Google Android 14 must be configured to disable multiuser modes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258426	GOOG-14-009000	SV-258426r928303_rule		Medium

Description
Multiuser mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multiuser mode features meets DOD requirements for access control, data separation, and nonrepudiation for user accounts. In addition, the MDFPP does not include design requirements for multiuser account services. Disabling multiuser mode mitigates the risk of not meeting DOD multiuser account security policies. SFR ID: FMT_SMF_EXT.1.1 #47a

Description

Multiuser mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multiuser mode features meets DOD requirements for access control, data separation, and nonrepudiation for user accounts. In addition, the MDFPP does not include design requirements for multiuser account services. Disabling multiuser mode mitigates the risk of not meeting DOD multiuser account security policies. SFR ID: FMT_SMF_EXT.1.1 #47a

STIG	Date
Google Android 14 COPE Security Technical Implementation Guide	2023-10-04

Details

Check Text ( C-62167r928301_chk )
Review documentation on the managed Google Android 14 device and inspect the configuration on the Google Android device to disable multiuser modes. This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device. On the EMM console: COBO and COPE: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Verify "Disallow modify accounts" is toggled to "ON". On the managed Google Android 14 device: COBO and COPE: 1. Go to Settings >> Passwords & accounts >> Accounts for Owner. 2. Tap "Add account" (work profile). 3. Verify the action is not allowed. If the EMM console device policy is not set to disable multi-user modes or on the managed Google Android 14 device, the device policy is not set to disable multi-user modes, this is a finding.

Check Text ( C-62167r928301_chk )

Review documentation on the managed Google Android 14 device and inspect the configuration on the Google Android device to disable multiuser modes.

This validation procedure is performed on both the EMM Administration Console and the managed Google Android 14 device.

On the EMM console:

COBO and COPE:

1. Open "User restrictions".
2. Open "Set user restrictions".
3. Verify "Disallow modify accounts" is toggled to "ON".

On the managed Google Android 14 device:

COBO and COPE:

1. Go to Settings >> Passwords & accounts >> Accounts for Owner.
2. Tap "Add account" (work profile).
3. Verify the action is not allowed.

If the EMM console device policy is not set to disable multi-user modes or on the managed Google Android 14 device, the device policy is not set to disable multi-user modes, this is a finding.

Fix Text (F-62091r928302_fix)
Configure the Google Android 14 device to disable multi-user modes. On the EMM console: COBO and COPE: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Toggle "Disallow modify accounts" to "ON".