UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Microsoft Android 11 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.


Overview

Finding ID Version Rule ID IA Controls Severity
V-255228 MSFT-11-009200 SV-255228r870840_rule Medium
Description
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allow listed accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47
STIG Date
Microsoft Android 11 COPE Security Technical Implementation Guide 2022-11-14

Details

Check Text ( C-58841r870775_chk )
Review the Microsoft Android 11 Work Profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.

This procedure is performed on both the EMM Administrator console and the Microsoft Android 11 device.

On the EMM console:
1. Open "Set user restrictions".
2. Verify that "Disallow modify accounts" is toggled to "On".

On the Microsoft Android 11 device:
1. Open "Settings".
2. Tap "Accounts".
3. Verify that "Add account" is grayed out under the "Work" section.

If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the Microsoft Android 11 device the user is able to add an account in the Work section, this is a finding.
Fix Text (F-58785r869300_fix)
Configure Microsoft Android 11 device to prevent users from adding personal email accounts to the work email app.

On the EMM console:
1. Open "Set user restrictions".
2. Toggle "Disallow modify accounts" to "On".

Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app.