{
"stig": {
"date": "2016-02-24",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. \n",
"findings": {
"V-61153": {
"checkid": "C-62109r1_chk",
"checktext": "Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once.\n\nIf it is found compliant on the first check, it is also compliant here.\n\nIf it is determined to be a finding on first check, it is also a finding here.\n\nRedundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"CC Mode\" settings in the \"Android Restrictions\" rule.\n2. Verify the value is enabled.\n\nNote: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"About Device\".\n3. Verify the value of \"Security software version\" displays \"Enforced\".\n\nIf the CC mode setting is not enabled, or if the \"Security software version\" on the device does not display \"Enforced\", this is a finding.",
"description": "Unapproved cryptographic algorithms cannot be relied upon to provide confidentiality or integrity, and DoD data could be compromised as a result. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS 140-2 validation is also a strict requirement for use of cryptography in the Federal Government for protecting unclassified data.\n\nSFR ID: FCS",
"fixid": "F-67013r1_fix",
"fixtext": "Configure the mobile operating system to use a FIPS 140-2 validated cryptographic module.\n\nConfigure the operating system to enable CC mode.\n\nOn the MDM Administration Console, enable the \"CC mode\" setting in the \"Android Restrictions\" rule.\n\nIf this setting is not available on the console, install the CC mode APK, and enable CC mode from this application.\nThis APK will be made available by Samsung.",
"iacontrols": null,
"id": "V-61153",
"ruleID": "SV-75633r1_rule",
"severity": "medium",
"title": "All mobile operating system cryptography supporting DoD functionality must be FIPS 140-2 validated.",
"version": "KNOX-30-000100"
},
"V-61157": {
"checkid": "C-62113r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Storage Encryption\" check box in the \"Android Restrictions\" rule. (**)\n2. Verify the \"Storage Encryption\" check box is selected. \n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Security\". \n3. Verify \"Encrypt device\" is grayed out and \"Encrypted\" is displayed.\n4. Select \"Encrypt external SD card\".\n5. Verify \"The encryption policy has been applied\" is displayed at the bottom of the screen.\n\nNote: If no SD card is inserted, Step 5 should display \"SD card is not inserted\" at the bottom of the screen.\n\nIf the specified encryption settings are not set to the appropriate values, this is a finding.\n(**) On some MDM vendor consoles, \"Storage Encryption\" enables both internal and external storage encryption.",
"description": "The MOS must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.\n\nSFR ID: FMT_SMF_EXT.1.1 #25",
"fixid": "F-67017r3_fix",
"fixtext": "Configure the MOS to enable data-at-rest protection for built-in storage media.\n\nConfigure the OS to encrypt all data at rest on the mobile device.\n\nOn the MDM Administration Console, check the \"Storage Encryption\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61157",
"ruleID": "SV-75637r1_rule",
"severity": "high",
"title": "The Samsung Knox for Android platform must protect data at rest on built-in storage media.",
"version": "KNOX-30-004400"
},
"V-61159": {
"checkid": "C-62115r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Storage Encryption\" and \"External Storage Encryption\" check boxes in the \"Android Restrictions\" rule. (**) \n2. Verify the \"Storage Encryption\" and \"External Storage Encryption\" check boxes are selected. \n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Security\". \n3. Verify \"Encrypt device\" is grayed out and \"Encrypted\" is displayed.\n4. Select \"Encrypt external SD card\".\n5. Verify \"The encryption policy has been applied\" is displayed at the bottom of the screen.\n\nNote: If no SD card is inserted, Step 5 should display \"SD card is not inserted\" at the bottom of the screen.\n\nIf the specified encryption settings are not set to the appropriate values, this is a finding.\n(**) On some MDM vendor consoles, \"Storage Encryption\" enables both internal and external storage encryption.",
"description": "The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.\n\nSFR ID: FMT_SMF_EXT.1.1 #26",
"fixid": "F-67019r1_fix",
"fixtext": "Configure the MOS to enable data-at-rest protection for removable media.\n\nConfigure the OS to encrypt all data at rest on the mobile device.\n\nOn the MDM Administration Console, select the \"Storage Encryption\" and \"External Storage Encryption\" check boxes in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61159",
"ruleID": "SV-75639r1_rule",
"severity": "high",
"title": "The Samsung Knox for Android platform must protect data at rest on removable storage media.",
"version": "KNOX-30-004410"
},
"V-61161": {
"checkid": "C-62117r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Min Length\" setting in the \"Android Password Restrictions\" rule. \n2. Verify the value of the setting is the same as or greater than the required length.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Lock screen\".\n3. Select \"Screen lock\".\n4. Enter the current password.\n5. Select Password.\n6. Attempt to enter a password with fewer characters than the required length.\n7. Verify the password is not accepted.\n\nIf the configured value of the \"Min Length\" setting is less than the required length or if the device accepts a password shorter than the required length, this is a finding.\n\n(**) When device encryption is enabled, Samsung Knox for Android automatically enforces a minimum length of 6.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.\n\nSFR ID: FMT_SMF_EXT.1.1 #01a",
"fixid": "F-67021r1_fix",
"fixtext": "Configure the MOS to enforce a minimum password length of 6 characters.\n\nOn the MDM Administration Console, set the \"Min Length\" value to 6 or greater in the \"Android Password Restrictions\" rule.\n\n(**) When device encryption is enabled (always enabled by the DoD configuration), Samsung Knox for Android automatically enforces a minimum length of 6.",
"iacontrols": null,
"id": "V-61161",
"ruleID": "SV-75641r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must enforce a minimum password length of 6 characters.",
"version": "KNOX-34-008700"
},
"V-61163": {
"checkid": "C-62119r1_chk",
"checktext": "This validation procedure is performed only on the MDM Administration Console.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Maximum Failed Attempts\" field in the \"Android Password Restrictions\" rule for the device unlock password.\n2. Verify the value of the setting is 10 or less.\n\nThis configuration is not available on the Samsung Knox for Android device.\n\nIf the \"Maximum Failed Attempts\" field in the \"Android Password Restrictions\" rule for the device unlock password is not set to 10 or less, this is a finding.",
"description": "The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.\n\nSFR ID: FMT_SMF_EXT.1.1 #02",
"fixid": "F-67023r1_fix",
"fixtext": "Configure the MOS to allow only 10 or less consecutive failed authentication attempts.\n\nOn the MDM Administration Console, set the \"Maximum Failed Attempts\" to 10 or less in the \"Android Password Restrictions\" rule for the device unlock password.",
"iacontrols": null,
"id": "V-61163",
"ruleID": "SV-75643r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must not allow more than 10 consecutive failed authentication attempts.",
"version": "KNOX-34-008900"
},
"V-61165": {
"checkid": "C-62121r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Max Time to Lock\" setting in the \"Android Password Restrictions\" rule. \n2. Verify the value of the setting is 15 minutes or less.\n\nOn the Samsung Knox for Android device:\n1. Unlock the device. \n2. Refrain from performing any activity on the device for 15 minutes. \n3. Verify the device requires the user to enter the device unlock password to access the device.\n\nNote: Max time to lock is the sum of the display screen timeout and the lock screen delay on the device. On MDM configuration, the device makes a choice for these settings so that the sum is 15 minutes or less.\n\nIf the user does not have to unlock the device after 15 minutes of inactivity, this is a finding.",
"description": "The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.\n\nSFR ID: FMT_SMF_EXT.1.1 #01b",
"fixid": "F-67025r1_fix",
"fixtext": "Configure the MOS to lock the device display after 15 minutes (or less) of inactivity.\n\nOn the MDM Administration Console, configure the \"Max Time to Lock\" option to 15 minutes in the \"Android Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61165",
"ruleID": "SV-75645r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must lock the display after 15 minutes (or less) of inactivity.",
"version": "KNOX-34-012100"
},
"V-61167": {
"checkid": "C-62123r1_chk",
"checktext": "This check procedure is performed on both the MDM Administration Console and the Samsung Knox device.\n\nCheck that the appropriate setting is configured on the MDM Administration Console.\n1. Ask the MDM administrator to display the \"Max Time to Lock\" setting in the \"Android Knox Container -> Container Password Restrictions\" rule. \n2. Verify the value of the setting is the organization-defined value (15 min) or less.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Refrain from using the Knox Container for 15 min.\n3. Verify the selected value is the organization-defined value (15 min) or less.\n\nIf the selected value is larger than 15 min, or if the Knox Container does not lock after 15 min, this is a finding.",
"description": "The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate, depending on the risks posed to the mobile device.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67027r1_fix",
"fixtext": "Configure the OS to initiate a session lock after a time period of inactivity.\n\nConfigure the mobile operating system to lock the device after no more than 15 minutes of inactivity.\n\nOn the MDM Console, set the \"Max Time to Lock\" to the organization-defined value (15 min) in the \"Android Knox Container -> Container Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61167",
"ruleID": "SV-75647r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Lock the container display after 15 minutes (or less) of inactivity.",
"version": "KNOX-34-012110"
},
"V-61169": {
"checkid": "C-62125r1_chk",
"checktext": "Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the first of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nOn the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Enable Google Play\" setting in the \"Android Restrictions\" rule. \n2. Verify it is disabled. \n\nOn the Samsung Knox for Android device:\n1. Attempt to locate the \"Google Play\" application.\n2. Verify it is not present on the device. \n\nIf the \"Enable Google Play\" setting is not disabled, or if a user can successfully launch Google Play on the device, this is a finding.",
"description": "Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10a",
"fixid": "F-67029r1_fix",
"fixtext": "Configure the MOS to disable unauthorized application repositories.\n\nConfigure the OS to disable Google Play.\nOn the MDM Administration Console, disable \"Enable Google Play\" in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61169",
"ruleID": "SV-75649r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must enforce an application installation policy by specifying one or more authorized application repositories: Disable Google Play.",
"version": "KNOX-35-009000"
},
"V-61171": {
"checkid": "C-62127r1_chk",
"checktext": "Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nOn the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Allow Unknown Sources\" settings in the \"Android Restrictions\" rule. \n2. Verify it is disabled. \n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Security\".\n3. Attempt to enable \"Unknown sources\".\n4. Verify it cannot be enabled.\n\nIf the \"Enable Google Play\" setting is not disabled, or if a user can successfully enable \"Unknown sources\" on the device, this is a finding.",
"description": "Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10a",
"fixid": "F-67031r1_fix",
"fixtext": "Configure the MOS to disable unauthorized application repositories.\n\nConfigure the mobile operating system to disable application installations from unknown sources. \n\nOn the MDM Administration Console, disable \"Allow Unknown Sources\" in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61171",
"ruleID": "SV-75651r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must enforce an application installation policy by specifying one or more authorized application repositories: Disable unknown sources.",
"version": "KNOX-35-009010"
},
"V-61173": {
"checkid": "C-62129r1_chk",
"checktext": "This validation procedure is performed on the MDM Administration Console.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the list of white-listed applications in the \"Android Applications\" rule. \n2. Verify the list of white-listed applications has been approved by the Approving Official (AO). \n\nNote: Refer to the Supplemental document for additional information. \n\nNote: This list can be empty if no applications have been approved.\n\nIf any of the white-listed applications on the MDM Administration Console have not been approved by the AO, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nThe application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10b",
"fixid": "F-67033r1_fix",
"fixtext": "Configure the MOS to use an application whitelist.\n\nOn the MDM Administration Console, configure the list of white-listed applications in the \"Android Applications\" rule and ensure only AO-approved applications are on the list. \n\nNote: This list can be empty if no applications have been approved. \n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61173",
"ruleID": "SV-75653r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must enforce an application installation policy by specifying an application whitelist.",
"version": "KNOX-35-009100"
},
"V-61175": {
"checkid": "C-62131r1_chk",
"checktext": "This check procedure is performed on both the MDM Administration Console and the Samsung Knox device.\n\nCheck that the appropriate setting is configured on the MDM Administration Console.\n1. Ask the MDM administrator to display the \"Disable Developer Mode\" settings in the \"Android Restrictions\" rule. \n2. Verify that the \"Disable Developer Mode\" setting is enabled.\n\nNote: Disabling Developer Mode will also disable USB Debugging and Mock locations.\n\nOn the Samsung Knox for Android Device:\n1. Open the device settings.\n2. Select \"Developer options\". (**)\n3. Attempt to enable \"Developer options\".\n\nIf the \"Disable Developer Mode\" setting in the MDM console is disabled, or if the user is able to enable \"Developer options\" on the device, this is a finding.\n\nNote: The \"Developer Modes\" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables developer modes on the mobile device.\n\n(**) \"Developer options\" is initially hidden to users. To unhide this menu item,\n1. Open the device settings.\n2. Select \"About phone\".\n3. Rapidly tap on \"Build number\" multiple times until device displays the developer options menu item.",
"description": "Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD-sensitive information. Disabling developer modes mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #24",
"fixid": "F-67035r1_fix",
"fixtext": "Configure the MOS to disable developer modes.\n\nConfigure the platform to disable Developer Mode.\n\nOn the MDM Administration Console, enable the \"Disable Developer Mode\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61175",
"ruleID": "SV-75655r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must not allow use of developer modes.",
"version": "KNOX-35-020000"
},
"V-61177": {
"checkid": "C-62133r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nThe current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or \nhttp://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the list of server authentication certificates in the \"Android Certificate Configuration\" rule. \n2. Verify the DoD root and intermediate PKI certificates are present. \n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Security\".\n3. Select \"Trusted Credentials\".\n4. Review Certificate Authorities listed under the \"System\" and \"User\" tabs.\n5. Verify the presence of the DoD root and intermediate certificates.\n\nIf the DoD root and intermediate certificates are not present in the MDM Console whitelist or on the device, this is a finding.",
"description": "DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67037r1_fix",
"fixtext": "Install DoD root and intermediate certificates on the device.\n\nOn the MDM Console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the \"Android Certificate Configuration\" rule.\n\nThe current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at\nhttp://iase.disa.mil/pki-pke (for NIPRNet) or \nhttp://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).",
"iacontrols": null,
"id": "V-61177",
"ruleID": "SV-75657r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Install DoD root and intermediate PKI certificates on the device.",
"version": "KNOX-35-020600"
},
"V-61179": {
"checkid": "C-62135r2_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow New Admin Install\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is disabled.\n\nNote: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM.\n\nNote: Android Device Manager must be deactivated if activated in order for this rule to be enforced on the device. This can only be done manually on the device by going to Settings >> Security >> Other security settings >> Phone administrators and checking that the setting is off for Android Device Manager.\n\nOn the Samsung Knox for Android device:\n1. Attempt to install an application that requires admin permissions.\n2. Verify that the application is blocked from being installed.\n\nIf the \"Allow New Admin Install\" setting in the MDM console is enabled, or if the user is able to install another application requiring admin permissions on the device, this is a finding.",
"description": "An application with administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, then this will allow another MDM administrator (assuming it has the proper Knox licenses) the ability to configure potentially conflicting policies on the device that may not meet DoD security requirements. Although an MDM cannot disable another MDM's policies or remove another MDM from the device, there is the potential of creating policies that could conflict with enterprise policies. Therefore, other applications requesting administrator permissions should be blocked from installation.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67039r1_fix",
"fixtext": "Configure the mobile operating system to disallow new admin installations.\n\nOn the MDM Administration Console, disable the \"Allow New Admin Install\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61179",
"ruleID": "SV-75659r2_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable Allow New Admin Install.",
"version": "KNOX-35-021000"
},
"V-61181": {
"checkid": "C-62137r1_chk",
"checktext": "This validation procedure is performed on the MDM Administration Console.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application install blacklist\" setting in the \"Android Applications\" rule. \n2. Verify the setting is configured to include all applications (specified by the wildcard string \".*\").\n\nIf the \"Application install blacklist\" setting in the MDM console does not include all applications, this is a finding.",
"description": "Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67041r1_fix",
"fixtext": "Configure the mobile operating system to add all applications to the install blacklist.\n\nOn the MDM Administration Console, add all applications to the \"Application install blacklist\" setting in the \"Android Applications\" rule.",
"iacontrols": null,
"id": "V-61181",
"ruleID": "SV-75661r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Configure application install blacklist.",
"version": "KNOX-35-021100"
},
"V-61183": {
"checkid": "C-62139r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all pre-installed (core) applications not approved for DoD use by the Approving Official (AO).\n\nNote: Refer to the Supplemental document for additional information.\n\nIf the \"Application disable list\" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.\n\nNote: Core applications are pre-installed on the device and include applications integrated into the Android OS by Google and applications added to the OS load by Samsung or by the carrier.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10b",
"fixid": "F-67043r1_fix",
"fixtext": "Configure the MOS application whitelist to exclude applications with the following characteristics:\n\n-all pre-installed (core) applications not approved for DoD use by the Approving Official (AO).\n\nConfigure the mobile operating system to disable pre-installed applications not approved for DoD use.\n\nOn the MDM Administration Console, add all pre-installed applications not approved for DoD to the \"Application disable list\" setting in the \"Android Applications\" rule. \n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61183",
"ruleID": "SV-75663r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: All pre-installed (core) applications not approved for DoD use by the Approving Official (AO).",
"version": "KNOX-35-021200"
},
"V-61185": {
"checkid": "C-62141r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all pre-installed applications which allow synchronization of data or applications between devices associated with the user.\n\nNote: The following applications are known to be pre-installed applications which allow synchronization of data or applications between devices associated with the user, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote. \n\nNote: Refer to the Supplemental document for additional information.\n\nIf the \"Application disable list\" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10b",
"fixid": "F-67045r1_fix",
"fixtext": "Configure the MOS application whitelist to exclude applications with the following characteristics:\n\n-allows synchronization of data or applications between devices associated with the user\n\nConfigure the mobile operating system to disable all pre-installed applications which allow synchronization of data or applications between devices associated with the user.\n\nOn the MDM Administration Console, add all pre-installed applications which allow synchronization of data or applications between devices associated with the user to the \"Application disable list\" setting in the \"Android Applications\" rule. \n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61185",
"ruleID": "SV-75665r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with the user.",
"version": "KNOX-35-021225"
},
"V-61187": {
"checkid": "C-62143r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all pre-installed payment processing applications.\n\nNote: The following applications are known to be pre-installed payment processing applications, but other applications can be found on other devices: Wallet, Isis Wallet, Softcard. \n\nNote: Refer to the Supplemental document for additional information.\n\nIf the \"Application disable list\" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10b",
"fixid": "F-67047r1_fix",
"fixtext": "Configure the MOS application whitelist to exclude applications with the following characteristics:\n\n-payment processing\n\nConfigure the mobile operating system to disable pre-installed payment processing applications.\n\nOn the MDM Administration Console, add all pre-installed payment processing applications to the \"Application disable list\" setting in the \"Android Applications\" rule. \n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61187",
"ruleID": "SV-75667r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: Payment processing.",
"version": "KNOX-35-021250"
},
"V-61189": {
"checkid": "C-62145r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services).\n\nNote: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote. \n\nNote: The following application allows a user to configure a Samsung Account on the device, which allows the user to back up files (including S Health data) to Samsung servers, as well as download applications from the Samsung Apps (Galaxy Apps) store: Samsung Account application. \n\nNote: Refer to the Supplemental document for additional information.\n\nIf the \"Application disable list\" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10b",
"fixid": "F-67049r2_fix",
"fixtext": "Configure the MOS application whitelist to exclude applications with the following characteristics:\n\n-backup MD data to non-DoD cloud servers (including user and application access to cloud backup services)\n\nConfigure the mobile operating system to disable pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services).\n\nOn the MDM Administration Console, add all pre-installed applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services) to the \"Application disable list\" setting in the \"Android Applications\" rule. \n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61189",
"ruleID": "SV-75669r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform whitelist must not include applications with the following characteristics: Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).",
"version": "KNOX-35-021275"
},
"V-61191": {
"checkid": "C-62147r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Allow Google Backup\" and \"Google Auto Sync\" settings in the \"Android Restrictions\" rule. \n2. Verify the settings are disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Backup and reset\".\n3. Verify \"Back up my data\" is disabled and cannot be enabled.\nand\n1. Open the device settings.\n2. Select Accounts.\n3. Configure a Google account.\n4. Select the configured Google account.\n5. Verify that all sync check boxes are unselected.\n\nIf the \"Allow Google Backup\" or \"Google Auto Sync\" setting is enabled, or if the user is able to enable the settings on the device, or if the \"Application disable list\" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.",
"description": "Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD-sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-67051r1_fix",
"fixtext": "Configure the MOS to disable backup to remote systems (including commercial clouds).\n\nConfigure the mobile device to disable backups to Google servers, disable Google Auto Sync, and disable all pre-installed public cloud backup applications.\n\nOn the MDM Administration Console, disable the \"Allow Google backup\" and \"Google Auto Sync\" settings in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61191",
"ruleID": "SV-75671r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must not allow backup to remote systems.",
"version": "KNOX-35-021300"
},
"V-61193": {
"checkid": "C-62149r1_chk",
"checktext": "Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the first of these steps. This validation procedure is performed on the MDM Administration Console.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Google Crash Report\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is disabled.\n\nIf the \"Google Crash Report\" configuration in the MDM console is enabled, this is a finding.",
"description": "Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1#45",
"fixid": "F-67053r1_fix",
"fixtext": "Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.\n\nConfigure the mobile operating system to disable Google Crash Report.\n\nOn the MDM Administration Console, disable the \"Google Crash Report\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61193",
"ruleID": "SV-75673r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.",
"version": "KNOX-35-021400"
},
"V-61195": {
"checkid": "C-62151r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"USB host storage\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Connect a Micro USB to USB OTG adaptor to the device.\n2. Connect a USB thumb drive to the adaptor.\n3. Verify the device cannot access the USB thumb drive.\n\nIf the \"USB host storage\" configuration in the MDM console is enabled, or if the user is able to access the USB thumb drive from the device, this is a finding.",
"description": "The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. Disabling this feature mitigates the risk of compromising sensitive DoD data.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67055r1_fix",
"fixtext": "Configure the mobile operating system to disable USB host storage.\n\nOn the MDM Administration Console, disable the \"USB host storage\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61195",
"ruleID": "SV-75675r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable USB host storage.",
"version": "KNOX-35-021600"
},
"V-61197": {
"checkid": "C-62153r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Max Sequential Characters\" and \"Max Sequential Numbers\" settings in the \"Android Password Restrictions\" rule. \n2. Verify the value of each setting is equal to or less than the required length.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Lock screen\".\n3. Select \"Screen lock\".\n4. Enter current password.\n5. Select Password.\n6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length.\n7. Verify the password is not accepted.\n\nIf the configured values of the \"Max Sequential Character\" and \"Max Sequential Number\" settings are greater than the required length, or if the device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.\n\nNote: On some MDM servers there may only be one configuration setting (\"Max Sequential Characters\") since this API actually disables both sequential and repeating characters.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #01b",
"fixid": "F-67057r1_fix",
"fixtext": "Configure the MOS to prevent passwords from containing more than two repeating or sequential characters.\n\nOn the MDM Administration Console, set the \"Max Sequential Characters\" and \"Max Sequential Numbers\" values to 2 in the \"Android Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61197",
"ruleID": "SV-75677r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must not allow passwords that include more than two repeating or sequential characters.",
"version": "KNOX-35-021900"
},
"V-61199": {
"checkid": "C-62155r2_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Allow multi-user mode\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Attempt to add a user in the \"User\" setting.\n3. Verify that the \"User\" setting is not available or verify that a new user cannot be added and set up.\n\nIf the \"Allow multi-user mode\" setting is enabled, or if the user is able to add a user and set up a new user, this is a finding.",
"description": "By default the enterprise administrator will install and enroll MDM on the device's owner user space. Since some policies configured by the MDM will only apply to the owner space, the user can bypass some of these policies by creating and switching to a guest user space. This can potentially result in compromise of the device and DoD data via installation of malicious applications. Disabling this feature will mitigate this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67059r1_fix",
"fixtext": "Configure the mobile operating system to disable multi-user modes.\n\nOn the MDM Administration Console, disable the \"Allow multi-user mode\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61199",
"ruleID": "SV-75679r2_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must be configured to disable multi-user modes.",
"version": "KNOX-35-022500"
},
"V-61201": {
"checkid": "C-62157r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Enable S Voice\" setting in the \"Android Restrictions\" rule. \n2. Verify the value is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Applications\".\n3. Verify the S Voice application cannot be selected.\n\nIf the \"Enable S Voice\" setting is enabled, or if the S Voice application can be launched or configured, this is a finding.",
"description": "On MOS devices, users may be able to access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack. The AO may waive this requirement with written notice if the operational environment requires this capability.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67061r1_fix",
"fixtext": "Configure the operating system to disable S Voice.\n\nOn the MDM Administration Console, disable the \"Enable S Voice\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61201",
"ruleID": "SV-75681r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable S Voice.",
"version": "KNOX-35-022800"
},
"V-61203": {
"checkid": "C-62159r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow NFC\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open device settings.\n2. Select \"NFC\".\n3. Verify the setting is disabled.\n\nIf the \"Allow NFC\" configuration in the MDM console is enabled, or if the setting is enabled on the device, this is a finding.",
"description": "NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67063r1_fix",
"fixtext": "Configure the mobile operating system to disable NFC.\n\nOn the MDM Administration Console, disable the \"Allow NFC\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61203",
"ruleID": "SV-75683r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable NFC.",
"version": "KNOX-35-023100"
},
"V-61205": {
"checkid": "C-62161r1_chk",
"checktext": "This validation procedure is performed on the Samsung Knox for Android device.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Nearby devices\".\n3. Verify this is disabled.\n\nIf setting is enabled and cannot be disabled, this is a finding. \n\nNote: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.",
"description": "The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the DLNA technology. Even though the user must allow requests from other devices, this feature can potentially result in unauthorized access to and compromise of sensitive DoD files. Disabling this feature will mitigate this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67065r1_fix",
"fixtext": "Configure the mobile operating system to disable nearby devices.",
"iacontrols": null,
"id": "V-61205",
"ruleID": "SV-75685r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable Nearby devices.",
"version": "KNOX-35-023500"
},
"V-61207": {
"checkid": "C-62163r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the PC.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule.\n2. Verify the \"Disable USB Media Player\" check box is selected. \n\nNote: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES).\n\nOn the Samsung Knox for Android device:\n1. Connect the device to a PC USB connection.\n\nNote: Do not use a DoD network-managed PC for this test!\n\nOn the PC:\n1. Verify the device is not shown in the PC finder.\n\nIf the specified setting is not set to the appropriate value, or if the device is shown in the PC finder, this is a finding.",
"description": "USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #39",
"fixid": "F-67067r1_fix",
"fixtext": "Configure the MOS to disable USB mass storage mode.\n\nOn the MDM Administration Console, select the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61207",
"ruleID": "SV-75687r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must not allow a USB mass storage mode.",
"version": "KNOX-35-023600"
},
"V-61209": {
"checkid": "C-62165r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow FOTA\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open device settings.\n2. Select \"About device\".\n3. Attempt to select \"Software update\".\n\nNote: Location of this menu can vary between models.\n\nIf the \"Allow FOTA\" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding.\n\nNote: After reviewing the update and adjusting any necessary policies (e.g., disabling applications determined to pose risk), the administrator can re-enable FOTA.",
"description": "FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (e.g., disabling applications determined to pose risk), the administrator can re-enable FOTA.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67069r1_fix",
"fixtext": "Configure the mobile operating system to disable automatic updates of system software.\n\nConfigure the mobile operating system to disable FOTA.\n\nOn the MDM Administration Console, disable the \"Allow FOTA\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61209",
"ruleID": "SV-75689r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must be configured to disable automatic updates of system software.",
"version": "KNOX-35-023700"
},
"V-61211": {
"checkid": "C-62167r1_chk",
"checktext": "This check procedure is performed on both the MDM Administration Console and the Samsung Knox device.\n\nCheck that the appropriate setting is configured on the MDM Administration Console.\n1. Ask the MDM administrator to display the \"Notifications on lock screen\" settings in the \"Android Restrictions\" rule. \n2. Verify that the \"Hide content\" or \"Do not show notification\" setting is enabled and \"Show content\" setting is disabled.\n\nOn the Samsung Knox for Android Device:\n1. Open the device settings.\n2. Select \"Notifications\".\n3. Select \"Notifications on lock screen\".\n4. Attempt to enable \"Show content\".\n\nIf the \"Show content\" setting in the MDM console is enabled, or if the user is able to enable \"Show content\" on the device, this is a finding.",
"description": "Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #21",
"fixid": "F-67071r1_fix",
"fixtext": "Configure the MOS to not display notifications when the device is locked.\n\nConfigure the platform to disable notifications on the lock screen or hide notification details on the lock screen.\n\nOn the MDM Administration Console, enable the \"Hide content\" or \"Do not show notification\" and disable \"Show content\" in the \"Notifications on lock screen\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61211",
"ruleID": "SV-75691r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must not display notifications when the device is locked.",
"version": "KNOX-35-024000"
},
"V-61213": {
"checkid": "C-62169r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the PC.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule. \n2. Verify the \"Disable USB Media Player\" check box is selected.\n\nNote: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES).\n\nOn the Samsung Knox for Android device:\n1. Connect the device to a PC USB connection.\n\nNote: Do not use a DoD network-managed PC for this test!\n\nOn the PC:\n1. Install and launch Samsung KIES on the PC.\n2. Verify the device does not connect with the Samsung KIES program.\n\nIf the specified setting is not set to the appropriate value, or if the device connects with the Samsung KIES program, this is a finding.",
"description": "Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed up data vulnerable to attack. Disabling backup to external systems mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-67073r1_fix",
"fixtext": "Configure the MOS to disable backup to locally connected systems.\n\nConfigure the mobile operating system to disable USB KIES.\n\nOn the MDM Administration Console, select the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule. \n\nNote: Disabling USB Media Player will also disable USB MTP, USB mass storage, USB vendor protocol (KIES).",
"iacontrols": null,
"id": "V-61213",
"ruleID": "SV-75693r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must not allow backup to locally connected systems.",
"version": "KNOX-35-024200"
},
"V-61215": {
"checkid": "C-62171r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the list of configured VPN profiles in the \"VPN profiles\" rule. \n2. Verify the list includes the organization VPN profile.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"More connection settings\".\n3. Select \"VPN\".\n4. Verify the list includes the organization VPN profile.\n\nIf the organization VPN profile is not included in either list, this is a finding.",
"description": "A key characteristic of mobile devices is that they typically communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility. In these circumstances, the threat of eavesdropping is substantial. Virtual private networks (VPNs) provide confidentiality and integrity protection for data transmitted over untrusted media (e.g., air) and networks (e.g., the Internet). They also provide authentication services to ensure that only authorized users are able to use them. Consequently, enabling VPN protection counters threats to communications to and from mobile devices. \n\nSFR ID: FMT_SMF_EXT.1.1 #03",
"fixid": "F-67075r1_fix",
"fixtext": "Configure the MOS to enable VPN protection.\n\nConfigure the mobile operating system with the organization VPN profile.\n\nOn the MDM Administration Console, configure the organization VPN profile in the \"VPN profiles\" rule.",
"iacontrols": null,
"id": "V-61215",
"ruleID": "SV-75695r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must enable VPN protection.",
"version": "KNOX-35-024500"
},
"V-61217": {
"checkid": "C-62173r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Minimum Password Complexity\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is Alphanumeric.\n3. Ask the MDM administrator to display the \"Enable Fingerprint for Lock screen authentication\" setting in the \"Android Restrictions\" rule. \n4. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Lock screen type\".\n4. Verify \"Swipe\", \"Pattern\", \"PIN\", \"Fingerprints\", and \"None\" are disabled (grayed out) and cannot be enabled.\n\nIf \"Enable Fingerprint for Lock screen authentication\" is enabled, if \"Minimum Password Complexity\" is not configured to Alphanumeric, or if the user is able to enable any of these lock screen types on the device, this is a finding.",
"description": "The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67077r1_fix",
"fixtext": "Configure the MOS to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data.\n\nConfigure the mobile operating system to set Minimum Password Complexity and to disable fingerprint unlock for the lock screen.\n\nOn the MDM Administration Console, configure \"Minimum Password Complexity\" to Alphanumeric and disable the \"Enable Fingerprint for Lock screen authentication\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61217",
"ruleID": "SV-75697r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD approved.",
"version": "KNOX-35-024600"
},
"V-61219": {
"checkid": "C-62175r1_chk",
"checktext": "Note: This validation procedure is identical to the one for KNOX-39-015600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"CC Mode\" settings in the \"Android Restrictions\" rule. \n2. Verify the value is enabled.\n\nNote: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"About Device\".\n3. Verify the value of \"Security software version\" displays \"Enforced\".\n\nIf the CC mode setting is not enabled, or if the \"Security software version\" on the device does not display \"Enforced\", this is a finding.",
"description": "Split-tunneling allows some of the mobile device's network traffic to bypass the VPN tunnel while the VPN is connected, so that the device holds multiple simultaneous remote connections. Without VPN split-tunneling disabled, malicious applications can covertly off-load device data to a third-party server or set up a trusted tunnel between a non-DoD third-party server and a DoD network, providing a vector to attack the network.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67079r1_fix",
"fixtext": "Configure the mobile operating system to disable VPN split-tunneling (if the MD provides a configurable control). \n\nConfigure the operating system to enable CC mode.\n\nOn the MDM Administration Console, enable the \"CC mode\" setting in the \"Android Restrictions\" rule.\n\nIf this setting is not available on the console, install the CC mode APK, and enable CC mode from this application.\nThis APK will be made available by Samsung.",
"iacontrols": null,
"id": "V-61219",
"ruleID": "SV-75699r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must be configured to disable VPN split-tunneling (if the MD provides a configurable control for FDP_IFC_EXT.1.1).",
"version": "KNOX-35-024700"
},
"V-61221": {
"checkid": "C-62177r1_chk",
"checktext": "Note: This validation procedure is identical to the one for KNOX-39-015400. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Android Knox Container\" rule. \n2. Verify the existence of this rule.\n3. Pushing this rule to the device that does not have a container installed will result in creation of the container.\n\nOn the Samsung Knox for Android device:\n1. From the device home screen, pull down the notification bar.\n2. Verify the existence of the KNOX icon.\n3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent.\n\nIf the MDM Administrator cannot configure the \"Android Knox Container\" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.",
"description": "The access control policy restricts processes and applications in one processing environment (container) from accessing data in another. Exceptions should only be allowed under the administrator control to protect sensitive DoD data from exposure.\n\nSFR ID: FMT_SMF_EXT.1.1 #45, FDP_ACF_EXT.1.2",
"fixid": "F-67081r1_fix",
"fixtext": "On the MDM Administration Console, create the \"Android Knox Container\" rule and push this rule to the device.",
"iacontrols": null,
"id": "V-61221",
"ruleID": "SV-75701r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must be configured to enable the access control policy that prevents [groups of application processes] from accessing [all] data stored by other [groups of application processes].",
"version": "KNOX-35-024800"
},
"V-61223": {
"checkid": "C-62179r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow Admin Remove\" settings in the \"Android Restrictions\" rule. \n2. Verify the value is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Other security settings\".\n4. Select \"Device administrators\".\n5. Verify the enterprise MDM agent is on and cannot be turned off.\n\nIf the \"Allow Admin Remove\" setting is enabled, or if the MDM agent on the device can be turned off, this is a finding.",
"description": "Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. For these reasons, a user must not be allowed to remove the MDM from the device.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67083r1_fix",
"fixtext": "Configure the operating system to disable admin removal by the user.\n\nOn the MDM Administration Console, disable the \"Allow Admin Remove\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61223",
"ruleID": "SV-75703r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable Admin Remove.",
"version": "KNOX-35-028400"
},
"V-61225": {
"checkid": "C-62181r1_chk",
"checktext": "This validation procedure is performed on the MDM Administration Console.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Enable Certificate Revocation Status (CRL) Check\" settings in the \"Android Restrictions\" rule. \n2. Verify the value is enabled and configured for all applications.\n\nIf the setting is disabled, or is not configured for all applications, this is a finding.",
"description": "A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67085r1_fix",
"fixtext": "Configure the operating system to perform certificate revocation status checking (CRL).\n\nOn the MDM Administration Console, enable the \"Enable Certificate Revocation Status (CRL) Check\" setting for all applications in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61225",
"ruleID": "SV-75705r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Enable Certificate Revocation Status Check.",
"version": "KNOX-35-028500"
},
"V-61227": {
"checkid": "C-62183r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Minimum Password Complexity\" setting in the \"Android Restrictions\" rule. \n2. Verify the settings are Alphanumeric.\n3. Ask the MDM administrator to display the \"Enable Smart Lock\" setting in the \"Android Restrictions\" rule. \n4. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Secure lock settings\".\n4. Verify \"Smart Lock\" is disabled (grayed out) and cannot be enabled.\n\nIf \"Smart Lock\" is enabled or if the user is able to enable the settings on the device, this is a finding.",
"description": "Smart Lock allows the mobile device to be unlocked, or to remain unlocked, based on factors other than the user's password (e.g., a trusted device, a trusted location, or a recognized face or voice). At this time, no such mechanism has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67087r1_fix",
"fixtext": "Configure the MOS to not allow authentication mechanisms other than a Password Authentication Factor where the authentication provides user access to protected data.\n\nConfigure the mobile operating system to disable Smart Lock.\n\nOn the MDM Administration Console, disable the \"Enable Smart Lock\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61227",
"ruleID": "SV-75707r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable Enable Smart Lock.",
"version": "KNOX-35-030000"
},
"V-61229": {
"checkid": "C-62185r1_chk",
"checktext": "Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the second of these steps. This validation procedure is performed on the MDM Administration Console.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Knox License\" settings in the \"Knox Management\" rule. \n2. Verify the correct DoD-issued Knox license is configured.\n\nIf the correct DoD-issued Knox license is not configured in the \"Knox License\" setting this is a finding.",
"description": "Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1#45",
"fixid": "F-67089r1_fix",
"fixtext": "Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.\n\nConfigure the DoD-issued Knox license.\n\nOn the MDM Administration Console configure the DoD-issued Knox license in the \"Knox Management\" rule.",
"iacontrols": null,
"id": "V-61229",
"ruleID": "SV-75709r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Configure a KNOX on-premise license.",
"version": "KNOX-35-030100"
},
"V-61231": {
"checkid": "C-62187r1_chk",
"checktext": "Disabling automatic transfer of diagnostic data to an external device on Samsung Knox for Android involves three steps: (1) Disable Google Crash report, (2) Configure a KNOX on premise license, and (3) Disable Report diagnostic info. This validation procedure covers the third of these steps. This validation procedure is performed on the Samsung Knox for Android device.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Privacy and safety\" or \"About device\".\n3. Verify Report diagnostic info setting is not checked.\n\nIf the setting is checked (enabled), this is a finding.\n(Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.)",
"description": "Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1#45",
"fixid": "F-67091r1_fix",
"fixtext": "Configure the MOS to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.\n\nConfigure the mobile operating system to disable Report diagnostic info.\n\nOn the Samsung Knox for Android device uncheck the Report diagnostic info setting.",
"iacontrols": null,
"id": "V-61231",
"ruleID": "SV-75711r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report diagnostic info.",
"version": "KNOX-35-030200"
},
"V-61233": {
"checkid": "C-62189r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Enable DoD Banner\" check box and \"Banner Text\" field in the \"Android Restrictions\" rule. \n2. Verify the \"Enable DoD Banner\" check box is selected. \n3. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank.\nNote: The default device banner matches the required DoD banner. If the DoD banner is enabled without entering any text, the device will display a default text.\n\nOn the Samsung Knox for Android device:\n1. Reboot the device.\n2. Verify the device displays the DoD banner.\n3. Verify the DoD banner is set to one of the authorized messages.\n\nIf the specified setting is not set to the appropriate value, or the device does not display the DoD banner on reboot, this is a finding.",
"description": "The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction. \n\nSystem use notification messages can be displayed when individuals first access or unlock the mobile device. The banner shall be implemented as a \"click-through\" banner at device unlock (to the extent permitted by the operating system). A \"click through\" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \u201cOK.\u201d\n\nThe approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nFor devices with severe character limitations, the banner text is: \n\nI've read & consent to terms in IS user agreem't.\n\nThe administrator must configure the banner text exactly as written without any changes.\n\nSFR ID: FMT_SMF_EXT.1.1 #36",
"fixid": "F-67093r1_fix",
"fixtext": "Configure the MOS to display the DoD-mandated warning banner text.\n\nOn the MDM Administration Console, select the \"Enable DoD Banner\" check box, and enter the correct text in the \"Banner Text\" field in the \"Android Restrictions\" rule.\n\n(**) On some MDM vendor consoles, the logon banner automatically is displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.",
"iacontrols": null,
"id": "V-61233",
"ruleID": "SV-75713r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android platform must display the DoD advisory warning message at start-up or each time the user unlocks the device.",
"version": "KNOX-36-009700"
},
"V-61235": {
"checkid": "C-62191r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console: \n1. Ask the MDM administrator to display the \"Disable Manual Date Time Changes\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is selected. \n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"Date and time\".\n3. Verify the \"Automatic date and time\" check box is checked.\n4. Verify a user cannot deselect the \"Automatic date and time\" check box.\n\nIf either the \"Disable Manual Date Time Changes\" check box is not checked on the MDM administration console; or the \"Automatic date and time\" check box is not selected on the device; or if it is possible to deselect this option on the device, this is a finding.",
"description": "Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nPeriodically synchronizing internal clocks with an authoritative time source is needed in order to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for mobile operating systems are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), or the Global Positioning System (GPS), or the wireless carrier.\n\nTime stamps generated by the audit system in mobile operating systems shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67095r1_fix",
"fixtext": "Configure the mobile operating system to synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System.\n\nOn the MDM Console, select the \"Disable Manual Date Time Changes\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61235",
"ruleID": "SV-75715r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Disable Manual Date Time Changes.",
"version": "KNOX-38-012600"
},
"V-61237": {
"checkid": "C-62193r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Min Length\" setting in the \"Android Knox Container -> Container Password Restrictions\" rule. \n2. Verify the value of the setting is the same or greater than the required length.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Select \"Knox Settings\".\n3. Select \"Change password\".\n4. Enter current password.\n5. Attempt to enter a password with fewer characters than the required length.\n6. Verify the password is not accepted.\n\nIf the configured value of the \"Min Length\" setting is less than the required length, or if Samsung Knox for Android accepts a container password with fewer characters than the required length, this is a finding.\n\nNote: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device. The use of a password to move between container and personal areas is only required if the password is needed to provide data separation between the two processing environments. For the Samsung devices, the password is required to enable the container and implement data separation.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67097r1_fix",
"fixtext": "Configure the mobile device to enforce a minimum password length of 4 characters.\n\nOn the MDM Console, set the \"Min Length\" value to 4 or greater in the \"Android Knox Container -> Container Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61237",
"ruleID": "SV-75717r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Configure to enforce a minimum password length of 4 characters.",
"version": "KNOX-39-014900"
},
"V-61239": {
"checkid": "C-62195r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow Export Calendar to Personal Mode\" setting in the \"Android Knox Container -> Container Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox container.\n2. Select \"Knox Settings\".\n3. Select \"Share data\".\n4. Verify \"Export to Personal Mode - Calendar\" is disabled and attempt to enable this setting.\n\nIf the \"Allow Export Calendar to Personal Mode\" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.",
"description": "Calendar events can include potentially DoD-sensitive data such as names, contacts, dates and times, and locations. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67099r1_fix",
"fixtext": "Configure the mobile operating system to disable sharing of calendar information outside the container.\n\nOn the MDM Administration Console, disable the \"Allow Export Calendar to Personal Mode\" setting in the \"Android Knox Container -> Container Restrictions\" rule.",
"iacontrols": null,
"id": "V-61239",
"ruleID": "SV-75719r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Disable sharing of calendar information outside the container.",
"version": "KNOX-39-015100"
},
"V-61241": {
"checkid": "C-62197r1_chk",
"checktext": "This validation procedure is performed on the MDM Administration Console only.\n\nCheck whether the container password setting is configured on the MDM server. \n1. Ask the MDM administrator to display the \"Maximum Failed Attempts\" field in the \"Android Knox Container -> Container Password Restrictions\" rule.\n2. Verify the value of the setting is 10 or less.\n\nIf there is no value configured for the \"Maximum Failed Attempts\" field, or if it is greater than 10, this is a finding.",
"description": "Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67101r1_fix",
"fixtext": "Configure the mobile operating system to allow only 10 or fewer consecutive failed authentication attempts.\n\nOn the MDM Administration Console, set the \"Maximum Failed Attempts\" to the organization-defined value (10 or less) in the \"Android Knox Container -> Container Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61241",
"ruleID": "SV-75721r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android container must implement the management setting: Configure to prohibit more than 10 consecutive failed authentication attempts.",
"version": "KNOX-39-015200"
},
"V-61243": {
"checkid": "C-62199r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow Export Contact to Personal Mode\" setting in the \"Android Knox Container -> Container Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox container.\n2. Select \"Knox Settings\".\n3. Select \"Share data\".\n4. Verify \"Export to Personal Mode - Contact\" is disabled and attempt to enable this setting.\n\nIf the \"Allow Export Contact to Personal Mode\" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.",
"description": "Contacts can include DoD-sensitive data and PII of DoD employees including names, numbers, addresses, and email addresses. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67103r1_fix",
"fixtext": "Configure the mobile operating system to disable sharing of contact information outside the container.\n\nOn the MDM Administration Console, disable the \"Allow Export Contact to Personal Mode\" setting in the \"Android Knox Container -> Container Restrictions\" rule.",
"iacontrols": null,
"id": "V-61243",
"ruleID": "SV-75723r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Disable sharing of contact information outside the container.",
"version": "KNOX-39-015250"
},
"V-61245": {
"checkid": "C-62201r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow Show detailed notifications\" setting in the \"Android Knox Container -> Container Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox container.\n2. Select \"Knox Settings\".\n3. Verify \"Show detailed notifications\" is disabled and attempt to enable this setting.\n\nIf the \"Allow Show detailed notifications\" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.",
"description": "Application notifications can include DoD-sensitive data. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67105r1_fix",
"fixtext": "Configure the mobile operating system to disable sharing of notification details outside the container.\n\nOn the MDM Administration Console, disable the \"Allow Show detailed notifications\" setting in the \"Android Knox Container -> Container Restrictions\" rule.",
"iacontrols": null,
"id": "V-61245",
"ruleID": "SV-75725r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Disable sharing of notification details outside the container.",
"version": "KNOX-39-015300"
},
"V-61247": {
"checkid": "C-62203r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Android Knox Container\" rule.\n2. Verify the existence of this rule.\n3. Pushing this rule to a device that does not have a container installed will result in creation of the container.\n\nOn the Samsung Knox for Android device:\n1. From the device home screen, pull down the notification bar.\n2. Verify the existence of the KNOX icon.\n3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent.\n\nIf the MDM Administrator cannot configure the \"Android Knox Container\" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.",
"description": "The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly higher risk of compromise because they are not protected by encryption, isolation, etc.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67107r1_fix",
"fixtext": "On the MDM Administration Console, create the \"Android Knox Container\" rule and push this rule to the device.",
"iacontrols": null,
"id": "V-61247",
"ruleID": "SV-75727r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must be configured to implement the management setting: Enable container.",
"version": "KNOX-39-015400"
},
"V-61249": {
"checkid": "C-62205r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"CC Mode\" settings in the \"Android Restrictions\" rule. \n2. Verify the value is enabled.\n\nNote: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled.\n\nOn the Samsung Knox for Android device:\n1. Open the device settings.\n2. Select \"About Device\".\n3. Verify the value of \"Security software version\" displays \"Enforced\".\n\nIf the CC mode setting is not enabled, or if the \"Security software version\" on the device does not display \"Enforced\", this is a finding.",
"description": "CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the MD is more at risk of being compromised if lost or stolen.\n\nCC mode implements the following controls:\n- enables the OpenSSL FIPS crypto library\n- sets the password failure settings to wipe the device to 5 (5 failed consecutive attempts will wipe the device)\n- disables ODIN mode (download mode)\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67109r1_fix",
"fixtext": "Configure the operating system to enable CC mode.\n\nOn the MDM Administration Console, enable the \"CC mode\" setting in the \"Android Restrictions\" rule.\n\nIf this setting is not available on the console, install the CC mode APK, and enable CC mode from this application.\nThis APK will be made available by Samsung.",
"iacontrols": null,
"id": "V-61249",
"ruleID": "SV-75729r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must implement the management setting: Enable CC mode.",
"version": "KNOX-39-015600"
},
"V-61251": {
"checkid": "C-62207r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Bluetooth Profiles\" settings in the \"Android Restrictions\" rule.\n2. Verify the only profiles allowed are HSP, HFP, and SPP.\n\nOn the Samsung Knox for Android device:\n1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard).\n2. Verify the Bluetooth peripheral does not pair with the Samsung Knox for Android device.\n\nIf Bluetooth profiles other than HSP, HFP, and SPP are configured to be allowed, or if the device is able to pair with a Bluetooth keyboard, this is a finding.",
"description": "Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.\n\nSFR ID: FMT_SMF_EXT.1.1 #20",
"fixid": "F-67111r1_fix",
"fixtext": "Configure the MOS to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-free Profile), and SPP (Serial Port Profile).\n\nOn the MDM Administration Console, configure the \"Bluetooth Profiles\" setting to only allow HSP, HFP, and SPP in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-61251",
"ruleID": "SV-75731r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android platform must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-free Profile), and SPP (Serial Port Profile).",
"version": "KNOX-39-015700"
},
"V-61253": {
"checkid": "C-62209r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the list of white-listed applications in the \"Android Knox Container -> Container Applications\" rule.\n2. Verify all white-listed applications have been approved by the Approving Official (AO).\n\nNote: Refer to the Supplemental document for additional information.\n\nNote: This list can be empty if no applications have been approved.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Attempt to install an application that is not in the application whitelist.\n\nIf any of the white-listed applications on the MDM Administration Console have not been approved by the AO, or if the device allows the user to successfully install the application, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nThe application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #10b",
"fixid": "F-67113r1_fix",
"fixtext": "Configure the mobile device to use an application whitelist.\n\nOn the MDM Administration Console, configure the list of white-listed applications in the \"Android Knox Container -> Container Applications\" rule and ensure only AO-approved applications are on the list.\n\nNote: This list can be empty if no applications have been approved.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61253",
"ruleID": "SV-75733r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must enforce an application installation policy by specifying an application whitelist.",
"version": "KNOX-39-020100"
},
"V-61255": {
"checkid": "C-62211r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application install blacklist\" setting in the \"Android Knox Container -> Container Application\" rule. \n2. Verify the setting is configured to all applications (specified by the wildcard string \".*\").\n\nOn the Samsung Knox for Android device:\n1. Attempt to install any application that is not configured in the application install whitelist.\n2. Verify that the application is blocked from being installed.\n\nIf the \"Application install blacklist\" configuration in the MDM console has the wrong value, or if the user is able to install the application, this is a finding.",
"description": "Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67115r1_fix",
"fixtext": "Configure the mobile operating system to add all applications to the install blacklist.\n\nOn the MDM Administration Console, add all applications to the \"Application install blacklist\" setting in the \"Android Knox Container -> Container Application\" rule.",
"iacontrols": null,
"id": "V-61255",
"ruleID": "SV-75735r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Configure application install blacklist.",
"version": "KNOX-39-020300"
},
"V-61257": {
"checkid": "C-62213r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Move Applications to Container\" setting in the \"Android Knox Container -> Container Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Select \"Knox Settings\".\n3. Verify \"Select apps to install\" cannot be selected.\n\nIf the \"Move Applications to Container\" configuration in the MDM console is enabled, or if the user is able to select \"Select apps to install\", this is a finding.",
"description": "Applications determined to be acceptable for personal use outside the container might not be acceptable for use within the container. The Move Applications to Container feature allows users to install personal side applications into the container, resulting in potential compromise of DoD data. Disabling this feature mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67117r1_fix",
"fixtext": "Configure the mobile operating system to disable Move Applications to Container.\n\nOn the MDM Administration Console, disable the \"Move Applications to Container\" setting in the \"Android Knox Container -> Container Application\" rule.",
"iacontrols": null,
"id": "V-61257",
"ruleID": "SV-75737r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Disable Move Applications to Container.",
"version": "KNOX-39-020400"
},
"V-61259": {
"checkid": "C-62215r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Move Files from Container to Personal\" setting in the \"Android Knox Container -> Container Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Select \"My Files\" application.\n3. Select a file by long pressing a selection.\n4. Select settings.\n5. Select \"Move to Personal mode\".\n6. Verify that this operation is blocked.\n\nIf the \"Move Files from Container to Personal\" configuration in the MDM console is enabled, or if the user is able to successfully move the selected file to the personal space, this is a finding.",
"description": "Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67119r1_fix",
"fixtext": "Configure the mobile operating system to disable Move Files from Container to Personal.\n\nOn the MDM Administration Console, disable the \"Move Files from Container to Personal\" setting in the \"Android Knox Container -> Container Restrictions\" rule.",
"iacontrols": null,
"id": "V-61259",
"ruleID": "SV-75739r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Disable Move Files from Container to Personal.",
"version": "KNOX-39-020500"
},
"V-61261": {
"checkid": "C-62217r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Application disable list\" setting in the \"Android Knox Container -> Container Application\" rule. \n2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Approving Official (AO).\n\nNote: Refer to the Supplemental document for additional information.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox container.\n2. Attempt to launch an application that is included on the disable list. \n\nNote: This application should not be visible.\n\nIf the \"Application disable list\" configuration in the MDM console does not contain all core and pre-installed applications not approved by DoD, or if the user is able to successfully launch an application on this list, this is a finding.\n\nNote: Core applications are apps installed in the operating system by the OS developer. In addition, third-party pre-installed apps are included in the OS build by the device vendor or wireless carrier.",
"description": "Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party preinstalled apps include apps from the vendor and carrier. Some of these applications can compromise DoD data or upload the user's information to non-DoD-approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67121r1_fix",
"fixtext": "Configure the mobile operating system to disable all pre-installed container applications that are not DoD-approved.\n\nOn the MDM Administration Console, add all pre-installed container applications that are not DoD-approved to the \"Application disable list\" setting in the \"Android Knox Container -> Container Application\" rule. \n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-61261",
"ruleID": "SV-75741r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Configure application disable list.",
"version": "KNOX-39-020700"
},
"V-61263": {
"checkid": "C-62219r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Allow browser auto-fill\" setting in the \"Android Knox Container -> Container Restrictions\" rule. \n2. Verify the setting is disabled.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox container.\n2. Launch the browser application.\n3. Select the application's setting menu.\n4. Select \"Auto fill forms\".\n5. Verify \"Auto fill forms\" is disabled and attempt to enable this setting.\n\nIf the \"Allow browser auto-fill\" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.",
"description": "The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of an auto-fill functionality, an adversary who learns a user's MOS device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the auto-fill feature to provide information unknown to the adversary. By disabling the auto-fill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67123r1_fix",
"fixtext": "Configure the mobile operating system to disable browser auto-fill for the container browser application.\n\nOn the MDM Administration Console, disable the \"Allow browser auto-fill\" setting in the \"Android Knox Container -> Container Restrictions\" rule.",
"iacontrols": null,
"id": "V-61263",
"ruleID": "SV-75743r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Disable automatic completion of browser text input.",
"version": "KNOX-39-021000"
},
"V-61265": {
"checkid": "C-62221r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Max Sequential Characters\" and \"Max Sequential Numbers\" settings in the \"Android Knox Container -> Container Password Restrictions\" rule.\n2. Verify the value of each setting is equal to or less than the required length.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Select \"Knox Settings\".\n3. Select \"Unlock method\".\n4. Enter current password.\n5. Select Password.\n6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length.\n7. Verify the password is not accepted.\n\nIf the configured values of the \"Max Sequential Characters\" and \"Max Sequential Numbers\" settings are greater than the required length, or if the device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #01b",
"fixid": "F-67125r1_fix",
"fixtext": "Configure the mobile device to enforce a password that does not contain more than two sequential or repeating characters or numbers.\n\nOn the MDM Administration Console, set the \"Max Sequential Characters\" and \"Max Sequential Numbers\" values to 2 in the \"Android Knox Container -> Container Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61265",
"ruleID": "SV-75745r1_rule",
"severity": "low",
"title": "The Samsung Knox for Android container must not allow passwords that include more than two repeating or sequential characters.",
"version": "KNOX-39-021100"
},
"V-61267": {
"checkid": "C-62223r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Account whitelist\" setting in the \"Container Accounts\" rule.\n2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil).\nNote: Proper configuration of the Account blacklist is required for this configuration to function correctly.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Open Settings.\n3. Select Accounts.\n4. Select Add account.\n5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain.\n6. Verify that the email account can be added.\n7. Attempt to add an email account with a domain not approved by DoD.\n8. Verify that the email account cannot be added.\n\nIf the \"Account whitelist\" is not properly configured, or if the user is able to successfully configure an email account with a domain not approved by DoD, or if the user is not able to add the DoD-approved email account, this is a finding.",
"description": "Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized recipients.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67127r1_fix",
"fixtext": "Configure the mobile operating system to add DoD-approved email domains to the account whitelist.\n\nOn the MDM Administration Console, add all DoD-approved email domains to the \"Account whitelist\" setting in the \"Container Accounts\" rule.\nNote: It is recommended to add \".*@mail.mil\".",
"iacontrols": null,
"id": "V-61267",
"ruleID": "SV-75747r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Account whitelist.",
"version": "KNOX-39-021200"
},
"V-61269": {
"checkid": "C-62225r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Account blacklist\" setting in the \"Container Accounts\" rule.\n2. Verify the setting is configured to all email domains not approved by DoD.\n\nNote: All email domains are specified by the wildcard string \".*\".\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Open Settings.\n3. Select Accounts.\n4. Select Add account.\n5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain.\n6. Verify that the email account cannot be added.\n\nIf the \"Account blacklist\" is not properly configured, or if the user is able to successfully configure a non-DoD-approved email account, this is a finding.",
"description": "Blacklisting all email accounts is required so that only white-listed accounts can be configured.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67129r1_fix",
"fixtext": "Configure the mobile operating system to add email domains not approved by DoD to the account blacklist.\n\nOn the MDM Administration Console, add all email domains not approved by DoD to the \"Account blacklist\" setting in the \"Container Accounts\" rule.",
"iacontrols": null,
"id": "V-61269",
"ruleID": "SV-75749r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Account blacklist.",
"version": "KNOX-39-021300"
},
"V-61271": {
"checkid": "C-62227r1_chk",
"checktext": "This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.\n\nCheck whether the appropriate setting is configured on the MDM Administration Console:\n1. Ask the MDM administrator to display the \"Minimum Complexity\" setting in the \"Android Knox Container -> Container Password Restrictions\" rule. \n2. Verify the value of the setting is Alphanumeric.\n\nOn the Samsung Knox for Android device:\n1. Open the Knox Container.\n2. Select \"Knox Settings\".\n3. Select \"Unlock method\".\n4. Enter current password.\n5. Verify PIN and Pattern are grayed out and cannot be selected.\n\nIf the configured value of the \"Min Complexity\" setting is not Alphanumeric, or if the user is able to select PIN or Pattern, this is a finding.\n\nNote: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.",
"description": "Authentication mechanisms other than a Password Authentication Factor often provide convenience to users, but many of these mechanisms have known vulnerabilities. Configuring a minimum password complexity mitigates the risk associated with a weak authentication factor.\n\nSFR ID: FMT_SMF_EXT.1.1 #45",
"fixid": "F-67131r1_fix",
"fixtext": "Configure the mobile device to enforce a minimum password complexity of alphanumeric.\n\nOn the MDM Console, set the \"Min Complexity\" value to Alphanumeric in the \"Android Knox Container -> Container Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-61271",
"ruleID": "SV-75751r1_rule",
"severity": "medium",
"title": "The Samsung Knox for Android container must implement the management setting: Configure minimum password complexity.",
"version": "KNOX-39-022000"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-61153": "true",
"V-61157": "true",
"V-61159": "true",
"V-61161": "true",
"V-61163": "true",
"V-61165": "true",
"V-61167": "true",
"V-61169": "true",
"V-61171": "true",
"V-61173": "true",
"V-61175": "true",
"V-61177": "true",
"V-61179": "true",
"V-61181": "true",
"V-61183": "true",
"V-61185": "true",
"V-61187": "true",
"V-61189": "true",
"V-61191": "true",
"V-61193": "true",
"V-61195": "true",
"V-61197": "true",
"V-61199": "true",
"V-61201": "true",
"V-61203": "true",
"V-61205": "true",
"V-61207": "true",
"V-61209": "true",
"V-61211": "true",
"V-61213": "true",
"V-61215": "true",
"V-61217": "true",
"V-61219": "true",
"V-61221": "true",
"V-61223": "true",
"V-61225": "true",
"V-61227": "true",
"V-61229": "true",
"V-61231": "true",
"V-61233": "true",
"V-61235": "true",
"V-61237": "true",
"V-61239": "true",
"V-61241": "true",
"V-61243": "true",
"V-61245": "true",
"V-61247": "true",
"V-61249": "true",
"V-61251": "true",
"V-61253": "true",
"V-61255": "true",
"V-61257": "true",
"V-61259": "true",
"V-61261": "true",
"V-61263": "true",
"V-61265": "true",
"V-61267": "true",
"V-61269": "true",
"V-61271": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "samsung_android_os_5_with_knox_2.0",
"title": "Samsung Android OS 5 with Knox 2.0 Security Technical Implementation Guide",
"version": "1"
}
}