
The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.


Overview

Finding ID: V-230996
Version: KNOX-11-017300
Rule ID: SV-230996r607691_rule
IA Controls:
Severity: Medium
Description
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the Administrator or to allowlisted accounts mitigates this vulnerability.

SFR ID: FMT_SMF_EXT.1.1 #47
STIG Date
Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide 2020-12-08

Details

Check Text (C-33926r592480_chk)
Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool:
1. In the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app.
2. Provision the user's email account on their behalf.

For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

For COBO: On the Samsung Android device:
1. Open Settings >> Accounts and backup >> Manage accounts.
2. Verify that no account can be added.
3. Verify that the user's Work email app has been provisioned with the work email account.

If on the management tool "Account Management" is not set to "Disable" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.
Fix Text (F-33899r592481_fix)
Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app.

Refer to the management tool documentation to determine how to provision users’ work email accounts for the work email app.

On the management tool:
1. In the Work Environment restrictions section, set "Account Management" to "Disable" for: Work email app.
2. Provision the user's email account on their behalf.