The Google Android 14 work profile must be configured to prevent users from adding personal email accounts to the work email app.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258432	GOOG-14-010100	SV-258432r928321_rule		Medium

Description
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47

STIG	Date
Google Android 14 COPE Security Technical Implementation Guide	2023-10-04

Details

Check Text ( C-62173r928319_chk )
Review the managed Google Android 14 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device. COPE: On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow modify accounts" is toggled to "ON". On the managed Google Android 14 device: 1. Open Settings. 2. Tap "Passwords & accounts". 3. Select "Work". 4. Tap "Add account". 5. Verify a message is displayed to the user stating, "Action not allowed". If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 14 device the user is able to add an account in the Work section, this is a finding.

Check Text ( C-62173r928319_chk )

Review the managed Google Android 14 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.

This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device.

COPE:

On the EMM console:
1. Open "Set user restrictions".
2. Verify "Disallow modify accounts" is toggled to "ON".

On the managed Google Android 14 device:

1. Open Settings.
2. Tap "Passwords & accounts".
3. Select "Work".
4. Tap "Add account".
5. Verify a message is displayed to the user stating, "Action not allowed".

If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 14 device the user is able to add an account in the Work section, this is a finding.

Fix Text (F-62097r928320_fix)
Configure the Google Android 14 device to prevent users from adding personal email accounts to the work email app. On the EMM console: COPE: 1. Open "Set user restrictions". 2. Toggle "Disallow modify accounts" to "ON". Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app.