The Honeywell Android Pie must wipe all data upon unenrollment from MDM.


Overview

Finding ID: V-235053
Version: HONW-09-007150
Rule ID: SV-235053r626530_rule
IA Controls:
Severity: Medium
Description
When a mobile device is no longer going to be managed by MDM technologies, its protected/sensitive data must be sanitized because it will no longer be protected by the MDM software, so it is at much greater risk of unauthorized access and disclosure. At least one of the two options must be selected.

SFR ID: FMT_SMF_EXT.2.1
STIG: Honeywell Android 9.x COBO Security Technical Implementation Guide
Date: 2021-01-25

Details

Check Text (C-38241r623069_chk)
Review Honeywell Android device configuration settings to determine if the mobile device is configured to prohibit the user from unenrolling the Honeywell device from MDM management.

This validation procedure is performed only on the MDM Administration console.

On the MDM console:
Ensure "Disallow remove managed profile" is enabled.

If the MDM console device policy is not configured to prohibit the user from unenrolling the Honeywell device from MDM management, this is a finding.
Fix Text (F-38204r623070_fix)
On the MDM console:
Enable "Disallow remove managed profile".

Prior to unenrollment, the MDM administrator should issue a factory reset to ensure all data is wiped by doing the following in the MDM console:
Wipe data.