Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230981	KNOX-11-002700	SV-230981r607691_rule		Medium

Description
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19

Description

Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19

STIG	Date
Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide	2020-12-08

Details

Check Text ( C-33911r592435_chk )
Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow". For COPE: On the Samsung Android device: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding. *** For COBO: On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify that "Notifications" menu is disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Notifications" menu is not disabled, this is a finding.

Check Text ( C-33911r592435_chk )

Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow".

For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Notification and data.
2. Verify that "Show notification content" is disabled.

If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.

***

For COBO: On the Samsung Android device:
1. Open Settings >> Lock screen.
2. Verify that "Notifications" menu is disabled.

If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Notifications" menu is not disabled, this is a finding.

Fix Text (F-33884r592436_fix)
Configure Samsung Android to not display (Work Environment) notifications when the device is locked. On the management tool, in the Work Environment restrictions section, set "Unredacted Notifications" to "Disallow".