobile operating system to use an application whitelist. On the MDM Administration Console, configure the list of whitelisted applications in the "Android Applications" rule and ensure only AO-approved applications are on the list. Note: This list can be empty if no applications have been approved. Note: Refer to the Supplemental document for additional information.
This check procedure is performed on both the MDM Administration Console and the Samsung KNOX device.

Check that the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable Developer Mode" settings in the "Android Restrictions" rule.
2. Verify that the "Disable Developer Mode" setting is enabled.

Note: Disabling Developer mode will also disable USB Debugging and Mock Locations.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Developer options". (**)
3. Attempt to enable "Developer options".

If the "Disable Developer Mode" setting in the MDM console is disabled, or if the user can enable "Developer options" on the device, this is a finding.

Note: The "Developer Modes" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables Developer modes on the mobile device.

(**) "Developer options" is initially hidden to users. To unhide this menu item:
1. Open the device settings.
2. Select "About device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Rapidly tap on "Build number" multiple times until the device displays the Developer Options menu item.
Configure the mobile operating system to disable Developer modes. Configure the platform to disable Developer mode. On the MDM Administration Console, enable the "Disable Developer Mode" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule.
2. Verify the DoD root and intermediate PKI certificates are present.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Other security settings".
4. Select "View security certificates".
5. Review Certificate Authorities listed under the "System" and "User" tabs.
6. Verify the presence of the DoD root and intermediate certificates.

If the DoD root and intermediate certificates are not present in the MDM Console whitelist or on the device, this is a finding.
Install DoD root and intermediate certificates on the device. On the MDM Console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the "Android Certificate Configuration" rule. The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow New Admin Install" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.

Note: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM.

Note: Android Device Manager must first be disabled on the device in order to successfully apply this policy. This can only be done manually on the device by selecting "Lock screen and security", then "Other security settings", then "Device administrators", and then disabling Android Device Manager.

On the Samsung KNOX for Android device:
1. Attempt to install an application that requires admin permissions.
2. Verify the application is blocked from being installed.

If the "Allow New Admin Install" setting in the MDM console is enabled, or if the user is able to install another application requiring admin permissions on the device, this is a finding.
Configure the mobile operating system to disallow new admin installations. On the MDM Administration Console, disable the "Allow New Admin Install" setting in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Applications" rule.
2. Verify the setting is configured to include all applications (specified by the wildcard string ".*").

If the "Application install blacklist" setting in the MDM console does not include all applications, this is a finding.
Configure the mobile operating system to add all applications to the install blacklist. On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Applications" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all pre-installed (core) applications not approved for DoD use by the Authorizing Official (AO).

Note: Refer to the Supplemental document for additional information.

If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.

Note: Core applications are pre-installed on the device and include applications integrated into the Android OS by Google and applications added to the OS load by Samsung or by the carrier.
Configure the mobile operating system application whitelist to exclude applications with the following characteristics:
- all pre-installed (core) applications not approved for DoD use by the Authorizing Official (AO).

Configure the mobile operating system to disable pre-installed applications not approved for DoD use. On the MDM Administration Console, add all pre-installed applications not approved for DoD use to the "Application disable list" setting in the "Android Applications" rule.

Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all pre-installed applications that allow synchronization of data or applications between devices associated with user.

Note: The following applications are known to be pre-installed applications that allow synchronization of data or applications between devices associated with user, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.

Note: Refer to the Supplemental document for additional information.

If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Configure the mobile operating system application whitelist to exclude applications with the following characteristics:
- allows synchronization of data or applications between devices associated with user

Configure the mobile operating system to disable all pre-installed applications that allow synchronization of data or applications between devices associated with user. On the MDM Administration Console, add all pre-installed applications that allow synchronization of data or applications between devices associated with user to the "Application disable list" setting in the "Android Applications" rule.

Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all pre-installed payment processing applications.

Note: The following applications are known to be pre-installed payment processing applications, but other applications can be found on other devices: Wallet, Isis Wallet, Softcard, Samsung Pay.

Note: Refer to the Supplemental document for additional information.

If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Configure the mobile operating system application whitelist to exclude applications with the following characteristics:
- payment processing

Configure the mobile operating system to disable pre-installed payment processing applications. On the MDM Administration Console, add all pre-installed payment processing applications to the "Application disable list" setting in the "Android Applications" rule.

Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all pre-installed applications that back up mobile device data to non-DoD cloud servers (including user and application access to cloud backup services).

Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.

Note: The following application allows a user to configure a Samsung Account on the device, which lets the user back up files (including S Health data) to Samsung servers as well as download applications from the Samsung Apps (Galaxy Apps) store: Samsung Account application.

Note: Refer to the Supplemental document for additional information.

If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Configure the mobile operating system application whitelist to exclude applications with the following characteristics:
- back up mobile device data to non-DoD cloud servers (including user and application access to cloud backup services)

Configure the mobile operating system to disable pre-installed applications that back up mobile device data to non-DoD cloud servers (including user and application access to cloud backup services). On the MDM Administration Console, add all pre-installed applications that back up mobile device data to non-DoD cloud servers (including user and application access to cloud backup services) to the "Application disable list" setting in the "Android Applications" rule.

Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Google Backup" and "Google Auto Sync" settings in the "Android Restrictions" rule.
2. Verify the settings are disabled.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Backup and reset" under the Google account section.
3. Verify "Back up my data" is disabled and cannot be enabled.

If the "Allow Google Backup" or "Google Auto Sync" setting is enabled, this is a finding.

If the user can enable the settings on the device, this is a finding.

If the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.
Configure the mobile operating system to disable backup to remote systems (including commercial clouds). Configure the mobile device to disable backups to Google servers, disable Google Auto Sync, and disable all pre-installed public cloud backup applications. On the MDM Administration Console, disable the "Allow Google backup" and "Google Auto Sync" settings in the "Android Restrictions" rule.
Disabling automatic transfer of diagnostic data to an external device on Samsung KNOX for Android involves three steps:
1. Disable Google Crash report
2. Configure a KNOX on-premise license
3. Disable Report diagnostic info.

This validation procedure covers the first of these steps. This validation procedure is performed on the MDM Administration Console.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Google Crash Report" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.

If the "Google Crash Report" configuration in the MDM console is enabled, this is a finding.
Configure the mobile operating system to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the mobile operating system to disable Google Crash Report. On the MDM Administration Console, disable the "Google Crash Report" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "USB host storage" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.

On the Samsung KNOX for Android device:
1. Connect a Micro USB to USB OTG adaptor to the device.
2. Connect a USB thumb drive to the adaptor.
3. Verify the device cannot access the USB thumb drive.

If the "USB host storage" configuration in the MDM console is enabled, or if the user is able to access the USB thumb drive from the device, this is a finding.
Configure the mobile operating system to disable USB host storage. On the MDM Administration Console, disable the "USB host storage" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android Password Restrictions" rule.
2. Verify the value of the setting is the same or less than the required length.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Screen lock type".
4. Enter current password.
5. Select "Password".
6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length.
7. Verify the password is not accepted.

If the configured values of the "Max Sequential Characters" and "Max Sequential Numbers" settings are greater than the required length, or if the device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.

Note: On some MDM servers, there may only be one configuration setting ("Max Sequential Characters") since this API actually disables both sequential and repeating characters.
Configure the mobile operating system to prevent passwords from containing more than two repeating or sequential characters. On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to "2" in the "Android Password Restrictions" rule.
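As an added example (not part of the STIG and not Samsung's KNOX API), the following Python applies the two password rules above, "Min Length" of 6 and "Max Sequential Characters"/"Max Sequential Numbers" of 2, to candidate passwords so a reviewer can see which ones the device should refuse during the on-device check. It assumes that "sequential" covers both ascending and descending runs and that "repeating" means identical adjacent characters; the function names and sample passwords are constructed.

```python
"""Password-policy check modelled on the KNOX STIG password rules.

Added example: it mirrors the MDM settings "Min Length" = 6 and
"Max Sequential Characters"/"Max Sequential Numbers" = 2. Treating
descending runs as sequential is an assumption, not a documented
Samsung behaviour.
"""

MIN_LENGTH = 6   # "Min Length" set to 6 or greater
MAX_RUN = 2      # "Max Sequential Characters"/"Max Sequential Numbers" set to 2


def longest_run(password: str, step: int) -> int:
    """Length of the longest run of adjacent characters whose code points
    each differ from the previous one by exactly `step`.

    step = 0  -> repeating characters ("aaa")
    step = 1  -> ascending sequence   ("abc", "123")
    step = -1 -> descending sequence  ("cba", "321")
    """
    longest = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        longest = max(longest, run)
    return longest


def policy_violations(password: str, min_length: int = MIN_LENGTH,
                      max_run: int = MAX_RUN) -> list[str]:
    """Return the STIG rules the password violates; an empty list means accepted."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than Min Length {min_length}")
    if longest_run(password, 0) > max_run:
        violations.append(f"more than {max_run} repeating characters")
    # Digits are ordinary code points, so "Max Sequential Numbers" is covered
    # by the same run check as letters ("123" and "abc" both have a run of 3).
    if longest_run(password, 1) > max_run or longest_run(password, -1) > max_run:
        violations.append(f"more than {max_run} sequential characters")
    return violations


def is_accepted(password: str) -> bool:
    """True when the password satisfies every configured rule."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample passwords, not from the STIG.
    for candidate in ["abc123", "aabb12", "zyx987", "aaa", "Tr0ub4dor!"]:
        result = policy_violations(candidate)
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```

"aabb12" is accepted because each repeating or sequential run is exactly two characters long, the maximum the rule permits.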
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow multi-user mode" settings in the "Android Restrictions" rule.
2. Verify the setting is disabled.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Attempt to add a user in the "User" setting.
3. Verify that the "User" setting is not available.

If the "Allow multi-user mode" setting is enabled, or if the user is able to add a user, this is a finding.
Configure the mobile operating system to disable multi-user modes. On the MDM Administration Console, disable the "Allow multi-user mode" setting in the "Android Restrictions" rule. Note: This requirement is only applicable for tablet devices.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Enable S Voice" settings in the "Android Restrictions" rule.
2. Verify the value is disabled.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "Applications".
3. Verify the S Voice application cannot be selected.

If the "Enable S Voice" setting is enabled, or if the S Voice application can be launched or configured, this is a finding.
Configure the operating system to disable S Voice. On the MDM Administration Console, disable the "Enable S Voice" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow NFC" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.

On the Samsung KNOX for Android device:
1. Open device settings.
2. Select "NFC and payment".
3. Verify the setting is disabled.

If the "Allow NFC" configuration in the MDM console is enabled, or if the setting is enabled on the device, this is a finding.
Configure the mobile operating system to disable NFC. On the MDM Administration Console, disable the "Allow NFC" setting in the "Android Restrictions" rule.
This validation procedure is performed on the Samsung KNOX for Android device.

On the Samsung KNOX for Android device:
1. Open the device settings.
2. Select "More connection settings".
3. Select "Nearby devices".
4. Verify this is disabled.

If the setting is enabled and cannot be disabled, this is a finding.

Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
Configure the mobile operating system to disable "Nearby devices". Note: Most carriers have removed this feature. If the feature is not present as described, this requirement is Not Applicable (NA).
This validation procedure is performed on both the MDM Administration Console and the PC. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" check box in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" check box is selected. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, and the USB vendor protocol (Smart Switch, KIES). On the Samsung KNOX for Android device: Connect the device to a PC via USB. Note: Do not use a DoD network-managed PC for this test! On the PC: Verify the device does not appear as a storage device in the PC's file browser (for example, Windows Explorer or macOS Finder). If the specified setting is not set to the appropriate value, or if the device is shown in the PC's file browser, this is a finding.
Configure the mobile operating system to disable USB mass storage mode. On the MDM Administration Console, select the "Disable USB Media Player" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow FOTA" setting in the "Android Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open device settings. 2. Select "About device". 3. Attempt to select "Software update" or "Download updates manually". Note: Location of this menu can vary between models. If the "Allow FOTA" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding. Note: After reviewing the update and adjusting any necessary policies (e.g., disabling applications determined to pose a risk), the administrator can re-enable FOTA.
Configure the mobile operating system to disable automatic updates of system software. Configure the mobile operating system to disable FOTA. On the MDM Administration Console, disable the "Allow FOTA" setting in the "Android Restrictions" rule.
This check procedure is performed on both the MDM Administration Console and the Samsung KNOX device. Check that the appropriate setting is configured on the MDM Administration Console. 1. Ask the MDM administrator to display the "Notifications on lock screen" settings in the "Android Restrictions" rule. 2. Verify that the "Hide content" or "Do not show notification" setting is enabled and "Show content" setting is disabled. On the Samsung KNOX for Android device: 1. Lock the device while there are notifications shown in the notification bar. 2. Turn the display on and verify that notification contents are hidden ("Hide content") or that no notifications are shown ("Do not show notification") on the lock screen. If the "Show content" setting in the MDM console is enabled, or if the user is able to see notification content on the device lock screen, this is a finding.
Configure the mobile operating system to not display notifications when the device is locked. Configure the platform to disable notifications on the lock screen or hide notification details on the lock screen. On the MDM Administration Console, enable "Hide content" or "Do not show notification" and disable "Show content" in the "Notifications on lock screen" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the PC. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable USB Media Player" check box in the "Android Restrictions" rule. 2. Verify the "Disable USB Media Player" check box is selected. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES). On the Samsung KNOX for Android device: Connect the device to a PC USB connection. Note: Do not use a DoD network-managed PC for this test! On the PC: 1. Install and launch Samsung Smart Switch (Note: Samsung KIES for older devices) on the PC. 2. Verify the device does not connect with the Samsung Smart Switch program. If the specified setting is not set to the appropriate value, or if the device connects with the Samsung Smart Switch or KIES program, this is a finding.
Configure the mobile operating system to disable backup to locally connected systems. Configure the mobile operating system to disable USB Smart Switch and USB KIES. On the MDM Administration Console, select the "Disable USB Media Player" check box in the "Android Restrictions" rule. Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of configured VPN profiles in the "VPN profiles" rule. 2. Verify the list includes the organization VPN profile. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "More connection settings". 3. Select "VPN". 4. Verify the list includes the organization VPN profile. If the organization VPN profile is not included in either list, this is a finding.
Configure the mobile operating system to enable VPN protection. Configure the mobile operating system with the organization VPN profile. On the MDM Administration Console, configure the organization VPN profile in the "VPN profiles" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the settings are "Alphanumeric". 3. Ask the MDM administrator to display the "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Lock screen type". 4. Verify "Swipe", "Pattern", "PIN", "Fingerprints", and "None" are disabled (grayed out) and cannot be enabled. If "Fingerprint for Lock screen authentications" is enabled, or if "Minimum Password Complexity" is not configured to "Alphanumeric", or if the user can enable the settings on the device, this is a finding.
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor, where the authentication provides user access to protected data. Configure the mobile operating system to configure Minimum Password Complexity and disable fingerprint for the lock screen password. On the MDM Administration Console, configure "Minimum Password Complexity" to Alphanumeric and disable "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule.
Note: This validation procedure is identical to the one for KNOX-39-024600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to Authorizing Officials (AOs). This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the settings are "Alphanumeric". 3. Ask the MDM administrator to display the "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Lock screen type". 4. Verify "Swipe", "Pattern", "PIN", "Fingerprints", and "None" are disabled (grayed out) and cannot be enabled. If "Fingerprint for Lock screen authentications" is enabled, or if "Minimum Password Complexity" is not configured to "Alphanumeric", or if the user can enable the settings on the device, this is a finding.
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor, where the authentication provides user access to protected data. Configure the mobile operating system to configure Minimum Password Complexity and disable fingerprint for the lock screen password. On the MDM Administration Console, configure "Minimum Password Complexity" to "Alphanumeric" and disable the "Enable Fingerprint for Lock screen authentication" setting in the "Android Restrictions" rule.
Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to Authorizing Officials (AOs). This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "About Device". 3. Select "Software info" (Note: On some devices, this step is not needed.) 4. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
Configure the mobile operating system to disable VPN split-tunneling (if the mobile device provides a configurable control). Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK and enable CC mode from this application. This APK will be made available by Samsung.
Note: This validation procedure is identical to the one for KNOX-39-015400. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to Authorizing Officials (AOs). This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android KNOX Container" rule. 2. Verify the existence of this rule. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung KNOX for Android device: 1. Verify the existence of the KNOX icon on the device home screen or application menu or the notification bar pull-down menu. 2. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM administrator cannot configure the "Android KNOX Container" rule, or if the KNOX icon is not present, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.
On the MDM Administration Console, create the "Android KNOX Container" rule and push this rule to the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Admin Remove" settings in the "Android Restrictions" rule. 2. Verify the value is disabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Other security settings". 4. Select "Device administrators". 5. Verify the enterprise MDM agent is on and cannot be turned off. If the "Allow Admin Remove" setting is enabled, or if the MDM agent on the device can be turned off, this is a finding.
Configure the operating system to disable admin removal by the user. On the MDM Administration Console, disable the "Allow Admin Remove" setting in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Certificate Revocation Status (CRL) Check" settings in the "Android Restrictions" rule. 2. Verify the value is enabled and configured for all applications. If the setting is disabled, this is a finding.
Configure the operating system to perform certificate revocation status checking (CRL). On the MDM Administration Console, enable the "Enable Certificate Revocation Status (CRL) Check" setting for all applications in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule. 2. Verify the setting is "Alphanumeric". 3. Ask the MDM administrator to display the "Enable Smart Lock" setting in the "Android Restrictions" rule. 4. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "Lock screen and security". 3. Select "Secure lock settings". 4. Select "Smart Lock". 5. Verify all items are disabled (grayed out) and cannot be enabled. If the "Enable Smart Lock" setting in the MDM console is enabled, if "Minimum Password Complexity" is not configured to "Alphanumeric", or if any Smart Lock item is enabled or can be enabled by the user on the device, this is a finding.
Configure the mobile operating system to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data. Configure the mobile operating system to disable Smart Lock. On the MDM Administration Console, disable the "Enable Smart Lock" setting in the "Android Restrictions" rule.
Disabling automatic transfer of diagnostic data to an external device on Samsung KNOX for Android involves three steps: 1. Disable Google Crash report 2. Configure a KNOX on-premise license 3. Disable Report diagnostic info This validation procedure covers the second of these steps. This validation procedure is performed on the MDM Administration Console. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "KNOX License" settings in the "KNOX Management" rule. 2. Verify the correct DoD-issued KNOX license is configured. If the correct DoD-issued KNOX license is not configured in the "KNOX License" setting, this is a finding.
Configure the mobile operating system to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the DoD-issued KNOX license. On the MDM Administration Console, configure the DoD-issued KNOX license in the "KNOX Management" rule.
Disabling automatic transfer of diagnostic data to an external device on Samsung KNOX for Android involves three steps: 1. Disable Google Crash report 2. Configure a KNOX on-premise license 3. Disable Report diagnostic info This validation procedure covers the third of these steps. This validation procedure is performed on the Samsung KNOX for Android device. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "Privacy and safety" or "About device". 3. Verify "Report diagnostic info" setting is off. If the setting is on (enabled), this is a finding. Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
Configure the mobile operating system to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Configure the mobile operating system to disable "Report diagnostic info". On the Samsung KNOX for Android device, uncheck the "Report diagnostic info" setting.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable DoD Banner" check box and "Banner Text" field in the "Android Restrictions" rule. 2. Verify the "Enable DoD Banner" check box is selected. 3. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank. Note: The default device banner matches the required DoD banner. If the DoD banner is enabled without entering any text, the device will display a default text. On the Samsung KNOX for Android device: 1. Reboot the device. 2. Verify the device displays the DoD banner. 3. Verify the DoD banner is set to one of the authorized messages. If the specified setting is not set to the appropriate value, or the device does not display the DoD banner on reboot, this is a finding.
Configure the mobile operating system to display the DoD-mandated warning banner text. On the MDM Administration Console, select the "Enable DoD Banner" check box and enter the correct text in the "Banner Text" field in the "Android Restrictions" rule. Note: On some MDM vendor consoles, the logon banner automatically is displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule. 2. Verify the check box is selected. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "Date and time". 3. Verify the "Automatic date and time" is on. 4. Verify a user cannot turn off the "Automatic date and time". If the "Disable Manual Date Time Changes" check box is not checked on the MDM administration console or the "Automatic date and time" is set to "off" on the device, or if it is possible to turn off this option on the device, this is a finding.
Configure the mobile operating system to synchronize the internal clock at least once every 24 hours with an authoritative time server or the GPS. On the MDM Console, select the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Min Length" setting in the "Android KNOX Container >> Container Password Restrictions" rule. 2. Verify the value of the setting is the same or greater than the required length. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Select "KNOX Settings". 3. Select "Lock type". 4. Enter current password. 5. Attempt to enter a password with fewer characters than the required length. 6. Verify the password is not accepted. If the configured value of the "Min Length" setting is less than the required length, or if Samsung KNOX for Android accepts a container password with fewer characters than the required length, this is a finding. Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device. The use of a password to move between container and personal areas is only required if the password is needed to provide data separation between the two processing environments. For the Samsung devices, the password is required to enable the container and implement data separation.
Configure the mobile device to enforce a minimum password length of "4" characters. On the MDM Console, set the "Min Length" value to "4" or greater in the "Android KNOX Container >> Container Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Export Calendar to Personal Mode" setting in the "Android KNOX Container >> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the KNOX container. 2. Select "KNOX Settings". 3. Select "Share contacts and calendars". 4. Verify "Export to Personal Mode – Calendar (from KNOX)" (on some devices, shown as "Export to Personal Mode - S Planner") is disabled and attempt to enable this setting. If the "Allow Export Calendar to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable sharing of calendar information outside the container. On the MDM Administration Console, disable the "Allow Export Calendar to Personal Mode" setting in the "Android KNOX Container >> Container Restrictions" rule.
This validation procedure is performed on the MDM Administration Console only. Check whether the device lock screen setting is configured on the MDM server. 1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android KNOX Container >> Container Password Restrictions" rule. 2. Verify the value of the setting is "10" or less. If there is no value configured for the "Maximum Failed Attempts" field, or if it is greater than "10", this is a finding.
Configure the mobile operating system to allow only "10" or fewer consecutive failed authentication attempts. On the MDM Administration Console, set "Maximum Failed Attempts" to the organization-defined value ("10" or less) in the "Android KNOX Container >> Container Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Export Contact to Personal Mode" setting in the "Android KNOX Container >> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the KNOX container. 2. Select "KNOX Settings". 3. Select "Share contacts and calendars". 4. Verify "Export to Personal Mode - Contacts (from KNOX)" is disabled and attempt to enable this setting. If the "Allow Export Contact to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable sharing of contact information outside the container. On the MDM Administration Console, disable the "Allow Export Contact to Personal Mode" setting in the "Android KNOX Container >> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Show detailed notifications" setting in the "Android KNOX Container >> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the KNOX container. 2. Select "KNOX Settings". 3. Select "Notifications". 4. Verify "Show details" is disabled and attempt to enable this setting. If the "Allow Show detailed notifications" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
Configure the mobile operating system to disable sharing of notification details outside the container. On the MDM Administration Console, disable the "Allow Show detailed notifications" setting in the "Android KNOX Container >> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Android KNOX Container" rule. 2. Verify the existence of this rule. 3. Pushing this rule to the device that does not have a container installed will result in creation of the container. On the Samsung KNOX for Android device: 1. Verify the existence of the KNOX icon on the device home screen or application menu or the notification bar pull-down menu. 2. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent. If the MDM administrator cannot configure the "Android KNOX Container" rule, or if the KNOX icon is not present, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.
On the MDM Administration Console, create the "Android KNOX Container" rule and push this rule to the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule. 2. Verify the value is enabled. Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled. On the Samsung KNOX for Android device: 1. Open the device settings. 2. Select "About Device". 3. Select "Software info". (Note: On some devices, this step is not needed.) 4. Verify the value of "Security software version" displays "Enforced". If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
Configure the operating system to enable CC mode. On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule. If this setting is not available on the console, install the CC mode APK and enable CC mode from this application. This APK will be made available by Samsung.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Bluetooth Profiles" settings in the "Android Restrictions" rule. 2. Verify the only profiles allowed are HSP, HFP, and SPP. On the Samsung KNOX for Android device: 1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard). 2. Verify the Bluetooth peripheral does not pair with the Samsung KNOX for Android device. If Bluetooth profiles other than HSP, HFP, and SPP are configured to be allowed, or if the device is able to pair with a Bluetooth keyboard, this is a finding.
Configure the mobile operating system to disable all Bluetooth profiles except for HSP, HFP, and SPP. On the MDM Administration Console, configure the "Bluetooth Profiles" setting to only allow HSP, HFP, and SPP in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of whitelisted applications in the "Android KNOX Container >> Container Applications" rule. 2. Verify the list of whitelisted applications have been approved by the Authorizing Official (AO). Note: Refer to the Supplemental document for additional information. Note: This list can be empty if no applications have been approved. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Attempt to install an application that is not in the application whitelist. If any of the applications on the MDM Administration Console have not been approved by the AO, or the device allows the user to successfully install the application, this is a finding.
Configure the mobile device to use an application whitelist. On the MDM Administration Console, configure the list of whitelisted applications in the "Android KNOX Container >> Container Applications" rule and ensure only AO-approved applications are on the list. Note: This list can be empty if no applications have been approved. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android KNOX Container >> Container Application" rule. 2. Verify the setting is configured to all applications (specified by the wildcard string ".*"). On the Samsung KNOX for Android device: 1. Attempt to install any application that is not configured in the application install whitelist. 2. Verify that the application is blocked from being installed. If the "Application install blacklist" configuration in the MDM console has the wrong value, or if the user is able to install the application, this is a finding.
Configure the mobile operating system to add all applications to the install blacklist. On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android KNOX Container >> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Move Applications to Container" setting in the "Android KNOX Container >> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Select "KNOX Settings". 3. Verify "Install applications" cannot be selected. (Note: If the KNOX Container is configured as a folder type, a "+" icon should not be visible in the list of applications.) If the "Move Applications to Container" configuration in the MDM console is enabled, or if the user is able to select "Install applications", this is a finding.
Configure the mobile operating system to disable Move Applications to Container. On the MDM Administration Console, disable the "Move Applications to Container" setting in the "Android KNOX Container >> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Move Files from Container to Personal" setting in the "Android KNOX Container >> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Select "My Files" application. 3. Select a file by long pressing a selection. 4. Select "Settings". 5. Select "Move to Personal mode". 6. Verify this operation is blocked. If the "Move Files from Container to Personal" configuration in the MDM console is enabled, or if the user is able to successfully move the selected file to the personal space, this is a finding.
Configure the mobile operating system to disable "Move Files from Container to Personal". On the MDM Administration Console, disable the "Move Files from Container to Personal" setting in the "Android KNOX Container >> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Application disable list" setting in the "Android KNOX Container >> Container Application" rule. 2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Authorizing Official (AO). Note: Refer to the Supplemental document for additional information. On the Samsung KNOX for Android device: 1. Open the KNOX container. 2. Attempt to launch an application that is included on the disable list. Note: This application should not be visible. If the "Application disable list" configuration in the MDM console does not contain all core and pre-installed applications not approved by DoD, or if the user is able to successfully launch an application on this list, this is a finding. Note: Core applications are apps installed in the operating system (OS) by the OS developer. In addition, third-party pre-installed apps are included in the OS build by the device vendor or wireless carrier.
Configure the mobile operating system to disable all pre-installed container applications that are not DoD-approved. On the MDM Administration Console, add all pre-installed container applications that are not DoD-approved to the "Application disable list" setting in the "Android KNOX Container >> Container Application" rule. Note: Refer to the Supplemental document for additional information.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow browser auto-fill" setting in the "Android KNOX Container >> Container Restrictions" rule. 2. Verify the setting is disabled. On the Samsung KNOX for Android device: 1. Open the KNOX container. 2. Launch the browser application. 3. Select the application's setting menu. 4. Select "Auto fill profile". 5. Select "Auto fill profile" and attempt to create a profile. 6. Select "Privacy" from the setting menu. 7. Attempt to enable "Save sign-in info". If the "Allow browser auto-fill" configuration in the MDM console is enabled, or if the user is able to successfully create a profile or enable "Save sign-in info", this is a finding.
Configure the mobile operating system to disable browser auto-fill for the container browser application. On the MDM Administration Console, disable the "Allow browser auto-fill" setting in the "Android KNOX Container >> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android KNOX Container >> Container Password Restrictions" rule. 2. Verify the value of the setting is the same or less than the required length. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Select "KNOX Settings". 3. Select "Lock type. 4. Enter current password. 5. Select "Password". 6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length. 7. Verify the password is not accepted. If the configured values of the "Max Sequential Character" and "Max Sequential Number" settings are greater than the required length, or if the device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.
Configure the mobile device to enforce a password that does not contain more than two sequential or repeating characters or numbers. On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to "2" in the "Android KNOX Container >> Container Password Restrictions" rule.
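The following is an added illustration, not text or code from the STIG or from Samsung, of what the "Max Sequential Characters" and "Max Sequential Numbers" limits in the check above reject. It assumes the common reading of those settings: a run of letters (or of digits) counts as sequential when each character repeats the previous one, or is one code point above or below it, and a run longer than the configured maximum fails the policy. Sample passwords are constructed for the demonstration.

```python
import string

# Values from the STIG fix text: "Max Sequential Characters" and
# "Max Sequential Numbers" are both set to 2 on the MDM console.
MAX_SEQUENTIAL_CHARACTERS = 2
MAX_SEQUENTIAL_NUMBERS = 2


def longest_run(password, charset):
    """Length of the longest run of characters drawn from `charset` that are
    identical ("aaa"), ascending by one ("abc") or descending by one ("321").

    A character outside `charset` breaks the run, so "ab1cd" has letter runs
    of length 2, not 4. Returns 0 for an empty password.
    """
    best = 0
    n = len(password)
    for start in range(n):
        if password[start] not in charset:
            continue
        # Extend the run forward in each direction and keep the longest.
        for step in (0, 1, -1):  # 0 = repeating, 1 = ascending, -1 = descending
            end = start
            while (end + 1 < n
                   and password[end + 1] in charset
                   and ord(password[end + 1]) - ord(password[end]) == step):
                end += 1
            best = max(best, end - start + 1)
    return best


def check_password(password, max_chars=MAX_SEQUENTIAL_CHARACTERS,
                   max_nums=MAX_SEQUENTIAL_NUMBERS):
    """Return the list of policy violations; an empty list means the password
    satisfies both limits (assumed equivalent to the device accepting it in
    step 7 of the check)."""
    findings = []
    letters = longest_run(password, string.ascii_letters)
    if letters > max_chars:
        findings.append(
            f"{letters} sequential or repeating letters exceeds the maximum of {max_chars}")
    digits = longest_run(password, string.digits)
    if digits > max_nums:
        findings.append(
            f"{digits} sequential or repeating digits exceeds the maximum of {max_nums}")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords (not from the STIG).
    for candidate in ("Xk7!pQ2r", "abc123", "aa11bb", "Pass111", "cba9"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```

With the STIG value of 2, "aa" and "12" remain acceptable while "abc", "cba" and "111" are rejected; letters and digits are tracked separately, so a letter run is not extended by an adjacent digit.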
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account whitelist" setting in the "Container Accounts" rule. 2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil). Note: Proper configuration of Account blacklist is required for this configuration to function correctly. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Open "Settings". 3. Select "Accounts". 4. Select "Add account". 5. Select "Email" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain. 6. Verify the email account can be added. 7. Attempt to add an email account with a domain not approved by DoD. 8. Verify that the email account cannot be added. If the "Account whitelist" is not properly configured, or if the user is able to successfully configure the email account with a domain not approved by DoD, or if the user is not able to install the DoD-approved email account, this is a finding.
Configure the mobile operating system to add DoD-approved email domains to the account whitelist. On the MDM Administration Console, add all DoD-approved email domains to the "Account whitelist" setting in the "Container Accounts" rule. Note: It is recommended to add ".*@mail.mil".
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account blacklist" setting in the "Container Accounts" rule. 2. Verify the setting is configured to all email domains not approved by DoD. Note: All email domains are specified by the wildcard string ".*" On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Open "Settings". 3. Select "Accounts". 4. Select "Add account". 5. Select "Email" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain. 6. Verify the email account cannot be added. If the "Account blacklist" is not properly configured, or if the user is able to successfully configure the non-DoD-approved email account, this is a finding.
Configure the mobile operating system to add email domains not approved by DoD to the account blacklist. On the MDM Administration Console, add all email domains not approved by DoD to the "Account blacklist" setting in the "Container Accounts" rule.
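The account whitelist and account blacklist checks above only work as a pair: the whitelist names the approved domains and the ".*" blacklist blocks everything else. The following added example (not from the STIG or from Samsung's MDM or Knox code) models that interaction with the page's recommended values as constructed inputs. It assumes the lists are regular expressions matched against the full account id and that a whitelist match takes precedence over a blacklist match; neither point is stated on the page, and the MDM vendor's documentation is authoritative for the real behaviour.

```python
import re

# Constructed MDM values modelled on the STIG text (not exported from a real
# console): the whitelist fix recommends ".*@mail.mil" and the blacklist check
# says all domains are specified by the wildcard string ".*".
ACCOUNT_WHITELIST = [r".*@mail.mil"]
ACCOUNT_BLACKLIST = [r".*"]


def _matches_any(account, patterns):
    """True if the account id fully matches at least one regex pattern."""
    return any(re.fullmatch(pattern, account) for pattern in patterns)


def account_allowed(account, whitelist=ACCOUNT_WHITELIST, blacklist=ACCOUNT_BLACKLIST):
    """Decide whether an account may be added inside the container.

    Assumed precedence (not stated on the page): a whitelist match wins over a
    blacklist match, and an account matching neither list is allowed. That is
    what makes the ".*" blacklist necessary for the whitelist to be meaningful.
    """
    if _matches_any(account, whitelist):
        return True
    if _matches_any(account, blacklist):
        return False
    return True


def audit_lists(whitelist, blacklist, approved_probe, unapproved_probe):
    """Replay the device steps of both checks against constructed probe accounts
    and return the finding text, or None when both checks pass."""
    if not account_allowed(approved_probe, whitelist, blacklist):
        return f"approved account {approved_probe} cannot be added"
    if account_allowed(unapproved_probe, whitelist, blacklist):
        return f"unapproved account {unapproved_probe} can be added"
    return None


if __name__ == "__main__":
    # Constructed probe addresses; not real accounts.
    approved, unapproved = "analyst@mail.mil", "analyst@example.com"
    print("configured as recommended:",
          audit_lists(ACCOUNT_WHITELIST, ACCOUNT_BLACKLIST, approved, unapproved))
    print("blacklist left empty:",
          audit_lists(ACCOUNT_WHITELIST, [], approved, unapproved))
```

Running it shows the condition the whitelist note warns about: with the blacklist left empty, the unapproved account is accepted and the whitelist check is a finding even though the whitelist itself is correct. One regex detail worth knowing when reading the recommended value: the unescaped "." in ".*@mail.mil" matches any single character, so the pattern also accepts an account such as "user@mail-mil"; ".*@mail\.mil" is the tighter form if the console accepts it.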
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Minimum Complexity" setting in the "Android KNOX Container >> Container Password Restrictions" rule. 2. Verify the value of the setting is Alphanumeric. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Select "KNOX Settings". 3. Select "Lock type". 4. Enter current password. 5. Verify "PIN" and "Pattern" are grayed out and cannot be selected. If the configured value of the "Min Complexity" setting is not "Alphanumeric", or if the user is able to select "PIN" or "Pattern", this is a finding. Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.
Configure the mobile device to enforce a minimum password complexity of "Alphanumeric". On the MDM Administration Console, set the "Minimum Complexity" value to "Alphanumeric" in the "Android KNOX Container >> Container Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Enable Google Play" setting in the "Android Restrictions" rule (work environment container). 2. Verify it is enabled. On the Samsung KNOX for Android device: 1. Attempt to locate the "Google Play" application inside the KNOX container. 2. Verify it is present inside the KNOX container. If the "Enable Google Play" setting is not enabled inside the KNOX container, this is a finding. Play for Work inside KNOX is optional and must be AO-approved. If Play for Work inside KNOX is not used, this requirement is NA.
Configure the mobile operating system to enable Google Play inside the KNOX container only. On the MDM Administration Console, enable the "Enable Google Play" setting in the "Android Restrictions" rule (work environment container).