Samsung Android must be enrolled as a COPE/COBO device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-231000	KNOX-11-018500	SV-231000r607691_rule		Medium

Description
The Knox Workspace is the designated application group for the COPE use case. SFR ID: FMT_SMF_EXT.1.1 #47

STIG	Date
Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide	2020-12-08

Details

Check Text ( C-33930r592492_chk )
Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. ** Validation Procedure for Method #1: Work profile for company-owned devices (COPE) On the management tool, verify that the default enrollment is set to "Work profile for company-owned devices". On the Samsung Android device: 1. Open Settings >> Work profile >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. 3. Go to the app drawer. 4. Verify that a "Personal" and "Work" tab are present. If on the management tool the default enrollment is not set as "Work profile for company-owned devices", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding. Validation Procedure for Method #2: Fully Managed (COBO) On the management tool, verify that the default enrollment is set as "Fully managed". On the Samsung Android device: 1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps. 2. Verify that the management tool Agent is listed. ** If on the management tool the default enrollment is not set as "Fully managed", or the management tool Agent is not listed, this is a finding.

Check Text ( C-33930r592492_chk )

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Validation Procedure for Method #1: Work profile for company-owned devices (COPE)

On the management tool, verify that the default enrollment is set to "Work profile for company-owned devices".

On the Samsung Android device:
1. Open Settings >> Work profile >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that a "Personal" and "Work" tab are present.

If on the management tool the default enrollment is not set as "Work profile for company-owned devices", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.

****

Validation Procedure for Method #2: Fully Managed (COBO)

On the management tool, verify that the default enrollment is set as "Fully managed".

On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.

****

If on the management tool the default enrollment is not set as "Fully managed", or the management tool Agent is not listed, this is a finding.

Fix Text (F-33903r592493_fix)
Enroll the Samsung Android device in a DoD-approved use case by either of the following methods: Method #1: Work profile for company-owned devices (COPE) On the management tool, configure the default enrollment as "Work profile for company-owned devices". ** Method #2: Fully Managed (COBO) On the management tool, configure the default enrollment as "Fully managed". ** Refer to the management tool documentation to determine how to configure the device enrollment.

Fix Text (F-33903r592493_fix)

Enroll the Samsung Android device in a DoD-approved use case by either of the following methods:

Method #1: Work profile for company-owned devices (COPE)

On the management tool, configure the default enrollment as "Work profile for company-owned devices".

****

Method #2: Fully Managed (COBO)

On the management tool, configure the default enrollment as "Fully managed".

****

Refer to the management tool documentation to determine how to configure the device enrollment.