acceptedSamsung Android 11 with Knox 3.x Legacy Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 20 Nov 20203.2.1.416661.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>PP-MDF-301010<GroupDescription></GroupDescription>KNOX-11-000200Samsung Android must be configured to enforce a minimum password length of six characters.<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.
SFR ID: FMT_SMF_EXT.1.1 #1a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000205Configure Samsung Android to enforce a minimum password length of six characters.
On the management tool:
1. Open the device password policies.
2. Set "minimum password quality" to "Numeric" (or better).
3. Set "minimum password length" to "6".Review Samsung Android device configuration settings to determine if the mobile device is enforcing a minimum password length of six characters.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool:
1. Open the device password policies.
2. Verify "minimum password quality" is set to "Numeric" (or better).
3. Verify "minimum password length" is set to "6".
NOTE: The following text is written assuming a password quality of "Numeric" or "Numeric (Complex)" has been configured. If a password quality of "Alphabetic" (or better) has been configured, substitute the text "PIN" with "Password" and "6 digits" with "6 characters".
On the Samsung Android device:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Tap "PIN".
4. Verify the text "PIN must contain at least", followed by a value of at least "6 digits", appears above the PIN entry.
If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "minimum password length" is not set to "6", or on the Samsung Android device the text "PIN must contain at least" is followed by a value of less than "6 digits", this is a finding.PP-MDF-301020<GroupDescription></GroupDescription>KNOX-11-000400Samsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.
SFR ID: FMT_SMF_EXT.1.1 #1b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366This requirement is not applicable if the password quality is set to Numeric (complex), or better.
Configure Samsung Android to prevent passwords from containing more than two repeating or sequential characters.
On the management tool, in the device password section, set the "maximum sequential numbers" to "2".This requirement is not applicable if the password quality is set to Numeric (complex) or better.
Review Samsung Android configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters.
This validation procedure is performed on both the management tool and the Samsung Android device.
On the management tool, in the device password section, verify the "maximum sequential numbers" is set to "2".
On the Samsung Android device:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Enter current password.
5. Tap "Password".
6. Verify that passwords with two or more sequential numbers are not accepted.
If on the management tool "maximum sequential numbers" is more than "2", or on the Samsung Android device a password with two or more sequential numbers is accepted, this is a finding.PP-MDF-301030<GroupDescription></GroupDescription>KNOX-11-000600Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.<VulnDiscussion>The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.
Satisfies: PP-MDF-301030, PP-MDF-301040
SFR ID: FMT_SMF_EXT.1.1 #2a,
FMT_SMF_EXT.1.1 #2b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000057Configure Samsung Android to lock the device display after 15 minutes (or less) of inactivity.
On the management tool:
1. Open the device password policies.
2. Set "minimum password quality" to "Numeric" (or better).
3. Set the "max time to screen lock" to "15 minutes" or less.Review Samsung Android configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool:
1. Open the device password policies.
2. Verify "minimum password quality" is set to "Numeric" (or better).
3. Verify the "max time to screen lock" is set to "15 minutes" or less.
On the Samsung Android device:
1. Open Settings >> Lock screen.
2. Verify "Secure lock settings" is present and tap it.
3. Enter current password.
4. Tap "Lock automatically".
5. Verify the listed timeout values are 15 minutes or less.
If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device "Secure lock settings" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.PP-MDF-301050<GroupDescription></GroupDescription>KNOX-11-000800Samsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.<VulnDiscussion>The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.
SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000044Configure Samsung Android to allow only 10 or fewer consecutive failed authentication attempts.
On the management tool:
1. Open the device password policies.
2. Set "minimum password quality" to "Numeric" (or better).
3. Set the "max password failures for local wipe" to "10" attempts or less.Review Samsung Android configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts set at 10 or less.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool:
1. Open the device password policies.
2. Verify "minimum password quality" is set to "Numeric" (or better).
3. Verify the "max password failures for local wipe" is set to "10" attempts or less.
On the Samsung Android device:
1. Open Settings >> Lock screen.
2. Verify "Secure lock settings" is present and tap it.
3. Enter current password.
4. Verify that "Auto factory reset" menu is disabled.
If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max password failures for local wipe" is not set to "10" attempts or less, or on the Samsung Android device the "Auto factory reset" menu is not disabled, this is a finding.PP-MDF-301080<GroupDescription></GroupDescription>KNOX-11-001400Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including DoD-approved commercial app repository, management tool server, or mobile application store.<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.
SFR ID: FMT_SMF_EXT.1.1 #8a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-001806Configure Samsung Android to disable unauthorized application repositories.
On the management tool, in the device restrictions section, set "installs from unknown sources" to "Disallow".
NOTE: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.Review Samsung Android configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, management tool server, and/or mobile application store).
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "installs from unknown sources" is set to "Disallow".
On the Samsung Android device:
1. Open Settings >> Apps >> (Overflow menu) >> Special access >> Install unknown apps.
2. Tap (Overflow menu) >> Show system apps.
3. In the "Personal" tab, ensure that each app listed has the status "Disabled" under the app name or that no apps are listed.
4. In the "Work" tab, ensure that each app listed has the status "Disabled" under the app name or that no apps are listed.
If on the management tool "installs from unknown sources" is not set to "Disallow", or on the Samsung Android device an app is listed with a status other than "Disabled", this is a finding.
NOTE: Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received.PP-MDF-301090<GroupDescription></GroupDescription>KNOX-11-001800Samsung Android Work Environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.<VulnDiscussion>The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.
Core application: Any application integrated into the OS by the OS or MD vendors.
Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-001806Configure Samsung Android Work Environment to use an application allowlist.
The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300.
On the management tool, in the Work Environment KPE application section, add each AO-approved app to the "app installation allowlist".
NOTE: Refer to the management tool documentation to determine the following:
- If an application installation denylist is also required to be configured when enforcing an "app installation allowlist"; and
- If the management tool supports adding apps to the "app installation allowlist" by package name and/or digital signature or supports a combination of the two.Review the Samsung Android Work Environment configuration setting to determine if the mobile device has an application allowlist configured. Verify that all applications listed on the allowlist have been approved by the Approving Official (AO).
This validation procedure is performed only on the management tool Administration Console.
On the management tool, in the Work Environment KPE restrictions section, verify that only AO-approved apps are listed in the "app installation allowlist".
If on the management tool the Work Environment "app installation allowlist" contains non-AO-approved apps, this is a finding.PP-MDF-301100<GroupDescription></GroupDescription>KNOX-11-002000The Samsung Android Work Environment allowlist must be configured to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.<VulnDiscussion>Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.
Core application: Any application integrated into the OS by the OS or MD vendors.
Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-001806Configure Samsung Android Work Environment to use an application allowlist to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300.
On the management tool, in the Work Environment application section, before adding an app to the "app installation allowlist", review the app details and privacy policy to ensure the app does not include prohibited characteristics.
NOTE: Refer to the management tool documentation to determine the following:
- If an application installation denylist is also required to be configured when enforcing an "app installation allowlist"; and
- If the management tool supports adding apps to the "app installation allowlist" by package name and/or digital signature or supports a combination of the two.Review Samsung Android Work Environment configuration setting to determine if the application allowlist is configured to not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
The application allowlist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-10-009300.
This validation procedure is performed only on the management tool Administration Console.
On the management tool, in the Work Environment restrictions section, for each approved app on the "app installation allowlist", review the app details and privacy policy to ensure the app does not include prohibited characteristics.
If on the management tool the Work Environment "app installation allowlist" includes apps with unauthorized characteristics, this is a finding.PP-MDF-301110<GroupDescription></GroupDescription>KNOX-11-002400Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).<VulnDiscussion>Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.
SFR ID: FMT_SMF_EXT.1.1 #18h</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-001761Configure Samsung Android to disable all Bluetooth profiles except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP.
On the management tool, in the device Bluetooth section, add each DoD-approved profile UUID to the "Bluetooth UUID allowlist": HFP, HSP, SPP, A2DP, AVRCP, and PBAP.Review Samsung Android configuration settings to determine if all Bluetooth profiles are disabled except for HSP, HFP, SPP, A2DP, AVRCP, and PBAP.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device Bluetooth section, verify that only DoD-approved profile UUIDs are listed in the "Bluetooth UUID allowlist": HFP, HSP, SPP, A2DP, AVRCP, and PBAP.
On the Samsung Android device:
1. Open Settings >> Connections >> Bluetooth.
2. Verify only Bluetooth devices that use DoD-approved profiles are listed.
If on the management tool the "Bluetooth UUID allowlist" contains non-DoD-approved profile UUIDs, or on the Samsung Android device Bluetooth devices that use non-DoD-approved profiles are listed, this is a finding.PP-MDF-301120<GroupDescription></GroupDescription>KNOX-11-002800Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.<VulnDiscussion>Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #19</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-000051Configure Samsung Android to not display (Work Environment) notifications when the device is locked.
This guidance is only applicable to the COPE use case.
On the management tool, in the Work Environment RCP section, set "Show detailed notifications" to "Disallow".Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
This procedure is only applicable to the COPE use case.
On the management tool, in the Work Environment RCP section, verify that "Show detailed notifications" is set to "Disallow".
On the COPE Samsung Android device:
1. Open Settings >> Work profile >> Notification and data.
2. Verify that "Show notification content" is disabled.
If on the management tool "Show detailed notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.
NOTE: For the COBO use case, the API to implement this policy has been impacted by DA deprecation, and no KPE alternative policy is available. If the device is deployed in COBO mode, this requirement is not met and is a permanent finding.PP-MDF-301140<GroupDescription></GroupDescription>KNOX-11-003600Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.<VulnDiscussion>The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.
SFR ID: FMT_SMF_EXT.1.1 #21, #47f</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-001199This requirement is not applicable for devices that do not support removable storage media.
Configure Samsung Android to enable data-at-rest protection for removable media, or alternatively, disable the use of removable storage media.
On the management tool, in the device restrictions section, set "SD Card" to "Disable".This requirement is not applicable for devices that do not support removable storage media.
If the mobile device does not support removable media, this requirement is not applicable.
Review Samsung Android configuration settings to determine if the use of removable storage media is disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "SD Card" is set to "Disable".
On the Samsung Android device, verify that a microSD card cannot be mounted.
NOTE: To mount the microSD card, insert it into the SIM/SD car tray in the slot marked "microSD", and push the tray firmly back into the device. The device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files.
If on the management tool "SD Card" is not set to "Disable", or on the Samsung Android device a microSD card can be mounted, this is a finding.PP-MDF-301150<GroupDescription></GroupDescription>KNOX-11-004000Samsung Android must be configured to disable trust agents.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.<VulnDiscussion>The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.
SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000370CCI-000381CCI-000366Configure Samsung Android to disable Trust Agents.
On the management tool, in the device restrictions section, set "Trust Agents" to "Disable".Review Samsung Android configuration settings to determine if Trust Agents are disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "Trust Agents" are set to "Disable".
On the Samsung Android device:
1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents.
2. Verify that all listed Trust Agents are disabled and cannot be enabled.
If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" can be enabled, this is a finding.PP-MDF-301150<GroupDescription></GroupDescription>KNOX-11-004200Samsung Android must be configured to disable Face Recognition.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.<VulnDiscussion>The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no mobile device biometric reader has been evaluated as meeting the security requirements of the MDFPP or been approved for DoD use on mobile devices. This technology could allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.
SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-000381CCI-000370Configure the Samsung Android to disable Face Recognition.
On the management tool, in the device restrictions section, set "Face" to "Disable".Review Samsung Android configuration settings to determine if Face Recognition is disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "Face" is set to "Disable".
On the Samsung Android device:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Verify that "Face" is disabled and cannot be enabled.
If on the management tool "Face" is not set to "Disable", or on the Samsung Android device "Face" can be enabled, this is a finding.PP-MDF-301170<GroupDescription></GroupDescription>KNOX-11-005200Samsung Android must be configured to disable developer modes.<VulnDiscussion>Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD sensitive information. Disabling developer modes mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #26</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000381Configure Samsung Android to disable developer modes.
On the management tool, in the device restrictions section, set the "Debugging Features" to "Disallow".Review Samsung Android configuration settings to determine whether a developer mode is enabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
For Legacy COPE deployments, this configuration is the default configuration. If the management tool does not provide the capability to enable/disable "debugging features", there is NO finding because the default setting cannot be changed.
On the management tool, in the device restrictions section, verify that "Debugging Features" is set to "Disallow".
On the Samsung Android device:
1. Open "Settings".
2. Verify "Developer options" is not listed.
If on the management tool "Debugging Features" is not set to "Disallow" or on the Samsung Android device "Developer options" is listed, this is a finding.PP-MDF-301200<GroupDescription></GroupDescription>KNOX-11-006400Samsung Android must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.<VulnDiscussion>The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.
System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
For devices with severe character limitations, the banner text is:
I've read & consent to terms in IS user agreem't.
The administrator must configure the banner text exactly as written without any changes.
SFR ID: FMT_SMF_EXT.1.1 #36</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000048Configure the DoD warning banner by either of the following methods (required text is found in the Discussion):
Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).
****
Method #2: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device.
On the management tool, in the device Banner section, set "Banner Text" to the DoD-managed warning banner text.Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
****
Validation Procedure for Method #1: Place the DoD warning banner in the user agreement signed by each Samsung Android device user (preferred method).
Review the signed user agreements for several Samsung Android device users and verify that the agreement includes the required DoD warning banner text.
****
Validation Procedure for Method #2: Configure the warning banner text in the KPE Reboot Banner on each managed mobile device.
On the management tool, in the device Banner section, verify that "Banner Text" is set to the DoD-managed warning banner text.
On the Samsung Android device, verify that after a reboot the required DoD warning banner text is displayed.
****
If the warning text has not been placed in the signed user agreement, or if on the management tool "Banner Text" is not set to the DoD-mandated warning banner text, or on the Samsung Android device the required DoD warning banner text is not displayed after a reboot, this is a finding.PP-MDF-301210<GroupDescription></GroupDescription>KNOX-11-006600Samsung Android must be configured to disable USB mass storage mode.<VulnDiscussion>USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #39a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000381Configure Samsung Android to disable USB mass storage mode.
On the management tool, in the device restrictions section, set "USB file transfer" to "Disallow".Review Samsung Android configuration settings to determine if the mobile device has a USB mass storage mode and if it has been disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "USB file transfer" has been set to "Disallow".
On the PC, browse the mounted Samsung Android device and verify that it does not display any folders or files.
If on the management tool "USB file transfer" is not set to "Disallow", or the PC can mount and browse folders and files on the Samsung Android device, this is a finding.PP-MDF-301220<GroupDescription></GroupDescription>KNOX-11-007000Samsung Android must be configured to not allow backup of all applications, configuration data to locally connected systems.<VulnDiscussion>Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000097Verify "USB file transfer" has been "Disallowed" (see requirement KNOX-11-006600 [Legacy]).Verify requirement KNOX-11-006600 (Disallow USB file transfer) has been implemented.
If "Disallow USB file transfer" has not been implemented, this is a finding.PP-MDF-301230<GroupDescription></GroupDescription>KNOX-11-007400Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (device management backup).
- Disable Backup Services<VulnDiscussion>Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-002338Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (device management backup).
This requirement is inherently met for COPE because data in a work profile cannot be backed up by default.
This guidance is applicable to COBO only.
On the management tool, in the Work Environment restrictions section, set "Backup service" to "Disallow".Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled.
This requirement is inherently met for COPE because data in a "Profile/Workspace" cannot be backed up by default.
This procedure is applicable to COBO only.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the Work Environment restrictions section, verify that "Backup service" is set to "Disallow".
On the COBO Samsung Android device:
1. Open Settings >> Accounts and backup.
2. Verify that any backup service listed cannot be configured to back up data.
If on the management tool "Backup service" is not set to "Disallow", or on the Samsung Android device a listed backup service can be configured to back up data, this is a finding.PP-MDF-301230<GroupDescription></GroupDescription>KNOX-11-007600Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (account management backup).
- Disable Data Sync<VulnDiscussion>Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-002338Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (account management backup).
On the management tool:
1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for Samsung accounts and Google accounts.
2. In the Work Environment, do not approve any app that uses accounts for data backup/sync.Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool:
1. In the Work Environment Account section, verify that "Account Addition Denylist" is set to "Denylist all" for Samsung accounts and Google accounts.
2. In the Work Environment, verify that no app that uses accounts for data backup/sync is approved.
For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.
For COBO: On the Samsung Android device:
1. Open Settings >> Accounts and backup >> Manage accounts
2. Verify that accounts are grayed out, or an account cannot be added.
If on the management tool "Account Addition Denylist" is not set to "Denylist all" for Samsung accounts and Google accounts, or on the Samsung Android device an account can be added, this is a finding.PP-MDF-301240<GroupDescription></GroupDescription>KNOX-11-008200Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.<VulnDiscussion>If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk.
Application note: If hotspot functionality is permitted, it must be authenticated via a pre-shared key. There is no requirement to enable hotspot functionality.
SFR ID: FMT_SMF_EXT.1.1 #41a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-002314Configure Samsung Android to enable authentication of personal hotspot connections to the device using a pre-shared key.
On the management tool, in the device Wi-Fi section, set "Unsecured hotspot" to "Disallow".Review Samsung Android configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a pre-shared key.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device Wi-Fi section, verify that "Unsecured hotspot" is set to "Disallow".
On the Samsung Android device:
1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot >> Edit.
2. Tap option "Open" in the "Security" drop-down box.
3. Verify that "Save" is disabled.
If on the management tool "Unsecured hotspot" is not set to "Disallow", or on the Samsung Android device "Open" can be selected in the "Security" drop-down box and the configuration can be saved, this is a finding.PP-MDF-301260<GroupDescription></GroupDescription>KNOX-11-009000Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes.
- Disable Move files to personal<VulnDiscussion>App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk.
Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-002191Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only.
On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow".
NOTE: "Move files to workspace" may be configured if there is a DoD mission need for this feature.Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.
This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable to COPE only.
This procedure is performed on the management tool Administration console only.
This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed.
On the management tool, in the Work Environment RCP section, verify "Move files to personal" is set to "Disallow".
If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding.
If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.PP-MDF-301260<GroupDescription></GroupDescription>KNOX-11-009200Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes.
- Disable Copy and Paste data<VulnDiscussion>App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk.
Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-002191Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
This guidance is for disabling the sharing of clipboard data from the Work Environment to the Personal Environment and is applicable to COPE only.
On the management tool, in the Work Environment RCP section, set "Sharing clipboard to personal" to "Disallow".Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.
This procedure is for verifying that the sharing of clipboard data from the Work Environment to the Personal Environment is disabled and is applicable to COPE only.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the Work Environment RCP section, verify that "Sharing clipboard to personal" is set to "Disallow".
On the Samsung Android device:
1. Using any Work Environment app, copy text to the clipboard.
2. Using any Personal Environment app, verify that the clipboard text cannot be pasted.
If on the management tool the "Sharing clipboard to personal" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal Environment app, this is a finding.PP-MDF-301260<GroupDescription></GroupDescription>KNOX-11-009400Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes.
- Disable Sync Calendar to personal<VulnDiscussion>App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk.
Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-002191Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
This guidance is for disallowing Calendar events created in the Work Environment from being displayed in the Personal Environment Calendar and is applicable to COPE only.
On the management tool, in the Work Environment RCP section, set "Sync calendar to personal" to "Disallow".Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.
This procedure is for verifying that Calendar events created in the Work Environment are disallowed from being displayed in the Personal Environment Calendar and is applicable to COPE only.
This procedure is performed on the management tool Administration console only.
On the management tool, in the Work Environment RCP section, verify that "Sync calendar to personal" is set to "Disallow".
On the COPE Samsung Android device:
1. Open Settings >> Work profile >> Notifications and data.
2. Verify that "Export to personal calendar" is disabled and cannot be enabled.
If on the management tool the "Sync calendar to personal" is not set to "Disallow", or on the Samsung Android device "Export to personal calendar" is enabled or can be enabled, this is a finding.PP-MDF-301280<GroupDescription></GroupDescription>KNOX-11-009800Samsung Android must be configured to disable multi-user modes (tablets only).<VulnDiscussion>NOTE: This requirement is only applicable to Samsung tablets.
Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies.
SFR ID: FMT_SMF_EXT.1.1 #47b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-002110Configure Samsung Android to disable multi-user modes.
On the management tool, in the device Multiuser section, set "Multi-user mode" to "Disallow".Review Samsung Android configuration settings to determine if multi-user mode is disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device Multiuser section, verify that "Multi-user mode" is set to "Disallow".
On the Samsung Android device, open Settings and verify that the "User" setting is not listed.
If on the management tool "Multi-user mode" is not set to "Disallow", or on the Samsung Android device the "User" setting is available, this is a finding.PP-MDF-302490<GroupDescription></GroupDescription>KNOX-11-014000Samsung Android must [not accept the certificate] when it cannot establish a connection to determine the validity of a certificate.<VulnDiscussion>Certificate-based security controls are dependent on the ability of the system to verify the validity of a certificate. If the MOS were to accept an invalid certificate, it could take unauthorized actions, resulting in unanticipated outcomes. At the same time, if the MOS were to disable functionality when it could not determine the validity of the certificate, this could result in a denial of service. Therefore, the ability to provide exceptions is appropriate to balance the tradeoff between security and functionality. Always accepting certificates when they cannot be determined to be valid is the most extreme exception policy and is not appropriate in the DoD context. Involving an Administrator or user in the exception decision mitigates this risk to some degree.
SFR ID: FIA_X509_EXT_2.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000185Implement CC Mode (see requirement KNOX-11-020200).Verify requirement KNOX-11-020200 (CC Mode) has been implemented.
If CC Mode has not been implemented, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-017400The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.<VulnDiscussion>If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the Administrator or to allowlisted accounts mitigates this vulnerability.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app.
Refer to the management tool documentation to determine how to provision users’ work email accounts for the work email app.
On the management tool:
1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for: Work email app.
2. Provision the user's email account on their behalf.Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool:
1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for: Work email app.
2. Provision the user's email account on their behalf.
For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.
For COBO: On the Samsung Android device:
1. Open Settings >> Accounts and backup >> Manage accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.
If on the management tool "Account Addition Denylist" is not set to "Denylist all" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-017800Samsung Android Personal Environment must be configured to enforce the system application disable list.<VulnDiscussion>The system application disable list controls user access/execution of all core and pre-installed applications.
Core application: Any application integrated into Samsung Android by Google or Samsung.
Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier.
Some system applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information.
The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure the Samsung Android device to enforce the system application disable list.
This guidance is only for the Personal Environment of a COPE deployment.
On the management tool, in the device application section, add all non-AO-approved system app packages to the "system app disable list".Review Samsung Android Personal Environment configuration settings to determine if the system application disable list is enforced.
This procedure is only for the Personal Environment of a COPE deployment.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO).
On the Samsung Android device, review the Personal Environment apps and confirm that only approved core and preinstalled app are listed.
If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-018000Samsung Android Work Environment must be configured to enforce the system application disable list.<VulnDiscussion>The system application disable list controls user access/execution of all core and pre-installed applications.
Core application: Any application integrated into Samsung Android by Google or Samsung.
Pre-installed application: Additional non-core applications included in the Samsung Android build by Google, Samsung, or the wireless carrier.
Some system applications can compromise DoD data or upload user's information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information.
The site Administrator must analyze all pre-installed applications on the device and disable all applications not approved for DoD use by configuring the system application disable list.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android Work Environment to enforce the system application disable list.
On the management tool, in the Work Environment application section, add all non-AO-approved system app packages to the "system app disable list".Review Samsung Android Work Environment configuration settings to determine if the system application disable list is enforced.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the Work Environment application section, verify that the "system app disable list" contains all apps that have not been approved for DoD use by the Authorizing Official (AO).
On the Samsung Android device, review the Work Environment apps and confirm that only apps that have been approved for DoD use by the Authorizing Official (AO) are listed.
If on the management tool the "system app disable list" contains non-approved core and preinstalled apps, or on the Samsung Android device non-approved apps are listed, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-018400Samsung Android must be configured to enable audit logging.<VulnDiscussion>Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security.
SFR ID: FAU_GEN.1.1 #8</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android to enable audit logging.
On the management tool, in the device audit log section, set "Audit log" to "Enable".Review Samsung Android device configuration settings to confirm that audit logging is enabled.
This validation procedure is performed on the management tool Administration Console only.
On the management tool, for the device audit log section, verify that "Audit log" is set to "Enable".
If on the management tool the "Audit log" is not set to "Enable", this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-018600Samsung Android must be enrolled as a COPE/COBO device.<VulnDiscussion>The Knox Workspace is the designated application group for the COPE use case.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Enroll the Samsung Android device in a DoD-approved use case by either of the following methods:
Method #1: Legacy managed with Legacy Workspace (COPE)
On the management tool, configure the default enrollment as "Legacy managed with Legacy Workspace".
****
Method #2: Legacy managed (COBO)
On the management tool, configure the default enrollment as "Legacy managed".
****
Refer to the management tool documentation to determine how to configure the device enrollment.Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
****
Method #1: Legacy managed with Legacy Workspace (COPE)
On the management tool, verify that the default enrollment is set to "Legacy managed with Legacy Workspace".
On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that a "Personal" and "Workspace" tab are present.
If on the management tool the default enrollment is not set as "Legacy managed with Legacy Workspace", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.
****
Method #2: Legacy managed (COBO)
On the management tool, verify that the default enrollment is set as "Legacy managed".
On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
If on the management tool the default enrollment is not set as "Legacy managed" or the management tool Agent is not listed, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-019000Samsung Android device users must complete required training.<VulnDiscussion>The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record.
Training topics:
- Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking.
- Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email).
- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable.
- How to configure the following UBE controls (users must configure the control) on the Samsung device:
1. Secure use of Calendar Alarm.
2. Local screen mirroring and MirrorLink procedures (authorized/not authorized for use).
3. Do not connect Samsung devices (either via DeX Station or dongle) to any DoD network via Ethernet connection.
4. Do not upload DoD contacts via smart call and caller ID services.
5. Disable Wi-Fi Sharing.
6. Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space.
- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.Review a sample of site User Agreements of Samsung device users or similar training records and training course content.
Verify that Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO.
If any Samsung device user has not completed required training, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-020200Samsung Android must be configured to enable Knox CC Mode.<VulnDiscussion>The KPE CC Mode feature is a superset of other features and behavioral changes that are mandatory MDFPP requirements. If CC mode is not implemented the device will not be operating in the NIAP-certified compliant CC Mode of operation.
CC Mode implements the following behavioral/functional changes to meet MDFPP requirements:
- Download Mode is disabled and all updates will occur via FOTA only.
In addition, CC Mode adds new restrictions, which are not to meet MDFPP requirements, but to offer better security above what is required:
- Force password info following FOTA update for consistency.
- Disable Remote unlock by FindMyMobile.
- Restrict biometric attempts to 10 for better security.
- Support Android CommonCriteria mode API implementation which secures BT and Wi-Fi keys.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android to enable KPE CC Mode.
On the management tool, in the device restrictions section, set "CC mode" to "Enable".Review Samsung Android configuration settings to determine if KPE CC Mode is enabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "CC mode" is set to "Enable".
On the Samsung Android device, put the device into "Download mode" and verify that the text "Blocked by CC Mode" is displayed on the screen.
If on the management tool "CC mode" is not set to "Enable", or on the Samsung Android device the text "Blocked by CC Mode" is not displayed in "Download mode", this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-020600Samsung Android must be configured to disallow configuration of Date Time.<VulnDiscussion>Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events.
Periodically synchronizing internal clocks with an authoritative time source is needed to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), the Global Positioning System (GPS), or the wireless carrier.
Time stamps generated by the audit system in Samsung Android must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android to disallow configuration of the date and time.
On the management tool, in the device Date Time section, set "Date Time Change" to "Disable".Review Samsung Android configuration settings to determine if the configuration of the date and time is disallowed.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device Date Time section, verify that "Date Time Change" is set to "Disable".
On the Samsung Android device:
1. Open Settings >> General management >> Date and time.
2. Verify that "Automatic data and time" is on and the user cannot disable it.
If on the management tool "Date Time Change" is not set to "Disable", or on the Samsung Android device "Automatic date and time" is not set or the user can disable it, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-021000Samsung Android must be configured to enforce a USB host mode exception list.
NOTE: This configuration allows DeX mode (with input devices), which is DoD-approved for use.<VulnDiscussion>The USB host mode feature allows USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. The USB host mode exception list allows selected USB devices to operate, while disallowing others, based on their USB device class.
With some USB device classes, a user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. However, some USB device classes do not allow data to be copied, such as Human Interface Devices (HID).
Disabling all USB devices except for HID mitigates the risk of compromising sensitive DoD data.
This allows for DeX mode to be used, with a USB keyboard and mouse, without compromising DoD data.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android with a USB host mode exception list, or alternatively, disable the use of USB host mode.
On the management tool, in the device restrictions section, add the "HID" USB class to the "USB host mode exception list".Review Samsung Android device configuration settings to determine if USB host mode exception list is configured, or alternatively, if USB host mode is disabled.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the device restrictions section, verify that "HID" is the only USB class included in the "USB host mode exception list".
On the Samsung Android device:
1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device.
2. Connect a USB thumb drive to the adapter.
3. Verify that the device cannot access the USB thumb drive.
If on the management tool the "USB host mode exception list" includes a USB class other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-021400Samsung Android Work Environment must be configured to enforce that Share Via List is disabled.<VulnDiscussion>The "Share Via List" feature allows the transfer of data between nearby Samsung devices via Android Beam, Wi-Fi Direct, Link Sharing, and Share to Device. If sharing were enabled, sensitive DoD data could be compromised.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android Work Environment to disallow Share Via List.
On the management tool, in the Work Environment restrictions section, set "Share Via List" to "Disallow".
NOTE: Disabling Share Via List will also disable functionality such as Gallery Sharing and Direct Sharing.Review Samsung Android Work Environment configuration settings to determine if Share Via List is disallowed.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the Work Environment restrictions section, verify that "Share Via List" is set to "Disallow".
On the Samsung Android device, attempt to share by long pressing a file in the Work Environment and tapping "Share".
If on the management tool "Share Via List" is not set to "Disallow", or on the Samsung Android device the user is able to share, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-021800Samsung Android must be configured to disallow outgoing beam.<VulnDiscussion>Outgoing beam allows transfer of data through NFC and Bluetooth by touching two unlocked devices together. If it were enabled, sensitive DoD data could be transmitted.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android to disallow outgoing beam.
This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated.
This guidance is applicable to COBO only.
On the MDM console, in the Work Environment restrictions section, set "outgoing beam" to "disallow".Review Samsung Android Work Environment configuration settings to verify that outgoing beam is disallowed.
This requirement is inherently met for COPE as outgoing beam in a "Profile/Workspace" cannot be initiated.
This validation procedure is applicable to COBO only.
This procedure is performed on both the MDM Administration console and the Samsung Android device.
On the MDM console, in the Work Environment restrictions section, verify that "disallow outgoing beam" is selected.
On the Samsung Android device, open a picture, contact, or web page and put it back to back with an unlocked outgoing beam-enabled device. Verify that outgoing beam cannot be started.
If on the MDM console "outgoing beam" is not set to "disallow", or on the Samsung Android device the user is able to successfully start outgoing beam, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-022200Samsung Android Work Environment must be configured to enforce that Wi-Fi Sharing is disabled.<VulnDiscussion>Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection.
Wi-Fi Sharing grants the "other" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a pre-shared key for personal hotspots.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android to disable Wi-Fi Sharing.
Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the management tool, the following guidance is not applicable.
On the Samsung Android device:
1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot.
2. Disable "Wi-Fi sharing" if it is enabled.Review Samsung Android device configuration settings to confirm that Wi-Fi Sharing is disabled.
Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been verified as disabled on the management tool, the following guidance is not applicable.
This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement.
On the Samsung Android device:
1. Open Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot.
2. Verify that "Wi-Fi sharing" is disabled.
If on the Samsung Android device "Wi-Fi sharing" is enabled, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-022600Samsung Android Work Environment must be configured to enable Certificate Revocation checking.<VulnDiscussion>A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate.
Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using CRLs. When OCSP is enabled, it is used prior to CRL checking. If OCSP could not obtain a decisive response about a certificate, it will then try to use CRL checking. The OCSP response server must be listed in the certificate information under Authority Info Access.
This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure Samsung Android Work Environment to enable Certificate Revocation checking by either of the following methods:
Method #1: CRL Checking
On the management tool, in the Work profile certificate section, set "Revocation check" to "enable for all apps".
****
Method #2: OCSP with CRL Fallback
On the management tool:
1. In the Work profile certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile restrictions section, set "OCSP check" to "enable for all apps".
****
Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.
This validation procedure is performed on the management tool Administration Console only.
****
Validation Procedure for Method #1: CRL Checking
On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".
If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding.
****
Validation Procedure for Method #2: OCSP with CRL Fallback
On the management tool:
1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps".
If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-023000Samsung Android Work Environment must have the DoD root and intermediate PKI certificates installed.<VulnDiscussion>DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Configure the Samsung Android Work Environment to install DoD root and intermediate PKI certificates.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet).
On the management tool, in the Work Environment certificate section, install the DoD root and intermediate PKI certificates.Review Samsung Android Work Environment configuration settings to determine if the DoD root and intermediate PKI certificates are installed.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at https://cyber.mil/pki-pke (for NIPRNet).
On the management tool, in the Work Environment certificate section, verify that the DoD root and intermediate PKI certificates are installed.
On the Samsung Android device:
1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.
2. In the User tab, verify that the DoD root and intermediate PKI certificates are listed in the Work Environment.
If on the management tool the DoD root and intermediate PKI certificates are not listed in the Work Environment, or on the Samsung Android device the DoD root and intermediate PKI certificates are not listed in the Work Environment, this is a finding.PP-MDF-992000<GroupDescription></GroupDescription>KNOX-11-023200Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.<VulnDiscussion>DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DoD root and intermediate PKI certificates to the Administrator mitigates this risk.
SFR ID: FMT_MOF_EXT.1.2 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366CCI-000370Configure Samsung Android Work Environment to prevent a user from removing DoD root and intermediate PKI certificates.
On the management tool, in the Work Environment restrictions section, set "User Remove Certificates" to "Disallow".Review Samsung Android Work Environment configuration settings to determine if the user is unable to remove DoD root and intermediate PKI certificates.
This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.
On the management tool, in the Work Environment restrictions section, verify "User Remove Certificates" is set to "Disallow".
On the Samsung Android device:
1. Open Settings >> Biometrics and security >> Other security settings >> View security certificates.
2. In the System tab, verify that no listed certificate in the Work Environment can be untrusted.
3. In the User tab, verify that no listed certificate in the Work Environment can be removed.
If on the management tool the device "User Remove Certificates" is not set to "Disallow", or on the Samsung Android device a certificate can be untrusted or removed, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-11-023400The Samsung Android device must have the latest available Samsung Android operating system (OS) installed.<VulnDiscussion>Required security features are not available in earlier OS versions. In addition, earlier versions may have known vulnerabilities.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android 11 Knox 3.x LegacyDISADPMS TargetSamsung Android 11 Knox 3.x Legacy5248CCI-000366Install the latest released version of Samsung Android OS on all managed Samsung devices.
NOTE: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).Review Samsung Android device configuration settings to confirm that the most recently released version of Samsung Android is installed.
This procedure is performed on both the management tool and the Samsung Android device.
In the management tool management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the management tool product. See the notes below to determine the latest available OS version.
On the Samsung Android device, to see the installed OS version:
1. Open Settings.
2. Tap "About phone".
3. Tap "Software information".
If the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding.
NOTE: Some wireless carriers list the version of the latest Android OS release by mobile device model online:
ATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung
T-Mobile: https://support.t-mobile.com/docs/DOC-34510
Verizon Wireless: https://www.verizonwireless.com/support/software-updates/
Google Android OS patch website: https://source.android.com/security/bulletin/
Samsung Android OS patch website: https://security.samsungmobile.com/securityUpdate.smsb