Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-260163 | GOOG-14-710100 | SV-260163r948694_rule | Medium |
Description |
---|
If the user can add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47 |
STIG | Date |
---|---|
Google Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide | 2024-02-20 |
Check Text ( C-63894r948692_chk ) |
---|
Review the managed Google Android 14 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the EMM Administrator console and the managed Google Android 14 device. On the EMM console: 1. Open "Set user restrictions". 2. Verify "Disallow modify accounts" is toggled to "ON". On the managed Google Android 14 device: 1. Open Settings. 2. Tap "Passwords & accounts". 3. Select "Work". 4. Tap "Add account". 5. Verify a message is displayed to the user stating, "Blocked by your IT admin". If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 14 device the user is able to add an account in the Work section, this is a finding. |
Fix Text (F-63801r948693_fix) |
---|
Configure the Google Android 14 device to prevent users from adding personal email accounts to the work email app. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow modify accounts" to "ON". Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app. |