Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing Account Whitelisting.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.
On the MDM console, do the following:
1. Ask the MDM Administrator to display the "Account whitelist" setting in the "Android Accounts" rule.
2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil).
Note: Proper configuration of the Account blacklist is required for this configuration to function correctly.
On the Samsung Android 8 with Knox device, do the following:
1. Open device settings.
2. Select "Accounts".
3. Select "Accounts".
4. Select "Add account".
5. Select "Email" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain.
6. Verify the email account can be added.
7. Attempt to add an email account with a domain not approved by DoD.
8. Verify that the email account cannot be added.
If the MDM console "Account whitelist" is not set to contain DoD-approved email domains, or if, on the Samsung Android 8 with Knox device, the user is able to successfully configure an email account with a domain not approved by DoD or is not able to install the DoD-approved email account, this is a finding.
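The following is an added example, not part of the original check text: a small Python helper an assessor could use to record the result of this procedure. It assumes the whitelist entries are read out of the MDM console as plain strings and that the set of DoD-approved domains is supplied by the assessor; the function names and input format are hypothetical.

```python
# Added example: names and input format are assumptions, not part of the check text.
APPROVED_DOMAINS = {"mail.mil"}  # assessor-supplied; mail.mil is the page's example


def normalize(entry):
    """Reduce a whitelist entry such as ' @Mail.MIL. ' to a bare domain."""
    entry = entry.strip().lower().rstrip(".")
    return entry.rsplit("@", 1)[-1]


def unapproved_entries(whitelist, approved=APPROVED_DOMAINS):
    """Return whitelist entries that are not exactly a DoD-approved domain.

    Exact comparison is deliberate: wildcard or look-alike entries
    ('*.mil', 'mail.mil.example.com') must not pass as approved.
    """
    return [e for e in whitelist if normalize(e) not in approved]


def evaluate(whitelist, approved_added, unapproved_added, approved=APPROVED_DOMAINS):
    """Apply the three finding conditions from the check text.

    approved_added / unapproved_added are the assessor's observations from
    device steps 5-8 (True means the account was added successfully).
    Returns a list of finding reasons; an empty list means no finding.
    """
    findings = []
    bad = unapproved_entries(whitelist, approved)
    if not whitelist:
        findings.append("Account whitelist is empty")
    elif bad:
        findings.append("Whitelist has non-approved entries: " + ", ".join(bad))
    if unapproved_added:
        findings.append("Account with non-approved domain could be added")
    if not approved_added:
        findings.append("Account with DoD-approved domain could not be added")
    return findings


if __name__ == "__main__":
    # Constructed sample: a whitelist as an MDM administrator might read it out.
    sample = ["mail.mil", "*.mil", "mail.mil.example.com"]
    for reason in evaluate(sample, approved_added=True, unapproved_added=False):
        print("FINDING:", reason)
```

An empty result from `evaluate` corresponds to "not a finding"; any returned reason maps to one of the three conditions in the finding statement above.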