Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-250442 | GOOG-12-010100 | SV-250442r802684_rule | Medium |
Description |
---|
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47 |
STIG | Date |
---|---|
Google Android 12 COPE Security Technical Implementation Guide | 2021-09-17 |
Check Text ( C-53877r802682_chk ) |
---|
Review the managed Google Android 12 Work Profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the EMM Administrator console and the managed Google Android 12 device. COPE: On the EMM console: 1. Open "Set user restrictions". 2. Verify that "Disallow modify accounts" is toggled to ON. On the managed Google Android 12 device: 1. Open Settings. 2. Tap "Passwords & accounts". 3. Select "Work". 4. Tap "Add account". 5. Verify that message is displayed to the user stating "Action not allowed". If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 12 device the user is able to add an account in the Work section, this is a finding. |
Fix Text (F-53831r802683_fix) |
---|
Configure the Google Android 12 device to prevent users from adding personal email accounts to the work email app. On the EMM console: COPE: 1. Open "Set user restrictions". 2. Toggle "Disallow modify accounts" to ON. Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app. |