Samsung Android must be configured to disable multi-user modes (tablets only).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-99959	KNOX-10-005000	SV-109063r1_rule		Medium

Description
Note: This requirement is only applicable to Samsung tablets. Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies. SFR ID: FMT_SMF_EXT.1.1 #47b

Description

Note: This requirement is only applicable to Samsung tablets. Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies. SFR ID: FMT_SMF_EXT.1.1 #47b

STIG	Date
Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide	2020-03-24

Details

Check Text ( C-98809r1_chk )
Review Samsung Android configuration settings to determine if multi-user mode is disabled. KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool, in the device KPE Multiuser section, verify that "Multi-user mode" is set to "Disallow". On the Samsung Android device, open Settings and verify that the "User" setting is not listed. If on the management tool "Multi-user mode" is not set to "Disallow", or on the Samsung Android device the "User" setting is available, this is a finding.

Check Text ( C-98809r1_chk )

Review Samsung Android configuration settings to determine if multi-user mode is disabled.

KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device KPE Multiuser section, verify that "Multi-user mode" is set to "Disallow".

On the Samsung Android device, open Settings and verify that the "User" setting is not listed.

If on the management tool "Multi-user mode" is not set to "Disallow", or on the Samsung Android device the "User" setting is available, this is a finding.

Fix Text (F-105643r1_fix)
Configure Samsung Android to disable multi-user modes. KPE(Legacy) deployments only: For KPE(AE) deployments this requirement is inherently met. On the management tool, in the device KPE Multiuser section, set "Multi-user mode" to "Disallow".