Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

DISA STIG.DOD.MIL  Release: 6  Benchmark Date: 25 Oct 2019

Profiles: I - Mission Critical Classified; I - Mission Critical Public; I - Mission Critical Sensitive; II - Mission Support Classified; II - Mission Support Public; II - Mission Support Sensitive; III - Administrative Classified; III - Administrative Public; III - Administrative Sensitive

PP-MDF-301010
KNOX-07-000100 The Samsung Android 7 with Knox must be configured to enforce a minimum password length of six characters.

<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.
SFR ID: FMT_SMF_EXT.1.1 #1a</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000205

Fix Text: Configure the Samsung Android 7 with Knox to enforce a minimum password length of six characters.
On the MDM console, set the "Minimum Length" value to "6" or greater in the "Android Password Restrictions" rule.
Note: When device encryption is enabled (always enabled by the DoD configuration), Samsung Android 7 with Knox automatically enforces a minimum length of "6".

Check Text: Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing a minimum password length of six characters.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Length" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is set to six or more characters.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Screen lock type".
4. Enter current password.
5. Select "Password".
6. Attempt to enter a password with fewer characters than six characters.
7. Verify the password is not accepted.
If the MDM console "Minimum Length" setting is not set to six characters or more, or if the Samsung Android 7 with Knox device accepts a password of fewer than six characters, this is a finding.

PP-MDF-301020
KNOX-07-000200 The Samsung Android 7 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters.

<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.
SFR ID: FMT_SMF_EXT.1.1 #1b</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366

Fix Text: Configure the Samsung Android 7 with Knox to prevent passwords from containing more than two repeating or sequential characters.
On the MDM console, do the following:
1. Set the "Maximum Sequential Characters" value to "2" in the "Android Password Restrictions" rule.
2. Set the "Maximum Sequential Numbers" value to "2" in the "Android Password Restrictions" rule.

Check Text: Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters. If feasible, use a spare device to try to create a password with more than two repeating or sequential characters (e.g., bbb, 888, hij, 654).
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum Sequential Characters" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is two or fewer sequential characters.
3. Ask the MDM administrator to display the "Maximum Sequential Numbers" setting in the "Android Password Restrictions" rule.
4. Verify the value of the setting is two or fewer sequential numbers.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Screen lock type".
4. Enter current password.
5. Select "Password".
6. Attempt to enter a password that contains more than two repeating or sequential characters or numbers (e.g., bbb, 888, hij, 654).
7. Verify the password is not accepted.
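The two password rules above (KNOX-07-000100 and KNOX-07-000200) can be exercised offline before touching a device. The following Python checker is an added example and is not DISA or Samsung code: it models the "Android Password Restrictions" values named in the STIG as a small policy object, reports whether the configured thresholds themselves meet the STIG (the MDM console half of the check), and evaluates candidate passwords the way steps 6 and 7 expect the device to (the device half). The class and function names, the sample passwords, and the interpretation of "repeating" as a run of identical characters are assumptions made for this example.

```python
"""Added example modelling KNOX-07-000100 (minimum length 6) and
KNOX-07-000200 (no more than two repeating or sequential characters).
Not DISA or Samsung code; names and the 'repeating run' interpretation
are assumptions for this example."""

from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirror of the MDM 'Android Password Restrictions' values (assumed names)."""
    min_length: int = 6               # "Minimum Length"
    max_repeating: int = 2            # identical characters in a row (bbb, 888)
    max_sequential_chars: int = 2     # "Maximum Sequential Characters" (hij)
    max_sequential_numbers: int = 2   # "Maximum Sequential Numbers" (654)


def policy_findings(policy: PasswordPolicy) -> List[str]:
    """The MDM-console half of the check: are the thresholds STIG-compliant?"""
    findings = []
    if policy.min_length < 6:
        findings.append(f'"Minimum Length" is {policy.min_length}; must be 6 or more')
    for label, value in (("Maximum Sequential Characters", policy.max_sequential_chars),
                         ("Maximum Sequential Numbers", policy.max_sequential_numbers)):
        if value > 2:
            findings.append(f'"{label}" is {value}; must be 2 or less')
    return findings


def longest_repeat(pw: str) -> int:
    """Length of the longest run of one identical character."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def longest_sequence(pw: str, in_class: Callable[[str], bool]) -> int:
    """Length of the longest run of characters, all satisfying in_class,
    whose code points step by exactly +1 or exactly -1 in one direction
    (e.g. 'hij', '654', 'cba').  Letters are compared case-insensitively."""
    best = run = direction = 0
    prev = None
    for ch in pw.lower():
        if prev is not None and in_class(prev) and in_class(ch) and abs(ord(ch) - ord(prev)) == 1:
            step = ord(ch) - ord(prev)
            run = run + 1 if (run >= 2 and step == direction) else 2
            direction = step
        else:
            run = 1 if in_class(ch) else 0
            direction = 0
        prev = ch
        best = max(best, run)
    return best


def password_findings(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """The device half of the check: an empty list means the password should be accepted."""
    findings = []
    if len(pw) < policy.min_length:
        findings.append(f"length {len(pw)} is below the minimum of {policy.min_length}")
    if (r := longest_repeat(pw)) > policy.max_repeating:
        findings.append(f"{r} repeating characters exceed the maximum of {policy.max_repeating}")
    if (s := longest_sequence(pw, str.isalpha)) > policy.max_sequential_chars:
        findings.append(f"{s} sequential letters exceed the maximum of {policy.max_sequential_chars}")
    if (n := longest_sequence(pw, str.isdigit)) > policy.max_sequential_numbers:
        findings.append(f"{n} sequential digits exceed the maximum of {policy.max_sequential_numbers}")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords for the example (not from the STIG).
    for candidate in ("Pa55w0rd", "abc123", "bbbxyz9", "Qw7!"):
        print(candidate, password_findings(candidate) or "accepted")
    # A console misconfiguration: too-short minimum and three sequential letters allowed.
    print(policy_findings(PasswordPolicy(min_length=4, max_sequential_chars=3)))
```

Note that "aba" scores a sequence length of 2, not 3: the run direction changes, so it is two overlapping two-character sequences, which the STIG permits. A console that only exposes "Maximum Sequential Characters" and "Maximum Sequential Numbers" may not reject pure repeats such as "bbb"; the spare-device test in the check text is what catches that gap.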
If the MDM console "Maximum Sequential Characters" or "Maximum Sequential Numbers" setting is set to a value greater than two, or if the Samsung Android 7 with Knox device accepts a password with more than two repeating or sequential characters, this is a finding.

PP-MDF-301030
KNOX-07-000500 The Samsung Android 7 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity.

<VulnDiscussion>The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.
SFR ID: FMT_SMF_EXT.1.1 #2a, 2b</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000057

Fix Text: Configure the Samsung Android 7 with Knox to lock the device display after "15" minutes (or less) of inactivity.
On the MDM console, configure the "Maximum Time to Lock" option to "15" minutes in the "Android Password Restrictions" rule.

Check Text: Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum Time to Lock" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is "15" minutes or less.
On the Samsung Android 7 with Knox device, do the following:
1. Unlock the device.
2. Refrain from performing any activity on the device for "15" minutes.
3. Verify the device requires the user to enter the device unlock password to access the device.
If the MDM console "Maximum Time to Lock" is not set to "15" minutes or less, or if the Samsung Android 7 with Knox device does not require the user to enter the password to unlock it after "15" minutes of inactivity, this is a finding.

PP-MDF-301050
KNOX-07-000600 The Samsung Android 7 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts.

<VulnDiscussion>The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at "10" or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.
SFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000044

Fix Text: Configure the Samsung Android 7 with Knox to allow "10" or fewer consecutive failed authentication attempts.
On the MDM console, set the "Maximum Failed Attempts for wipe" to "10" or less in the "Android Password Restrictions" rule for the device unlock password.

Check Text: Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts at "10" or less.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum Failed Attempts for wipe" field in the "Android Password Restrictions" rule for the device unlock password.
2. Verify the value of the setting is "10" or less.
If the MDM console "Maximum Failed Attempts for wipe" is not set to "10" or less, this is a finding.

PP-MDF-301080
KNOX-07-001100 The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]. Disable Google Play.

<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.
SFR ID: FMT_SMF_EXT.1.1 #8a</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366, CCI-001806

Fix Text: Configure the Samsung Android 7 with Knox to disable unauthorized application repositories.
On the MDM console, enable "Disable Android Market" in the "Android Applications" rule.
Note: Some MDM consoles may refer to "Google Play" instead of "Android Market".

Check Text: Note: This requirement is Not Applicable if the AO has approved an unmanaged personal container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
Configuring an application installation policy on Samsung Android 7 with Knox by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the first of these steps.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, MDM server, and/or mobile application store).
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Disable Android Market" setting in the "Android Applications" rule.
2. Verify it is "Enabled".
On the Samsung Android 7 with Knox device, do the following:
1. Attempt to locate the "Google Play" application.
2. Verify it is not present on the device.
If the MDM console "Disable Android Market" is not "Enabled", or if the user can successfully launch Google Play on the Samsung Android 7 with Knox device, this is a finding.

PP-MDF-301080
KNOX-07-001200 The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]. Disable unknown sources.

<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.
SFR ID: FMT_SMF_EXT.1.1 #8a</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366, CCI-001806

Fix Text: Configure the Samsung Android 7 with Knox to disable unauthorized application repositories.
On the MDM console, deselect the "Allow Install Non Market App" checkbox in the "Android Restrictions" rule.
Note: Some MDM consoles may refer to "Unknown Sources" instead of "Non Market App".

Check Text: Configuring an application installation policy on Samsung Android 7 with Knox by specifying an application repository involves two steps: (1) Disabling Google Play, (2) Disabling unknown application sources. This validation procedure covers the second of these steps.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, MDM server, and/or mobile application store).
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Install Non Market App" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Attempt to enable "Unknown sources".
4. Verify it cannot be enabled.
If the MDM console "Allow Install Non Market App" checkbox is selected, or if the user can successfully enable "Unknown sources" on the Samsung Android 7 with Knox device, this is a finding.

PP-MDF-301090
KNOX-07-001400 The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: list of digital signatures, list of package names.

<VulnDiscussion>The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application - any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application - additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366, CCI-001806

Fix Text: Configure the Samsung Android 7 with Knox device to whitelist application installations based on one of the following characteristics:
- Digital signature
- Package Name
Both whitelists apply to user-installable applications only and do not control user access/execution of core and preinstalled applications. To restrict user access/execution of core and pre-installed applications, the MDM administrator must configure the "application disable list".
It is important to note that if the MDM administrator has not blacklisted an application characteristic (package name, digital signature), it is implicitly whitelisted, because whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and the whitelist, the whitelist (as the exception to the blacklist) takes priority and the user will be able to install the application. Therefore, the MDM administrator must configure the blacklists to include all package names and digital signatures for whitelisting to behave as intended. Note that some MDM vendors have implemented the blacklist function described above behind the scenes, and there may not be a blacklist function for the system administrator to configure.
On the MDM console, do one of the following:
1. Add each AO-approved package name to the "Package Name Whitelist" in the "Android Applications" rule.
2. Add each AO-approved digital signature to the "Signature Whitelist" in the "Android Applications" rule.
Note: Either list may be empty if the Authorizing Official (AO) has not approved any apps.
Note: Refer to the Supplemental document for additional information.

Check Text: Note: This requirement is Not Applicable if the AO has approved an unmanaged personal container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
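The precedence rule in the fix text above (an unlisted characteristic is implicitly allowed; a whitelist entry overrides a blacklist entry) is easy to get wrong in a console, and the symptom is silent: the whitelist looks populated but restricts nothing. The following Python model is an added example, not DISA, Samsung or any MDM vendor's code. It resolves one characteristic (a package name or a signer digest) against its blacklist and whitelist, shows why an empty blacklist defeats the whitelist, implements the AO-approval audit from the check text, and separates the "application disable list" that governs core and pre-installed apps. The "*" wildcard meaning "every value" is an assumption used here to express the deny-all blacklist the STIG requires; the package names are constructed for the example.

```python
"""Added example modelling the whitelist/blacklist precedence that
KNOX-07-001400 describes: a characteristic that is not blacklisted is
implicitly allowed, and a whitelist entry is an exception that overrides
the blacklist.  Not DISA, Samsung or any MDM vendor's code.  The '*'
wildcard standing for 'every package name / every signature' is an
assumption used to express the deny-all blacklist the STIG requires;
real consoles express that differently (or hide it entirely)."""

from typing import Iterable, List, Set

ALL = "*"   # assumed wildcard meaning "every value of this characteristic"


def install_allowed(value: str, blacklist: Set[str], whitelist: Set[str]) -> bool:
    """Resolve one characteristic (a package name or a signer digest)
    against its blacklist and whitelist.  Whitelist wins on conflict."""
    if value in whitelist:
        return True
    if ALL in blacklist:
        return False
    return value not in blacklist


def whitelist_is_effective(blacklist: Set[str]) -> bool:
    """Without a deny-all blacklist the whitelist is a list of exceptions
    to nothing, so anything not explicitly blacklisted installs."""
    return ALL in blacklist


def allowed_subset(candidates: Iterable[str], blacklist: Set[str], whitelist: Set[str]) -> List[str]:
    """Which of the candidate apps would the device let the user install?"""
    return sorted(c for c in candidates if install_allowed(c, blacklist, whitelist))


def audit_whitelist(whitelist: Set[str], ao_approved: Set[str]) -> List[str]:
    """Console check from the STIG: entries the AO has not approved (a finding if non-empty)."""
    return sorted(whitelist - ao_approved)


def launch_allowed(package: str, disable_list: Set[str]) -> bool:
    """Core/pre-installed apps are outside the install whitelists; the
    'application disable list' is what keeps the user from running them."""
    return package not in disable_list


if __name__ == "__main__":
    # Constructed package names for the example; not real AO-approved apps.
    approved = {"mil.example.approved.mail", "mil.example.approved.browser"}
    candidates = approved | {"com.example.cloudbackup", "com.example.game"}

    # Misconfiguration: whitelist populated, blacklist left empty -> everything installs.
    print(whitelist_is_effective(set()), allowed_subset(candidates, set(), approved))
    # Intended configuration: deny-all blacklist, whitelist as the exception.
    print(whitelist_is_effective({ALL}), allowed_subset(candidates, {ALL}, approved))
    # Conflict: the same package in both lists -> the whitelist wins.
    print(install_allowed("com.example.game", {"com.example.game"}, {"com.example.game"}))
    # Audit: a whitelist entry the AO never approved is a finding.
    print(audit_whitelist(approved | {"com.example.game"}, approved))
    # Pre-installed cloud backup app: blocked by the disable list, not the whitelist.
    print(launch_allowed("com.example.cloudbackup", {"com.example.cloudbackup"}))
```

When reviewing a console that hides the blacklist "behind the scenes", the first print above is the behaviour to test for on a spare device: if an app that is on neither list installs, the whitelist is not restricting anything.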
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations based on one of the following characteristics:
- Digital signature
- Package Name
Verify all applications listed on the whitelist have been approved by the Approving Official (AO).
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following (do 1 & 2 or 3 & 4):
1. Ask the MDM administrator to display the "Package Name Whitelist" in the "Android Applications" rule.
2. Verify the whitelist includes only package names that the Authorizing Official (AO) has approved.
OR
3. Ask the MDM administrator to display the "Signature Whitelist" in the "Android Applications" rule.
4. Verify the whitelist includes only digital signatures the Authorizing Official (AO) has approved.
Note: Either list may be empty if the Authorizing Official (AO) has not approved any apps.
Note: Refer to the Supplemental document for additional information.
If the MDM console "Package Name Whitelist" or "Signature Whitelist" contains entries the AO has not approved, this is a finding.

PP-MDF-301100
KNOX-07-001600 The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).

<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application – any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application – additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366, CCI-001806

Fix Text: Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:
- Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).
On the MDM console, add all applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services) to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
Note: Include Samsung Accounts on the list.

Check Text: Note: This requirement is Not Applicable if the AO has approved an unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:
-Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Applications" rule.
2. Verify the list contains all applications which backup MD data to non-DoD cloud servers (including user and application access to cloud backup services).
If the MDM console "Application disable list" is not properly configured, or if the user is able to launch an application on the list on the Samsung Android 7 with Knox device, this is a finding.
Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.
Note: The following application allows a user to configure a Samsung Account on the device, which allows the user to back up files (including S Health data) to Samsung servers as well as download applications from the Samsung Apps (Galaxy Apps) store: Samsung Account application.
Note: Refer to the Supplemental document for additional information.

PP-MDF-301100
KNOX-07-001700 The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Transmit MD diagnostic data to non-DoD servers.

<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application – any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application – additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366, CCI-001806

Fix Text: Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:
- Transmit MD diagnostic data to non-DoD servers.
On the MDM console, add all applications which transmit MD diagnostic data to non-DoD servers to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document, Table 6-1, for additional information.

Check Text: Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:
- Transmit MD diagnostic data to non-DoD servers.
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Applications" rule.
2. Verify the list contains all applications which allow transmission of MD diagnostic data to non-DoD servers.
If the MDM console "Application disable list" is not properly configured, or if the user is able to launch an application on the list on the Samsung Android 7 with Knox device, this is a finding.

PP-MDF-301100
KNOX-07-001800 The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Voice assistant application if available when MD is locked.

<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application – any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application – additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion>
Documentable: false
DPMS Target: Samsung Android OS 7 with Knox 2.x (3253)
CCI: CCI-000366, CCI-001806

Fix Text: Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:
- Voice assistant application if available when MD is locked.
On the MDM console, add all applications which provide voice assistant when MD is locked to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.

Check Text: This requirement is Not Applicable if the AO has approved an unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:
- Voice assistant application if available when MD is locked.
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all applications which allow voice assistant when MD is locked.
If the MDM console "Application disable list" is not properly configured, or if on the Samsung Android 7 with Knox device the user is able to launch the applications on the list, this is a finding.
PP-MDF-301100<GroupDescription></GroupDescription>KNOX-07-001900The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Voice dialing application if available when MD is locked.<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application – any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application – additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-001806
Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:
- Voice dialing application if available when MD is locked.
On the MDM console, add all applications which provide voice dialing when MD is locked to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:
- Voice dialing application if available when MD is locked.
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all applications which allow voice dialing when MD is locked.
If the MDM console "Application disable list" is not properly configured, or if on the Samsung Android 7 with Knox device the user is able to launch the applications on the list, this is a finding.
PP-MDF-301100<GroupDescription></GroupDescription>KNOX-07-002000The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Allows synchronization of data or applications between devices associated with user.<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application – any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application – additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-001806
Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:
- Allows synchronization of data or applications between devices associated with user.
On the MDM console, add all applications which allow synchronization of data or applications between devices associated with user to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:
- Allows synchronization of data or applications between devices associated with user.
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all applications which allow synchronization of data or applications between devices associated with user.
If the MDM console "Application disable list" is not properly configured, or if on the Samsung Android 7 with Knox device the user is able to launch the applications on the list, this is a finding.
Note: The following applications are known to be pre-installed applications which allow synchronization of data or applications between devices associated with user, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.
Note: Refer to the Supplemental document for additional information.
PP-MDF-301100<GroupDescription></GroupDescription>KNOX-07-002200The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.
Application note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application – any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application – additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-001806
Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
On the MDM console, add all applications which allow unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all applications which allow unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
If the MDM console "Application disable list" is not properly configured, or if on the Samsung Android 7 with Knox device the user is able to launch the applications on the list, this is a finding.
Note: Refer to the Supplemental document for additional information.
PP-MDF-301110<GroupDescription></GroupDescription>KNOX-07-002400The Samsung Android 7 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).<VulnDiscussion>Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.
SFR ID: FMT_SMF_EXT.1.1 #18h</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-001761
Configure the Samsung Android 7 with Knox to disable all Bluetooth profiles except for HSP, HFP, and SPP.
On the MDM console, make sure that all options are deselected except HFP, HSP, and SPP in the "Allowed Bluetooth Profiles" setting in the "Android Bluetooth" rule.
Review documentation on the Samsung Android 7 with Knox and inspect the configuration on the Samsung Android 7 with Knox to determine whether all Bluetooth profiles except for HSP, HFP, and SPP are disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allowed Bluetooth Profiles" settings in the "Android Bluetooth" rule.
2. Verify the only profiles selected are HSP, HFP, and SPP.
On the Samsung Android 7 with Knox device, do the following:
1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard).
2. Verify the Bluetooth peripheral does not pair with the Samsung Android 7 with Knox device.
If the MDM console "Allowed Bluetooth Profiles" setting includes profiles other than HSP, HFP, and SPP, or if the Samsung Android 7 with Knox device is able to pair with a peripheral that uses a profile other than HSP, HFP, or SPP (e.g., a Bluetooth keyboard), this is a finding.
Note: Disabling the Bluetooth radio will satisfy this requirement.
PP-MDF-301120<GroupDescription></GroupDescription>KNOX-07-002600The Samsung Android 7 with Knox must be configured to not display the following notifications when the device is locked: All notifications.<VulnDiscussion>Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the Samsung Android 7 with Knox to not send notifications to the lock screen mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #19</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-001199
Configure the Samsung Android 7 with Knox to not display notifications when the device is locked.
On the MDM console, enable "Hide content" or "Do not show notification" in the "Notifications on lock screen" setting in the "Android Restrictions" rule.
Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox settings to determine if the Samsung Android 7 with Knox displays notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Notifications on lock screen" settings in the "Android Restrictions" rule.
2. Verify that the "Hide content" or "Do not show notification" setting is enabled and the "Show content" setting is disabled.
On the Samsung Android 7 with Knox device, do the following:
1. Lock the device while there are notifications shown in the notification bar.
2. Turn the display on and verify that notification contents are hidden ("Hide content") or that no notifications are shown ("Do not show notification") on the lock screen.
If on the MDM console "Show content" is enabled and the Samsung Android 7 with Knox device allows notifications on the lock screen, this is a finding.
PP-MDF-301140<GroupDescription></GroupDescription>KNOX-07-003000The Samsung Android 7 with Knox must be configured to enable encryption for information at rest on removable storage media or, alternately, the use of removable storage media must be disabled.<VulnDiscussion>The Samsung Android 7 with Knox must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.
SFR ID: FMT_SMF_EXT.1.1 #21, #47f</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-001199
Configure the Samsung Android 7 with Knox to enable information at rest protection for removable media.
On the MDM console, do the following:
Enable the "External Storage Encryption" setting in the "Android Security" rule.
If the mobile device does not support removable media, this requirement is not applicable.
Review Samsung Android 7 with Knox configuration settings to determine if data in the mobile device's removable storage media is encrypted.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Storage Encryption" setting in the "Android Security" rule.
2. Verify the "SD Card Encryption" setting is enabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Insert a MicroSD card into the device.
4. If the MicroSD card is not already encrypted, select "Encrypt SD card". Verify "The security policy restricts use of SD cards that are not encrypted" is displayed.
5. If the MicroSD card is encrypted, verify "Decrypt SD card" is displayed and cannot be selected.
If the specified encryption settings are not set to the appropriate values, this is a finding.
PP-MDF-301150<GroupDescription></GroupDescription>KNOX-07-003300The Samsung Android 7 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor and fingerprint authentication. Disable Trust Agents.<VulnDiscussion>Trust Agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.
SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-000370CCI-000381
Configure the Samsung Android 7 with Knox to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor.
Configure the Samsung Android 7 with Knox to disable Trust Agents.
On the MDM console, select the "Disable Keyguard Trust Agents" setting in the "Android Password Restrictions" rule.
Note: Disabling Trust Agents will disable Smart Lock.
Review documentation on the Samsung Android 7 with Knox and inspect the configuration on the Samsung Android 7 with Knox to determine whether Trust Agents are disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Password Restrictions" rule.
2. Verify the setting is "Alphanumeric".
3. Ask the MDM administrator to display the "Disable Keyguard Trust Agents" checkbox in the "Android Password Restrictions" rule.
4. Verify the checkbox is selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Other security settings".
4. Select "Trust agents".
5. Verify all Trust Agents are disabled (grayed out) and cannot be enabled.
If the MDM console "Disable Keyguard Trust Agents" checkbox is not selected, or if "Minimum Password Complexity" is not configured to "Alphanumeric", or if on the Samsung Android 7 with Knox device the user can enable a Trust Agent, this is a finding.
PP-MDF-301170<GroupDescription></GroupDescription>KNOX-07-003700The Samsung Android 7 with Knox must be configured to disable developer modes.<VulnDiscussion>Developer modes expose features of the Samsung Android 7 with Knox that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD-sensitive information. Disabling developer modes mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #26</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000381
Configure the Samsung Android 7 with Knox to disable developer modes.
On the MDM console, deselect the "Allow Developer Mode" checkbox in the "Android Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine whether a developer mode is enabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Developer Mode" checkbox in the "Android Restrictions" rule.
2. Verify that the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Developer options". (**)
3. Attempt to enable "Developer options".
If the MDM console "Allow Developer Mode" checkbox is selected, or if on the Samsung Android 7 with Knox device "Developer options" can be enabled by the user, this is a finding.
Note: The "Developer Modes" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables Developer modes on the mobile device.
(**) "Developer options" is initially hidden to users. To unhide this menu item:
1. Open the device settings.
2. Select "About device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Rapidly tap on "Build number" multiple times until the device displays the Developer Options menu item.
PP-MDF-301200<GroupDescription></GroupDescription>KNOX-07-004300The Samsung Android 7 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.<VulnDiscussion>The Samsung Android 7 with Knox is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.
System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner shall be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
The approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
For devices with severe character limitations, the banner text is:
I've read & consent to terms in IS user agreem't.
The administrator must configure the banner text exactly as written without any changes.
SFR ID: FMT_SMF_EXT.1.1 #36</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000048
Configure the Samsung Android 7 with Knox to display the DoD-mandated warning banner text.
On the MDM console, do the following:
1. Enter the correct text in the "Banner Text" field in the "DoD Banner" settings in the "Android Security" rule.
2. Select the enable checkbox in the "DoD Banner" settings in the "Android Security" rule.
Note: If enabled without configuring the "Banner Text", the device will display a default text which matches the required DoD banner.
Note: On some MDM vendor consoles, the logon banner is displayed automatically upon reboot while the device is MDM-enrolled. On these consoles, this control is not configurable through the MDM server or on the device.
Review Samsung Android 7 with Knox documentation and configuration settings to determine if the warning banner is using the appropriate designated wording.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Banner Text" field in the "DoD Banner" settings in the "Android Security" rule.
2. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank.
3. Ask the MDM administrator to display the enable checkbox in the "DoD Banner" settings in the "Android Security" rule.
4. Verify the checkbox is selected.
On the Samsung Android 7 with Knox device, do the following:
1. Reboot the device.
2. Verify the device displays the DoD banner.
3. Verify the DoD banner is set to one of the authorized messages.
If the MDM console "DoD Banner" enable checkbox is not selected, or the "Banner Text" is not set to the appropriate designated wording, or the Samsung Android 7 with Knox device does not display a warning banner with the appropriate designated wording when rebooted, this is a finding.
Note: If enabled without configuring the "Banner Text", the device will display a default text which matches the required DoD banner.
PP-MDF-301210<GroupDescription></GroupDescription>KNOX-07-004500The Samsung Android 7 with Knox must be configured to disable USB mass storage mode.<VulnDiscussion>USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #39a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000381
Configure the Samsung Android 7 with Knox to disable USB mass storage mode.
On the MDM console, select the "Disable USB Media Player" checkbox in the "Android Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has a USB mass storage mode and whether it has been disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Disable USB Media Player" checkbox in the "Android Restrictions" rule.
2. Verify the "Disable USB Media Player" checkbox is selected.
Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).
On the Samsung Android 7 with Knox device, connect the device to a PC USB connection.
Note: Do not use a DoD network-managed PC for this test!
On the PC:
Verify the device is not shown in the PC finder.
If the MDM console "Disable USB Media Player" setting is not set to disable USB mass storage mode, or if the Samsung Android 7 with Knox device is shown as a USB mass storage device on the PC, this is a finding.
PP-MDF-301220<GroupDescription></GroupDescription>KNOX-07-004700The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems.<VulnDiscussion>Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000097Configure the Samsung Android 7 with Knox to disable backup to locally connected systems.
On the MDM console, select the "Disable USB Media Player" checkbox in the "Android Restrictions" rule.
Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).
Review Samsung Android 7 with Knox configuration settings to determine if the capability to back up to a locally connected system has been disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Disable USB Media Player" checkbox in the "Android Restrictions" rule.
2. Verify the "Disable USB Media Player" checkbox is selected.
Note: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).
On the Samsung Android 7 with Knox device, connect the device to a PC USB connection.
Note: Do not use a DoD network-managed PC for this test!
On the PC:
1. Install and launch Samsung Smart Switch (or Samsung KIES for older devices) on the PC.
2. Verify the device does not connect with the Samsung Smart Switch program.
If the MDM console "Disable USB Media Player" checkbox is not selected, or if the Samsung Android 7 with Knox device connects with the Samsung Smart Switch or KIES program, this is a finding.
PP-MDF-301230<GroupDescription></GroupDescription>KNOX-07-004900The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup.<VulnDiscussion>Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Samsung Android 7 with Knox. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD-sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. Google Backup is a device-wide control and, if enabled, will back up both personal and Knox data to personal Google cloud storage accounts.
SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-002338Configure the Samsung Android 7 with Knox to disable backup to remote systems (including commercial clouds).
On the MDM console, do the following: Deselect the "Allow Google Backup" checkbox in the "Android Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the capability to back up to a remote system has been disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Backup" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Backup and reset" under the Google account section.
3. Verify "Back up my data" is disabled and cannot be enabled.
If the MDM console "Allow Google Backup" checkbox is selected, or if the user can enable "Back up my data" on the Samsung Android 7 with Knox device, this is a finding.
PP-MDF-301230<GroupDescription></GroupDescription>KNOX-07-004950The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.<VulnDiscussion>Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Samsung Android 7 with Knox. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD-sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #40</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-002338Configure the Samsung Android 7 with Knox to disable backup to remote systems (including commercial clouds).
On the MDM console, do the following:
- Deselect the "Allow Google Accounts Auto Sync" checkbox in the "Android Restrictions" rule.
- List all pre-installed public cloud backup applications in the "application disable list".
This requirement is Not Applicable if the AO has approved an unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the capability to back up to a remote system has been disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Accounts Auto Sync" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
3. View the "application disable list".
4. Verify the list contains all preinstalled cloud backup applications.
On the Samsung Android 7 with Knox device, do the following:
1. Attempt to launch a cloud backup application located on the device.
2. Verify the application will not launch.
If the MDM console "Allow Google Accounts Auto Sync" checkbox is selected, or if the user can enable "Back up my data" on the Samsung Android 7 with Knox device, this is a finding.
If the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.
PP-MDF-301240<GroupDescription></GroupDescription>KNOX-07-005100The Samsung Android 7 with Knox must be configured to enable authentication of personal hotspot connections to the device using a preshared key.<VulnDiscussion>If there is no authentication required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk.
Application note: If hotspot functionality is permitted, it must be authenticated via a preshared key. There is no requirement to enable hotspot functionality.
SFR ID: FMT_SMF_EXT.1.1 #41a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-002314Configure the Samsung Android 7 with Knox to enable authentication of personal hotspot connections to the device using a preshared key.
On the MDM console, deselect the "Allow Unsecured Hotspot" checkbox in the "WiFi Policy" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a preshared key.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Unsecured Hotspot" checkbox in the "WiFi Policy" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Mobile hotspot and tethering".
3. Select "Mobile hotspot".
4. Select "Configure Mobile hotspot" more options.
5. Verify that the user cannot save the configuration with security set to "Open".
If the MDM console "Allow Unsecured Hotspot" checkbox is selected, or if the Samsung Android 7 with Knox device can be configured as a Mobile Hotspot with "Open" security, this is a finding.
PP-MDF-301260<GroupDescription></GroupDescription>KNOX-07-005500The Samsung Android 7 with Knox must be configured to disable exceptions to the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.<VulnDiscussion>App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD-sensitive information. To mitigate this risk, there are data sharing restrictions. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the administrator or common application developer mitigates this risk.
Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.
SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-002191Configure the Samsung Android 7 with Knox to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
On the MDM console, create the "Android Knox Container" rule and push this rule to the device.
Not Applicable for the COBO use case.
Review documentation on the Samsung Android 7 with Knox and inspect the configuration on the Samsung Android 7 with Knox to verify the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes is enabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Android Knox Container" rule.
2. Verify the existence of this rule.
3. Note that pushing this rule to a device that does not have a container installed will result in creation of the container.
On the Samsung Android 7 with Knox device, do the following:
1. Verify the existence of the Knox icon on the device home screen or application menu or the notification bar pull-down menu.
2. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent.
If the MDM console "Android Knox Container" rule cannot be configured, or if the Knox icon is not present, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.
Note: This validation procedure is identical to the one for KNOX-07-012800 (Knox container must be enabled). It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to Authorizing Officials (AOs).
PP-MDF-301270<GroupDescription></GroupDescription>KNOX-07-005700The Samsung Android 7 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Disable Google Crash Report.<VulnDiscussion>Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach Samsung Android 7 with Knox security. Disabling automatic transfer of such information mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000381Configure the Samsung Android 7 with Knox to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
Configure the mobile operating system to disable Google Crash Report.
On the MDM console, deselect the "Allow Google Crash Report" checkbox in the "Android Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the device disables automatic transfer of diagnostic data to an external server other than an MDM service with which the device has enrolled.
Disabling automatic transfer of diagnostic data to an external device on Samsung Android 7 with Knox involves two steps:
1. Disable Google Crash Report.
2. Disable Report diagnostic info.
This validation procedure covers the first of these steps. This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Crash Report" checkbox in the "Android Restrictions" rule.
2. Verify the setting is not selected.
If the MDM console "Allow Google Crash Report" checkbox is selected, this is a finding.
PP-MDF-301270<GroupDescription></GroupDescription>KNOX-07-005900The Samsung Android 7 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Disable Report Diagnostic Info.<VulnDiscussion>Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach Samsung Android 7 with Knox security. Disabling automatic transfer of such information mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47a</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000381Configure the Samsung Android 7 with Knox to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
Configure the mobile operating system to disable Report diagnostic info.
1. Open the device settings.
2. Select "Privacy and emergency".
3. Uncheck the "Report diagnostic info" setting.
Review Samsung Android 7 with Knox configuration settings to determine if the device disables automatic transfer of diagnostic data to an external server other than an MDM service with which the device has enrolled.
Disabling automatic transfer of diagnostic data to an external device on Samsung Android 7 with Knox involves two steps:
1. Disable Google Crash Report.
2. Disable Report diagnostic info.
This validation procedure covers the second of these steps. This validation procedure is performed on the Samsung Android 7 with Knox device only.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Privacy and emergency".
3. Verify "Report diagnostic information" setting is off.
If the Samsung Android 7 with Knox device "Report diagnostic information" is enabled, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
PP-MDF-301280<GroupDescription></GroupDescription>KNOX-07-006100The Samsung Android 7 with Knox must be configured to disable multi-user modes.<VulnDiscussion>Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies.
SFR ID: FMT_SMF_EXT.1.1 #47b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-002110Configure the Samsung Android 7 with Knox to disable multi-user modes.
On the MDM console, deselect the "Allow multi-user mode" setting in the "Android MultiUser" rule.
Note: This requirement is only applicable for tablet devices.
Review documentation on the Samsung Android 7 with Knox and inspect the configuration on the Samsung Android 7 with Knox to verify that multi-user modes are disabled.
Note: This requirement is only applicable for tablet devices.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow multi-user mode" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Attempt to add a user in the "User" setting.
3. Verify that the "User" setting is not available.
If the MDM console "Allow multi-user mode" checkbox is selected, or if the user is able to add a user on the Samsung Android 7 with Knox device, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012100The Samsung Android 7 with Knox must implement the management setting: Enable CC mode.<VulnDiscussion>CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the mobile device is more at risk of being compromised if lost or stolen. If CC Mode is not implemented, the device will not be operating in the NIAP-certified compliant CC mode of operation.
CC mode implements the following controls:
- enables the OpenSSL FIPS crypto library
- sets the maximum number of failed password attempts before the device is wiped to 5 (5 consecutive failed attempts will wipe the device)
- disables ODIN mode (download mode)
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce CC mode.
On the MDM console, enable the "Enable CC mode" setting in the "Android Advanced Restrictions" rule.
If this setting is not available on the console, install the CC mode APK and enable CC mode from this application.
This APK will be made available by Samsung.
Note: Before the CC policy is applied, the CC mode state will be "Ready". Once the policy is applied, the state will change to "Enforced" until the device meets all the prerequisites.
If the device meets all prerequisites, CC mode will be enabled after rebooting and the state will change to "Enabled".
If the device is tampered with or the FIPS self-test fails, the state will change to "Disabled".
Note: To fully enable CC mode, the following prerequisites must be satisfied:
1. Enable Device Encryption
2. Enable SD Card Encryption
3. Set maximum Password Attempts before Wipe
4. Enable Certificate Revocation
5. Disable Password History
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing CC mode.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "CC Mode State" settings in the "Android Advanced Restrictions" rule.
2. Verify the value is enabled.
Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "About Device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Verify the value of "Security software version" displays "Enabled".
If the MDM console "CC Mode State" is not set to "Enabled", or if "Security software version" on the Samsung Android 7 with Knox device does not display "Enabled", this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012300The Samsung Android 7 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device.<VulnDiscussion>DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to install DoD root and intermediate certificates.
On the MDM console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the "Android Certificate" rule.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or
http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has the DoD root and intermediate PKI certificates installed.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or
http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).
On the MDM console, do the following:
1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate" rule.
2. Verify the DoD root and intermediate PKI certificates are present.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Other security settings".
4. Select "View security certificates".
5. Review Certificate Authorities listed under the "System" and "User" tabs.
6. Verify the presence of the DoD root and intermediate certificates.
If the MDM console "Android Certificate" rule does not have the DoD root and intermediate PKI certificates present, or if "View security certificates" on the Samsung Android 7 with Knox device does not show the DoD root and intermediate PKI certificates, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012400The Samsung Android 7 with Knox must implement the management setting: Disable Allow New Admin Install.<VulnDiscussion>An application with administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, then this will allow another MDM administrator (assuming it has the proper Knox licenses) the ability to configure potentially conflicting policies on the device that may not meet DoD security requirements. Although an MDM cannot disable another MDM's policies or remove another MDM from the device, there is the potential of creating policies that could conflict with enterprise policies. Therefore, other applications requesting administrator permissions should be blocked from installation.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to disallow new admin installations.
On the MDM console, select the "Prevent New Admin Install" checkbox in the "Android Advanced Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to disallow new admin installations.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Prevent New Admin Install" checkbox in the "Android Advanced Restrictions" rule.
2. Verify the checkbox is selected.
Note: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM.
Note: Android Device Manager must first be disabled on the device in order to successfully apply this policy. This can only be done manually on the device by selecting "Lock screen and security", then "Other security settings", then "Device administrators", and then disable Android Device Manager.
On the Samsung Android 7 with Knox device, do the following:
1. Attempt to install an application that requires admin permissions.
2. Verify the application is blocked from being installed.
If the MDM console "Prevent New Admin Install" checkbox is not selected, or if the user is able to install another application requiring admin permissions on the Samsung Android 7 with Knox device, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012500The Samsung Android 7 with Knox must implement the management setting: Configure application install blacklist.<VulnDiscussion>Blacklisting all applications is required so that only whitelisted applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to Blacklist Application Install.
On the MDM console, do one of the following:
1. Add all package names by wildcard ('.*') to the "Package Name Blacklist" setting in the "Android Applications" rule.
2. Add all digital signatures by wildcard ('.*') to the "Signature Blacklist" setting in the "Android Applications" rule.
Note: This requirement is Not Applicable if the AO has approved an unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is Blacklisting Application Install.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, perform steps 1 and 2, or steps 3 and 4:
1. Ask the MDM administrator to display the "Package Name Blacklist" setting in the "Android Applications" rule.
2. Verify the setting is configured to include all package names (specified by the wildcard string ".*").
OR
3. Ask the MDM administrator to display the "Signature Blacklist" setting in the "Android Applications" rule.
4. Verify the setting is configured to include all digital signatures (specified by the wildcard string ".*").
If the MDM console "Package Name Blacklist" or "Signature Blacklist" settings are not set to include all entries, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012600
The Samsung Android 7 with Knox must implement the management setting: Disable USB host storage.
<VulnDiscussion>The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. Disabling this feature mitigates the risk of compromising sensitive DoD data. USB host storage is automatically disabled in the Knox container.
Note: USB host storage must be enabled in the personal space/container in order to use the DeX Station.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to disable USB host storage.
On the MDM console, deselect the "Allow USB host storage" checkbox in the "Android Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to disable USB host storage.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow USB host storage" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Connect a Micro USB to USB OTG adaptor to the device.
2. Connect a USB thumb drive to the adaptor.
3. Verify the device cannot access the USB thumb drive.
If the MDM console "Allow USB host storage" checkbox is selected, or if on the Samsung Android 7 with Knox device the user is able to access the USB thumb drive from the device, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012700
The Samsung Android 7 with Knox must implement the management setting: Disable S Voice.
<VulnDiscussion>On Samsung Android 7 with Knox devices, users may be able to access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack. The Authorizing Official (AO) may waive this requirement with written notice if the operational environment requires this capability.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to disable S Voice.
On the MDM console, deselect the "Allow S Voice" checkbox in the "Android Restrictions" rule.
Note: This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to disable S Voice.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow S Voice" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Applications".
3. Verify the S Voice application cannot be selected.
If the MDM console "Allow S Voice" checkbox is selected, or if on the Samsung Android 7 with Knox device the S Voice application can be launched, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012800
The Samsung Android 7 with Knox must be configured to implement the management setting: Enable Container.
<VulnDiscussion>The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly higher risk of compromise because they are not protected by encryption, isolation, etc.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to enable the container.
On the MDM console, create the "Android Knox Container" rule and push this rule to the device.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has the container enabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Android Knox Container" rule.
2. Verify the existence of this rule.
3. Pushing this rule to the device that does not have a container installed will result in creation of the container.
On the Samsung Android 7 with Knox device, do the following:
1. Verify the existence of the Knox icon on the device home screen or application menu or the notification bar pull-down menu.
2. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent.
If the MDM console "Android Knox Container" rule cannot be configured, if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), or if the Knox icon is not present on the Samsung Android 7 with Knox device, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-012900
The Samsung Android 7 with Knox must implement the management setting: Disable Admin Remove.
<VulnDiscussion>DoD policy requires DoD mobile devices to be managed via a mobile device management service. If Admin Remove is not disabled, the mobile device user can remove the administrator (MDM) from the device.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to Disable Admin Remove.
On the MDM console, deselect the "Allow Admin Remove" checkbox in the "Android Restrictions" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to Disable Admin Remove.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Admin Remove" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Other security settings".
4. Select "Device (or Phone) administrators".
5. Verify the enterprise MDM agent is on and cannot be turned off.
If the MDM console "Allow Admin Remove" checkbox is selected, or if on the Samsung Android 7 with Knox device "Device administrators" can be turned off, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-013000
The Samsung Android 7 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
<VulnDiscussion>A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to enable a Certificate Revocation Status (CRL) Check.
On the MDM console, do the following:
1. Enter the string '*' (asterisk) in the package list in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.
2. Select the enable checkbox in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to enable a Certificate Revocation Status (CRL) Check.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the package list in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.
2. Verify the string is '*' (asterisk).
3. Ask the MDM administrator to display the enable checkbox in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.
4. Verify the checkbox is selected.
If the MDM console "Certificate Revocation Check (CRL)" settings are not enabled for all packages, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-013100
The Samsung Android 7 with Knox must implement the management setting: Disable Manual Date Time Changes.
<VulnDiscussion>Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events.
Periodically synchronizing internal clocks with an authoritative time source is needed in order to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android 7 with Knox are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), or the Global Positioning System (GPS), or the wireless carrier.
Time stamps generated by the audit system in Samsung Android 7 with Knox must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to disable manual date and time changes.
On the MDM console, deselect the "Date Time Changes Enabled" checkbox in the "Android Date Time" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to disable manual date and time changes.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Date Time Changes Enabled" checkbox in the "Android Date Time" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Date and time".
3. Verify the "Automatic date and time" is on.
4. Verify a user cannot turn off the "Automatic date and time".
If the MDM console "Date Time Changes Enabled" checkbox is selected, or if on the Samsung Android 7 with Knox device "Automatic date and time" is not on or the user is able to turn it off, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-013900
The Samsung Android 7 with Knox must implement the management setting: Disable Move Files from Container to Personal.
<VulnDiscussion>Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to unauthorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to enforce not allowing move of files from Container to personal.
On the MDM console, disable the "Move Files from Container to Personal" setting in the "Android Knox Container >> Container Application" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing not allowing moving of files from Container to personal.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Move Files from Container to Personal" setting in the "Android Knox Container >> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "My Files" application.
3. Select a file by long pressing a selection.
4. Select "Settings".
5. Select "Move to Personal mode".
6. Verify this operation is blocked.
If the MDM console "Move Files from Container to Personal" setting is not disabled, or if on the Samsung Android 7 with Knox device the user is able to successfully move the selected file to the personal space, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-014300
The Samsung Android 7 with Knox must implement the management setting: Container Account whitelist.
<VulnDiscussion>Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized recipients.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366
Configure the Samsung Android 7 with Knox to enforce Container Account Whitelisting.
On the MDM console, add all DoD-approved email domains to the "Account whitelist" setting in the "Container Accounts" rule.
Note: Recommended to add .*@mail.mil.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing Container Account Whitelisting.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Account whitelist" setting in the "Container Accounts" rule.
2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil).
Note: Proper configuration of Account blacklist is required for this configuration to function correctly.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Open "Settings".
3. Select "Accounts".
4. Select "Add account".
5. Select "Email" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain.
6. Verify the email account can be added.
7. Attempt to add an email account with a domain not approved by DoD.
8. Verify that the email account cannot be added.
If the MDM console "Account whitelist" does not contain DoD-approved email domains, or if on the Samsung Android 7 with Knox device the user is able to successfully configure an email account with a domain not approved by DoD, or is not able to add the DoD-approved email account, this is a finding.
PP-MDF-992000<GroupDescription></GroupDescription>KNOX-07-017000
The Samsung DeX Station multimedia dock must not be connected directly to a DoD network.
<VulnDiscussion>If the Samsung DeX Station multimedia dock is connected to a DoD network, the Samsung smartphone connected to the DeX Station will be connected to the DoD network as well. The Samsung smartphone most likely has a number of personal apps installed that may include malware or have high risk behaviors (for example, offloading data from the phone to third-party servers outside the United States). In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.
Note: The Samsung DeX Station will not work unless "USB host storage" is enabled (see requirement KNOX-07-012600 for more information).
SFR ID: FMT_MOF_EXT.1.2 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-000370
When using the DeX Station multimedia dock with a DoD Samsung smartphone, do not connect the DeX Station to a DoD network via a wired or wireless connection.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
Review Samsung DeX Station installations at the site and verify the stations are not connected to DoD networks via wired or wireless connections.
If Samsung DeX Station installations at the site are connected to DoD networks via wired or wireless connections, this is a finding.
Note: Connections to a site's guest wired or wireless network that provides Internet-only access can be used.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
PP-MDF-301060<GroupDescription></GroupDescription>KNOX-07-017100
The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side.
<VulnDiscussion>The device VPN must be configured to disable access from the personal space/container since it is considered an untrusted environment. Therefore, apps located in the personal container on the device should not have the ability to access a DoD network. In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.
SFR ID: FMT_SMF_EXT.1.1 #3</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000068
Configure the Samsung Android 7 with Knox native VPN client in one of the following configurations so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only.
3. Configured for per app use for the personal side.
This implementation guidance covers the first of these options.
On the MDM console, deselect the "Allow VPN" checkbox in the "Android Restrictions" rule.
Not Applicable for the COBO use case.
The native VPN client on Samsung Android 7 with Knox must be configured in one of the following configurations:
1. Disabled
2. Configured for container use only
3. Configured for per app use for the personal side
This validation procedure covers the first of these options. This procedure is Not Applicable if option 2 or 3 was implemented at the site.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device native VPN client is disabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow VPN" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
On the Samsung Android 7 with Knox device, do the following:
1. Open device settings.
2. Select "Connections".
3. Select "More".
4. Verify the "VPN" is disabled (grayed out) and cannot be selected.
If the MDM console "Allow VPN" checkbox is selected, or if on the Samsung Android 7 with Knox device the user can select "VPN", this is a finding.
PP-MDF-301060<GroupDescription></GroupDescription>KNOX-07-017110
The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only 3. Configured for per app use for the personal side
<VulnDiscussion>The device VPN must be configured to disable access from the personal space/container since it is considered an untrusted environment. Therefore, apps located in the personal container on the device should not have the ability to access a DoD network. In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.
SFR ID: FMT_SMF_EXT.1.1 #3</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000068
Configure the Samsung Android 7 with Knox VPN client in one of the following configurations so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only
3. Configured for per app use for the personal side
This implementation guidance covers the second of these options.
On the MDM Administration Console, do the following:
1. Configure the organization VPN profile in the "Enterprise VPN profiles" rule.
2. Enable "Add All Container Packages To Vpn" in the "Generic VPN" rule.
Not Applicable for the COBO use case.
The VPN client on Samsung Android 7 with Knox must be configured in one of the following configurations:
1. Disabled
2. Configured for container use only
3. Configured for per app use for the personal side
This validation procedure covers the second of these options. This procedure is Not Applicable if option 1 or 3 was implemented at the site.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has VPN protection for the Knox container only enabled.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Get All Container Packages In Vpn Profile" setting in the "Generic VPN" rule.
2. Verify the value of the setting is the list of all the Container Packages.
3. Ask the MDM administrator to display the list of configured VPN profiles in the "VPN profiles" rule.
4. Verify the list includes the organization VPN profile.
If the MDM console "Get All Container Packages In Vpn Profile" does not list all the Container Packages or "VPN profiles" does not list the organization VPN profile, this is a finding.
PP-MDF-301060<GroupDescription></GroupDescription>KNOX-07-017120
The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side.
<VulnDiscussion>The device VPN must be configured to disable access from the personal space/container since it is considered an untrusted environment. Therefore, apps located in the personal container on the device should not have the ability to access a DoD network. In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.
SFR ID: FMT_SMF_EXT.1.1 #3</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000068
Configure the Samsung Android 7 with Knox VPN client in one of the following configurations so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only.
3. Configured for per app use for the personal side.
This implementation guidance covers the third of these options.
On the MDM Administration Console, do the following:
1. Configure the organization VPN profile in the "Enterprise VPN profiles" rule.
2. Add each AO-approved Package to "Add Packages To Vpn" in the "Generic VPN" rule.
Not Applicable for the COBO use case.
The VPN client on Samsung Android 7 with Knox must be configured in one of the following configurations:
1. Disabled
2. Configured for container use only.
3. Configured for per app use for the personal side.
This validation procedure covers the third of these options. This procedure is Not Applicable if option 1 or 2 was implemented at the site.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has VPN protection for per app use for the personal side.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Get All Packages In Vpn Profile" setting in the "Generic VPN" rule.
2. Verify the value of the setting is the list of all the AO-approved Packages.
3. Ask the MDM administrator to display the list of configured VPN profiles in the "VPN profiles" rule.
4. Verify the list includes the organization VPN profile.
If the MDM console "Get All Packages In Vpn Profile" contains packages not AO-approved or "VPN profiles" does not list the organization VPN profile, this is a finding.
PP-MDF-301060<GroupDescription></GroupDescription>KNOX-07-017130
If a third-party VPN client is installed in the personal space/container, it must not be configured with a DoD network (work) VPN profile.
<VulnDiscussion>The device VPN must be configured to disable access from the personal space/container since it is considered an untrusted environment. Therefore, apps located in the personal container on the device should not have the ability to access a DoD network. In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.
SFR ID: FMT_SMF_EXT.1.1 #3</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000068
If a third-party VPN client is installed in the personal space/container on a Samsung Android 7 with Knox device, do not configure the VPN client with a DoD network VPN profile.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if any third-party VPN client installed in the personal space/container on the device has been configured with a DoD network (work) VPN profile.
This validation procedure is performed on the Samsung Android 7 with Knox device only.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Apps".
3. Review the list of apps. If any VPN client apps are installed, open each one in turn and review the list of VPN profiles configured on the VPN client.
4. Verify there are no DoD network VPN profiles configured on the VPN client.
If any third-party VPN client installed in the personal space/container has a DoD network VPN profile configured on the client, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement (unless an application white list/black list is configured for the personal space/container).PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-017200The Samsung Android 7 with Knox must be configured to disable Phone Visibility.<VulnDiscussion>The Phone Visibility feature allows other devices to find the phone (Galaxy S8) and transfer files. The phone will appear in the list of available devices when files are transferred via "Transfer files to devices".
This feature can potentially result in unauthorized access to and compromise of sensitive DoD files. Disabling this feature will mitigate this risk.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366If the feature is not present as described on a specific device model, this requirement is Not Applicable (NA).
Configure the Samsung Android 7 with Knox to disable Phone Visibility.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "More" under Wireless and networks.
3. Disable "Phone visibility".
If the feature is not present as described on a specific device model, this requirement is Not Applicable (NA).
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to disable Phone Visibility.
This validation procedure is performed on the Samsung Android 7 with Knox device only.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Connections".
3. Select "Phone visibility".
4. Verify this is disabled.
If, on the Samsung Android 7 with Knox device, "Phone Visibility" is not set to disabled, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.PP-MDF-301150<GroupDescription></GroupDescription>KNOX-07-017400The Samsung Android 7 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor. Disable Face Recognition.<VulnDiscussion>The Face Recognition feature allows a user's face to be registered and used to unlock the device. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.
SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-000370CCI-000381Configure the Samsung Android 7 with Knox to disable Face Recognition.
On the MDM console, add all packages associated with the Face Recognition feature to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
Review documentation on the Samsung Android 7 with Knox and inspect the configuration on the Samsung Android 7 with Knox to disable Face Recognition.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all Face Recognition related packages.
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Verify "Face Recognition" status is "Register your face".
4. Attempt to register a face and verify that the function does not work.
If, on the Samsung Android 7 with Knox device, the "Face Recognition" function works, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-017800The Samsung Android 7 with Knox must be configured to Disable Bixby.<VulnDiscussion>On MOS devices, unauthorized users may be able to access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to disable Bixby.
On the MDM console, add all packages associated with the Bixby feature to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to disable Bixby.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all Bixby related packages.
On the Samsung Android 7 with Knox device, do the following:
1. Press the Bixby hardware button.
2. Verify Bixby does not start.
If the Samsung Android 7 with Knox device starts Bixby when pressing the hardware Bixby button, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-018000The Samsung Android 7 with Knox must be configured to Disable Smart Call.<VulnDiscussion>The Smart Call feature provides Caller ID and spam protection. It lets the user know who is calling even when the number is not on the user's contact list by using an online service to do the lookup. Users can also upload their name and number into the online service.
This could allow potentially DoD-sensitive data, such as names and telephone numbers, to be compromised.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to disable Smart Call.
On the Samsung Android 7 with Knox device, Smart Call is disabled by default.
Review documentation on the Samsung Android 7 with Knox and inspect the configuration on the Samsung Android 7 with Knox to disable Smart Call.
This validation procedure is performed on the Samsung Android 7 with Knox device only.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Phone app.
2. Open the Settings via the "3 dot menu".
3. Verify that "Caller ID and spam protection" is "Off".
If, on the Samsung Android 7 with Knox device, "Caller ID and spam protection" is not set to "Off", this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-018200The Samsung Android 7 with Knox must be configured to Add the MDM Client application to the Battery optimizations modes Whitelist.<VulnDiscussion>Doze and App Standby are power-saving features that extend battery life by deferring background CPU and network activity.
If the MDM Client is put into Doze or App Standby mode, the MDM Administrator may not be able to administer the MDM.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to add the MDM Client application to the Battery optimizations modes Whitelist.
On the MDM console, add the MDM Client Package name to the "Battery optimizations modes Whitelist" in the "Android Applications" rule.
Note: Some MDM consoles may require (or take as an optional input) the MDM Client Signature.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to add the MDM Client application to the Battery optimizations modes Whitelist.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Battery optimizations modes Whitelist" setting in the "Android Application" rule.
2. Verify the list contains the MDM Client.
If the MDM console "Battery optimizations modes Whitelist" does not contain the MDM Client, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-018400The Samsung Android 7 with Knox must implement the management setting: Configure application disable list.<VulnDiscussion>Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party preinstalled apps include apps from the vendor and carrier. Some of the applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce the application disable list.
On the MDM console, add all pre-installed applications that are not DoD-approved to the "Application disable list" setting in the "Android Applications" rule.
Note: Refer to the Supplemental document for additional information.
Note: Include Samsung Accounts on the list.
Note: This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.
Review Samsung Android 7 with Knox Container configuration settings to determine if the mobile device is enforcing the application disable list.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Applications" rule.
2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Authorizing Official (AO).
Note: Refer to the Supplemental document for additional information.
On the Samsung Android 7 with Knox device, attempt to launch an application that is included on the disable list.
Note: This application should not be visible.
If the MDM console "Application disable list" does not contain all core and pre-installed applications not approved by DoD, or if on the Samsung Android 7 with Knox device the user is able to launch an application on this list, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-018600The Samsung Android 7 with Knox must implement the management setting: Configure minimum password complexity.<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. A minimum level of complexity is needed to ensure a simple password or easily guessed password is not used.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to have a minimum password complexity.
On the MDM console, configure "Minimum Password Complexity" to PIN in the "Android Password Restrictions" rule.
Note: Some MDM consoles may display "Numeric" and "Numeric-Complex" instead of "PIN". Either selection is acceptable, but "Numeric-Complex" is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections, but they will cause the user to select a complex password, which is not required by the STIG.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has been configured with a minimum password complexity.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Restrictions" rule.
2. Verify the setting is "PIN". (see Note)
On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "Lock screen and security".
3. Select "Lock screen type".
4. Verify "Swipe", "Pattern", and "None" are disabled (grayed out) and cannot be enabled.
If the MDM console "Minimum Password Complexity" is not configured to "PIN", or on the Samsung Android 7 with Knox device, the user cannot enable the setting, this is a finding.
Note: Some MDM consoles may display "Numeric" and "Numeric-Complex" instead of "PIN". Either selection is acceptable, but "Numeric-Complex" is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections, but they will cause the user to select a complex password, which is not required by the STIG.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-018800The Samsung Android 7 with Knox must implement the management setting: Enable Audit Log.<VulnDiscussion>Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. The Requirement Statement lists key events that the system must generate an audit record for.
SFR ID: FAU_GEN.1.1 #8</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enable "Audit Log".
On the MDM console, select the "Enable Audit Log" checkbox in the "Android AuditLog" rule.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to enable the Audit Log.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Enable Audit Log" checkbox in the "Android Audit Log" rule.
2. Verify the checkbox is selected.
If the MDM console "Enable Audit Log" is not selected, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-018900The Samsung Android 7 with Knox must use a NIAP certified container for work data and applications.<VulnDiscussion>When a DoD mobile device contains apps in the personal container that have not been vetted by the DoD for malware or risky behaviors, the personal container must be considered an untrusted environment. Therefore, the data separation implementation between the personal data container and the work container must meet the requirements of the Mobile Device Fundamentals Protection Profile (FDP_ACF_EXT.1.2) to ensure sensitive DoD data in the work container is adequately separated.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Deploy DoD Samsung mobile devices with the Knox container and implement the Knox container. (See requirement KNOX-07-012800.)
Note: Samsung Knox is currently the only container technology/application that is NIAP certified for Samsung mobile devices.
Not Applicable for the COBO use case.
Not Applicable if the AO has not approved an unmanaged personal container.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has the Knox container enabled.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Android Knox Container" rule.
2. Verify the existence of this rule.
On the Samsung Android 7 with Knox device, do the following:
Verify the existence of the Knox icon on the device home screen or application menu or the notification bar pull-down menu.
If the MDM console "Android Knox Container" rule is not found in the MDM agent rule list (MDM vendor-specific check), or if on the Samsung Android 7 with Knox device the Knox icon is not present, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-019000Samsung Android 7 mobile device users must complete required training.<VulnDiscussion>The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the AO has approved the use of an unmanaged personal container, then the user must receive training on the risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised.
SFR ID: NA</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Have all Samsung device users complete training on the following topics. Users should acknowledge they have received training via a signed User Agreement or similar written record.
Training Topics:
- Operational security concerns introduced by unmanaged applications/unmanaged personal space/container including applications utilizing global positioning system (GPS) tracking
- Need to ensure no DoD data is saved to the personal container or transmitted from a personal app (for example, from personal email)
- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys, and to report any loss of control so that the credentials can be revoked. Upon device retirement, turn in, or reassignment, ensure a factory data reset is performed prior to device hand off. Follow Mobility service provider decommissioning procedures as applicable.
- How to configure the following User Based Enforcement (UBE) controls (users must configure the control) on the Samsung device:
- secure use of Calendar Alarm
- local screen mirroring and MirrorLink procedures (authorized/not authorized for use)
- disable Report Diagnostic Info
- do not connect Samsung DeX Station to any DoD network via Ethernet connection
- disable Phone Visibility
- disable Smart Call
- disable Nearby device scanning
- do not remove DoD intermediate and root PKI digital certificates
- disable WiFi Sharing
- do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space/container
- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space/container.
Review a sample of site User Agreements of Samsung device users or similar training records and training course content. Verify Samsung device users have completed required training.
If any Samsung device user is found not to have completed required training, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-019100The Samsung Android 7 with Knox platform must implement the management setting Disable Nearby devices.<VulnDiscussion>The Nearby devices feature allows the user to share files with other devices that are connected to the same WiFi access point using DLNA technology. Even though the user must allow requests from other devices, this feature can potentially result in unauthorized access to and compromise of sensitive DoD files. Disabling this feature will mitigate this risk.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the mobile operating system to disable Nearby devices.
This validation procedure is performed on the Samsung Android 7 with Knox device.
On the Samsung Android 7 with Knox device:
1. Open the device settings.
2. Select "More connection settings".
3. Select "Nearby devices".
4. Verify this is disabled.
If the setting is enabled and cannot be disabled, this is a finding.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-019200The Samsung Android 7 with Knox platform must implement the management setting: Disable Samsung WiFi Sharing.<VulnDiscussion>WiFi Tethering allows a device to act as an Access Point sharing its data connection with other wirelessly connected devices. Previously the device could only share its Mobile (Cellular) data connection. On the Device menus this is referred to as "Mobile Hotspot". The new feature is an optional configuration of WiFi Tethering/Mobile Hotspot, which allows the Device to share its WiFi connection with other wirelessly connected devices, instead of its Mobile (Cellular) connection.
WiFi sharing grants the "other" device access to a corporate WiFi network, and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a pre-shared key for personal hotspots.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Disable WiFi Sharing using one of the following methods:
1. If the AO has not approved hotspot tethering for site Samsung devices, on the MDM console, select the "Disable WiFi Tethering/Mobile Hotspot" checkbox in the "WiFi Policy" rule.
OR
2. If the AO has approved hotspot tethering for site Samsung devices, on the Samsung device go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot.
Turn off WiFi Sharing if it is enabled. WiFi Sharing is disabled by default.
Note: Mobile Hotspot must be enabled in order to enable WiFi Sharing.
Verify WiFi Sharing is disabled or, alternately, that the "WiFi Tethering/Mobile Hotspot" control is disabled.
First, determine if the AO has approved WiFi Tethering/Mobile Hotspot use. Written approval must be presented for verification of AO approval.
If there is no written AO approval for WiFi Tethering/Mobile Hotspot use, do the following:
- On the MDM console, verify the "WiFi Tethering/Mobile Hotspot" control is disabled in the "WiFi Policy" rule.
If the AO has approved WiFi Tethering/Mobile Hotspot use, do the following:
- On a sample of site Samsung devices, go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot and verify "Wi-Fi Sharing" is turned off.
Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.
If the AO has not approved WiFi Tethering/Mobile Hotspot use and on the MDM console the "WiFi Tethering/Mobile Hotspot" control is not disabled in the "WiFi Policy" rule, this is a finding.
If the AO has approved WiFi Tethering/Mobile Hotspot use and the WiFi Sharing setting on a Samsung device is turned on, this is a finding.PP-MDF-301020<GroupDescription></GroupDescription>KNOX-07-900300The Samsung Android 7 with Knox must be configured to not allow Container passwords that include more than two repeating or sequential characters.<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.
SFR ID: FMT_SMF_EXT.1.1 #1b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to prevent Container passwords from containing more than two repeating or sequential characters.
On the MDM console, do the following:
1. Set the "Maximum Sequential Characters" value to "2" in the "Android Knox Container >> Container Password Restrictions" rule.
2. Set the "Maximum Sequential Numbers" value to "2" in the "Android Knox Container >> Container Password Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is prohibiting container passwords with more than two repeating or sequential characters. If feasible, use a spare device to try to create a password with more than two repeating or sequential characters (e.g., bbb, 888, hij, 654).
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum Sequential Characters" setting in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is two or fewer sequential characters.
3. Ask the MDM administrator to display the "Maximum Sequential Numbers" setting in the "Android Knox Container >> Container Password Restrictions" rule.
4. Verify the value of the setting is two or fewer sequential numbers.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Select "Lock type".
4. Enter current password.
5. Select "Password".
6. Attempt to enter a password that contains more than two sequential characters or sequential numbers.
7. Verify the password is not accepted.
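As an added example (not part of the STIG and not Samsung or DISA tooling), the following Python implements the rule this requirement enforces, so a reviewer can see exactly which strings the two MDM settings are meant to reject. It uses the STIG's own samples (bbb, 888, hij, 654). Assumptions, also marked in the code: both MDM settings ("Maximum Sequential Characters" and "Maximum Sequential Numbers") are set to 2 and are represented by one `max_run` parameter; letter sequences are compared case-insensitively; a sequence is only counted within one character class (digits with digits, letters with letters).

```python
"""Check a candidate Knox container password for more than `max_run`
repeating or sequential characters.  Added illustration only; the
device's real policy engine is not reproduced here."""

from typing import Dict, Optional, Tuple

# Assumption: both MDM settings are configured to the STIG value of 2.
MAX_RUN = 2


def _longest_run(password: str, step: int) -> int:
    """Length of the longest run in which each character's code point
    differs from the previous one by exactly `step`:
    0 = repeating ("bbb", "888"), +1 = ascending ("hij"), -1 = descending ("654").
    Sequential runs are only counted within one character class, so the
    digit/punctuation neighbours "9:" or letters next to digits never form
    a sequence (an assumption; the STIG does not define the classes)."""
    best = run = min(len(password), 1)
    for prev, cur in zip(password, password[1:]):
        if step == 0:
            adjacent = cur == prev
        else:
            same_class = (prev.isdigit() and cur.isdigit()) or (
                prev.isalpha() and cur.isalpha()
            )
            adjacent = same_class and ord(cur) - ord(prev) == step
        run = run + 1 if adjacent else 1
        best = max(best, run)
    return best


def check_container_password(
    password: str, max_run: int = MAX_RUN
) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reason).  `accepted` is False when any run of
    repeating or sequential characters is longer than `max_run`."""
    repeat = _longest_run(password, 0)
    if repeat > max_run:
        return False, f"{repeat} repeating characters"
    # Assumption: letter sequences are case-insensitive ("Hij" counts as "hij").
    lowered = password.lower()
    seq = max(_longest_run(lowered, 1), _longest_run(lowered, -1))
    if seq > max_run:
        return False, f"{seq} sequential characters"
    return True, None


def stig_samples() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run the check over the sample fragments quoted in the STIG check text."""
    return {s: check_container_password(s) for s in ("bbb", "888", "hij", "654")}


if __name__ == "__main__":
    for sample, (accepted, reason) in stig_samples().items():
        print(f"{sample!r}: {'accepted' if accepted else 'rejected (' + reason + ')'}")
    print(check_container_password("bb12"))  # two repeats and a two-digit sequence: accepted
```

Running the script rejects all four STIG samples and accepts "bb12", which has a run of exactly two repeating characters and a two-digit sequence, the boundary the setting value "2" is meant to allow.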
If the MDM console "Maximum Sequential Characters" and "Maximum Sequential Numbers" are set to more than two repeating or sequential characters for the Knox container, or if on the Samsung Android 7 with Knox device a password with more than two repeating or sequential characters is accepted for the Knox container, this is a finding.PP-MDF-301090<GroupDescription></GroupDescription>KNOX-07-901500The Samsung Android 7 with Knox must be configured to enforce a Container application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, names.<VulnDiscussion>The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application - any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application - additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.
Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.
SFR ID: FMT_SMF_EXT.1.1 #8b</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366CCI-001806Configure the Samsung Android 7 with Knox to whitelist application installations into the container based on one of the following characteristics:
- Digital signature
- Package Name
Both whitelists apply to user installable applications only, and do not control user access/execution of core and preinstalled applications. To restrict user access/execution to core and pre-installed applications, the MDM administrator must configure the "application disable list".
It is important to note that if the MDM administrator has not blacklisted an application characteristic (package name, digital signature) then it is implicitly whitelisted, as whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and whitelist, the whitelist (as the exception to the blacklist) takes priority, and the user will be able to install the application. Therefore, the MDM administrator must configure the blacklists to include all package names or digital signatures for whitelisting to behave as intended.
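The precedence described above (a whitelist entry is an exception to the blacklist and wins a tie; an unlisted characteristic is implicitly allowed) is modeled below as an added Python illustration. It is not Samsung, DISA or MDM vendor code: the package names and signature strings are constructed placeholders, treating list entries as regular expressions (consistent with the ".*" wildcard this STIG uses) is an assumption, and so is permitting an install when either characteristic is whitelisted, which follows the device check wording "not whitelisted by either package name or digital signature". It shows why the whitelists configured here behave as intended only once both blacklists required by KNOX-07-913700 contain ".*".

```python
"""Model of the Knox container application install decision described in this STIG.

Added illustration, not Samsung's, DISA's or an MDM vendor's code. Semantics
taken from the text: a whitelist entry is an exception to the blacklist and wins
a tie; a characteristic that appears on neither list is implicitly allowed.
Assumptions: list entries are regular expressions (the STIG's ".*" wildcard is
regex syntax), and an install is permitted when either characteristic is
whitelisted.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class ContainerAppPolicy:
    """The four lists in the "Android Knox Container >> Container Applications" rule."""
    package_blacklist: List[str] = field(default_factory=list)
    package_whitelist: List[str] = field(default_factory=list)
    signature_blacklist: List[str] = field(default_factory=list)
    signature_whitelist: List[str] = field(default_factory=list)


def _listed(value: str, patterns: List[str]) -> bool:
    """True if value fully matches any entry; ".*" therefore matches everything."""
    return any(re.fullmatch(pattern, value) for pattern in patterns)


def install_allowed(package_name: str, signature: str, policy: ContainerAppPolicy) -> bool:
    """Return True if the container would accept the install under the policy."""
    whitelisted = (_listed(package_name, policy.package_whitelist)
                   or _listed(signature, policy.signature_whitelist))
    blacklisted = (_listed(package_name, policy.package_blacklist)
                   or _listed(signature, policy.signature_blacklist))
    if whitelisted:
        return True          # the whitelist is the exception and takes priority
    return not blacklisted   # nothing blacklisted means implicitly whitelisted


def blacklists_cover_all(policy: ContainerAppPolicy) -> bool:
    """The KNOX-07-913700 condition: both blacklists contain the ".*" wildcard."""
    return ".*" in policy.package_blacklist and ".*" in policy.signature_blacklist


# Constructed placeholder identifiers; not real package names or signatures.
APPROVED_PKG = "org.example.approved"
UNAPPROVED_PKG = "org.example.unapproved"
UNAPPROVED_SIG = "PLACEHOLDER-SIGNATURE-UNAPPROVED"

# Whitelist populated but blacklists left empty: every unlisted app is allowed.
WHITELIST_ONLY = ContainerAppPolicy(package_whitelist=[APPROVED_PKG])

# STIG-conformant: both blacklists wildcarded, whitelist carries AO approvals.
STIG_POLICY = ContainerAppPolicy(
    package_blacklist=[".*"],
    signature_blacklist=[".*"],
    package_whitelist=[APPROVED_PKG],
)

if __name__ == "__main__":
    for label, policy in (("whitelist only", WHITELIST_ONLY), ("STIG", STIG_POLICY)):
        print(f"{label}: blacklists complete={blacklists_cover_all(policy)}, "
              f"unapproved allowed={install_allowed(UNAPPROVED_PKG, UNAPPROVED_SIG, policy)}, "
              f"approved allowed={install_allowed(APPROVED_PKG, UNAPPROVED_SIG, policy)}")
```

Under WHITELIST_ONLY the unapproved package installs, because nothing blacklists it; under STIG_POLICY only the whitelisted package installs, and with both whitelists empty (the AO has approved nothing) every install is blocked.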
On the MDM console, do one of the following:
1. Add each AO-approved package name to the "Package Name Whitelist" in the "Android Knox Container >> Container Applications" rule.
OR
2. Add each AO-approved digital signature to the "Signature Whitelist" in the "Android Knox Container >> Container Applications" rule.
Note: Either list may be empty if the Authorizing Official (AO) has not approved any app.
Note: Refer to the Supplemental document for additional information.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations into the container based on one of the following characteristics:
- Digital signature
- Package Name
Verify all applications listed on the whitelist have been approved by the Approving Official (AO).
This validation procedure is performed only on the MDM Administration Console.
On the MDM console, do 1 & 2 or 3 & 4:
1. Ask the MDM administrator to display the "Package Name Whitelist" in the "Android Knox Container >> Container Applications" rule.
2. Verify the whitelist includes only package names that the Authorizing Official (AO) has approved.
OR
3. Ask the MDM administrator to display the "Signature Whitelist" in the "Android Knox Container >> Container Applications" rule.
4. Verify the whitelist includes only digital signatures the Authorizing Official (AO) has approved.
Note: Either list may be empty if the Authorizing Official (AO) has not approved any app.
Note: Refer to the Supplemental document for additional information.
If the MDM console "Package Name Whitelist" or "Signature Whitelist" contains non-AO approved entries, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-912200The Samsung Android 7 with Knox must be configured to lock the container after 15 minutes (or less) of inactivity.
<VulnDiscussion>The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate, depending on the risks posed to the mobile device.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to lock the container after "15" minutes (or less) of inactivity.
On the MDM console, set the "Maximum Time to Lock" to the organization-defined value ("15" minutes) in the "Android Knox Container >> Container Password Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to lock the container after "15" minutes (or less) of inactivity.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum Time to Lock" setting in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is the organization-defined value ("15" minutes) or less.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Refrain from using the Knox Container for "15" minutes.
3. Verify the selected value is the organization-defined value ("15" minutes) or less.
If the MDM console "Maximum Time to Lock" is not set to the organization-defined value ("15" minutes) or less, or on the Samsung Android 7 with Knox device the Knox Container does not lock after "15" minutes, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913200The Samsung Android 7 with Knox must implement the management setting: Configure to enforce a minimum Container password length of 4 characters.
<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce a minimum Container password length of four characters.
On the MDM console, set the "Minimum Length" value to "4" or greater in the "Android Knox Container >> Container Password Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is configured to enforce a minimum Container password length of "4" characters.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Length" setting in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is the same or greater than "4" characters.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Select "Lock type".
4. Enter current password.
5. Attempt to enter a password with fewer than "4" characters.
6. Verify the password is not accepted.
If the MDM console "Minimum Length" is not set to "4" characters or greater, or the Samsung Android 7 with Knox device accepts a container password with fewer than "4" characters, this is a finding.
Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. The use of a password to move between container and personal areas is only required if the password is needed to provide data separation between the two processing environments. For the Samsung devices, the password is required to enable the container and implement data separation.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913300The Samsung Android 7 with Knox must implement the management setting: Disable sharing of calendar information outside the Container.
<VulnDiscussion>Calendar events can include potentially DoD-sensitive data such as names, contacts, dates and times, and locations. If made available outside the container, this information will be accessible to personal applications, resulting in potential compromise of DoD data.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce disabled sharing of calendar information outside the Container.
On the MDM console, disable the "Allow calendar info outside container" setting in the "Android Knox Container >> Container Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing disabled sharing of calendar information outside the Container.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow calendar info outside container" setting in the "Android Knox Container >> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox container.
2. Select "Knox Settings".
3. Select "Share contacts and calendars".
4. Verify "Export to Personal Mode – Calendar (from Knox)" (on some devices, shown as "Export to Personal Mode - S Planner") is disabled and attempt to enable this setting.
If the MDM console "Allow calendar info outside container" is not set to disabled, or on the Samsung Android 7 with Knox device the user is able to enable this setting, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913400The Samsung Android 7 with Knox must implement the management setting: Configure to prohibit more than 10 consecutive failed Container authentication attempts.
<VulnDiscussion>Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce "10" or less failed Container authentication attempts.
On the MDM console, set the "Maximum Failed Attempts for wipe" to the organization-defined value in the "Android Knox Container >> Container Password Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing 10 or less failed Container authentication attempts.
This validation procedure is performed on the MDM Administration Console only.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Maximum Failed Attempts for wipe" field in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is "10" or less.
If the MDM console "Maximum Failed Attempts for wipe" is not set to "10" or less, or on the Samsung Android 7 with Knox device the user is able to fail more than "10" authentication attempts, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913500The Samsung Android 7 with Knox must be configured to disable sharing of contact information outside the Container.
<VulnDiscussion>Contacts can include DoD-sensitive data and personally identifiable information (PII) of DoD employees, including names, numbers, addresses, and email addresses. If made available outside the container, this information will be accessible to personal applications, resulting in potential compromise of DoD data.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce disabled sharing of contact information outside the Container.
On the MDM console, disable the "Allow contact info outside container" setting in the "Android Knox Container >> Container Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing disabled sharing of contact information outside the Container.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow contact info outside container" setting in the "Android Knox Container >> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox container.
2. Select "Knox Settings".
3. Select "Share contacts and calendars".
4. Verify "Export to Personal Mode - Contacts (from Knox)" is disabled and attempt to enable this setting.
If the MDM console "Allow contact info outside container" is not set to disabled, or on the Samsung Android 7 with Knox device the user is able to enable this setting, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913600The Samsung Android 7 with Knox must implement the management setting: Disable sharing of notification details outside the Container when the container is locked.
<VulnDiscussion>Application notifications can include DoD sensitive data. If made available outside the container, this information will be accessible to personal applications, resulting in potential compromise of DoD data.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce disabled sharing of notification details outside the Container when the container is locked.
On the MDM console, disable the "Allow Show detailed notifications" setting in the "Android Knox Container >> Container Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing disabled sharing of notification details outside the Container when the container is locked.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Show detailed notifications" setting in the "Android Knox Container >> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox container.
2. Select "Knox Settings".
3. Select "Notifications".
4. Verify "Hide content on lock screen" is disabled and attempt to enable this setting.
If the MDM console "Allow Show detailed notifications" is not set to disabled, or on the Samsung Android 7 with Knox device the user is able to enable this setting, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913700The Samsung Android 7 with Knox must implement the management setting: Configure Container application install blacklist.
<VulnDiscussion>Blacklisting all applications is required so only whitelisted applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to Blacklist Container Application Install.
On the MDM console, do the following:
1. Add all package names by wildcard ('.*') to the "Package Name Blacklist" setting in the "Android Knox Container >> Container Application" rule.
2. Add all digital signatures by wildcard ('.*') to the "Signature Blacklist" setting in the "Android Knox Container >> Container Application" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is Blacklisting Container Application Install.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Package Name Blacklist" setting in the "Android Knox Container >> Container Application" rule.
2. Verify the setting is configured to all package names (specified by the wildcard string ".*").
3. Ask the MDM administrator to display the "Signature Blacklist" setting in the "Android Knox Container >> Container Application" rule.
4. Verify the setting is configured to all digital signatures (specified by the wildcard string ".*").
On the Samsung Android 7 with Knox device, do the following:
1. Attempt to install any application that has not been whitelisted for installation by either package name or digital signature.
2. Verify that the application is blocked from being installed.
If the MDM console "Package Name Blacklist" or "Signature Blacklist" is not set to include all entries, or on the Samsung Android 7 with Knox device the user is able to install the application, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-913800The Samsung Android 7 with Knox must implement the management setting: Disable Move Applications to Container.
<VulnDiscussion>Applications determined to be acceptable for personal use outside the container might not be acceptable for use within the container. The Move Applications to Container feature allows users to install personal side applications into the container, resulting in potential compromise of DoD data. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce not allowing move of applications to Container.
On the MDM console, disable the "Move Applications to Container" setting in the "Android Knox Container >> Container Application" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing not allowing move of applications to Container.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Move Applications to Container" setting in the "Android Knox Container >> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Verify "Install applications" cannot be selected. (Note: If the Knox Container is configured as a folder type, a "+" icon should not be visible in the list of applications.)
If the MDM console "Move Applications to Container" is not set to disabled, or on the Samsung Android 7 with Knox device the user is able to select "Install applications", this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-914100The Samsung Android 7 with Knox must implement the management setting: Configure Container application disable list.
<VulnDiscussion>Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party preinstalled apps include apps from the vendor and carrier. Some of the applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce Container application disabled list.
On the MDM console, add all pre-installed container applications that are not DoD-approved to the "Application disable list" setting in the "Android Knox Container >> Container Application" rule.
Note: Refer to the Supplemental document for additional information.
Note: Include Samsung Accounts on the list.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing Container application disabled list.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Knox Container >> Container Application" rule.
2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Authorizing Official (AO).
Note: Refer to the Supplemental document for additional information.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox container.
2. Attempt to launch an application that is included on the disable list.
Note: This application should not be visible.
If the MDM console "Application disable list" is not set to contain all core and pre-installed applications not approved by DoD, or on the Samsung Android 7 with Knox device the user is able to successfully launch an application on this list, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-914200The Samsung Android 7 with Knox must implement the management setting: Disable automatic completion of Container browser text input.
<VulnDiscussion>The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of auto-fill functionality, an adversary who learns a user's Samsung Android 7 with Knox device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the auto-fill feature to provide information unknown to the adversary. By disabling the auto-fill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce disabled automatic completion of Container browser text input.
On the MDM console, deselect the "Allow Auto-Fill" checkbox in the "Android Knox Container >> Container Restrictions" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing disabled automatic completion of Container browser text input.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Auto-Fill" checkbox in the "Android Knox Container >> Container Restrictions" rule.
2. Verify the checkbox is not set.
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox container.
2. Launch the browser application.
3. Select the application's setting menu.
4. Select "Auto fill profile" and attempt to create a profile.
5. Select "Privacy" from the setting menu.
6. Attempt to enable "Save sign-in info".
If the MDM console "Allow Auto-Fill" checkbox is set, or on the Samsung Android 7 with Knox device the user is able to successfully create a profile or enable "Save sign-in info", this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-914400The Samsung Android 7 with Knox must implement the management setting: Container Account blacklist.
<VulnDiscussion>Blacklisting all email accounts is required so only whitelisted accounts can be configured.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce Container Account Blacklisting.
On the MDM console, add all email domains not approved by DoD to the "Account blacklist" setting in the "Container Accounts" rule.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing Container Account Blacklisting.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Account blacklist" setting in the "Container Accounts" rule.
2. Verify the setting is configured to all email domains not approved by DoD.
Note: All email domains are specified by the wildcard string ".*".
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Open "Settings".
3. Select "Accounts".
4. Select "Add account".
5. Select "Email" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain.
6. Verify the email account cannot be added.
If the MDM console "Account blacklist" is not set to all email domains not approved by DoD, or on the Samsung Android 7 with Knox device the user is able to successfully configure the non-DoD-approved email account, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-07-914500The Samsung Android 7 with Knox must implement the management setting: Configure minimum Container password complexity.
<VulnDiscussion>Authentication mechanisms other than a Password Authentication Factor often provide convenience to users, but many of these mechanisms have known vulnerabilities. Configuring a minimum password complexity mitigates the risk associated with a weak authentication factor.
SFR ID: FMT_SMF_EXT.1.1 #47</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android OS 7 with Knox 2.xDISADPMS TargetSamsung Android OS 7 with Knox 2.x3253CCI-000366Configure the Samsung Android 7 with Knox to enforce minimum Container password complexity.
On the MDM console, set the "Minimum Password Complexity" value to "PIN" in the "Android Knox Container >> Container Password Restrictions" rule.
Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable, but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections, but they will require the user to select a complex password, which is not required by the STIG.
Not Applicable for the COBO use case.
Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing minimum Container password complexity.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.
On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is "PIN" (see Note).
On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Select "Lock type".
4. Enter current password.
5. Verify "Pattern" is grayed out and cannot be selected.
If the MDM console "Minimum Password Complexity" is not set to "Alphanumeric", or if on the Samsung Android 7 with Knox device the user is able to select "Pattern" from the "Lock Type" setting, this is a finding.
Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.
Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable, but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections, but they will require the user to select a complex password, which is not required by the STIG.