If a third-party VPN client is installed in the personal space, it must not be configured with a DoD network (work) VPN profile.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-80421	KNOX-08-023300	SV-95125r1_rule		Medium

Description
The device VPN must be configured to disable access from the personal space since it is considered an untrusted environment. Therefore, apps located in the personal space on the device should not have the ability to access a DoD network. In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks. SFR ID: FMT_SMF_EXT.1.1 #3

STIG	Date
Samsung Android OS 8 with Knox 3.x COPE Use Case Security Technical Implementation Guide	2019-10-01

Details

Check Text ( C-80093r1_chk )
Review Samsung Android 8 with Knox configuration settings to determine if any third-party VPN client installed in the personal space/CONTAINER on the device has been configured with a DoD network (work) VPN profile. This validation procedure is performed on the Samsung Android 8 with Knox device only. On the Samsung Android 8 with Knox device, do the following: 1. Open the device settings. 2. Select "Apps". 3. Review the list of apps and if there are any VPN client apps installed, open each one in turn. Review the list of VPN profiles configured on the VPN client. 4. Verify there are no DoD network VPN profiles configured on the VPN client. If any third-party VPN client installed in the personal space has a DoD network VPN profile configured on the client, this is a finding. Note: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement (unless an application whitelist/blacklist is configured for the personal space/CONTAINER).

Check Text ( C-80093r1_chk )

Review Samsung Android 8 with Knox configuration settings to determine if any third-party VPN client installed in the personal space/CONTAINER on the device has been configured with a DoD network (work) VPN profile.

This validation procedure is performed on the Samsung Android 8 with Knox device only.

On the Samsung Android 8 with Knox device, do the following:
1. Open the device settings.
2. Select "Apps".
3. Review the list of apps and if there are any VPN client apps installed, open each one in turn. Review the list of VPN profiles configured on the VPN client.
4. Verify there are no DoD network VPN profiles configured on the VPN client.

If any third-party VPN client installed in the personal space has a DoD network VPN profile configured on the client, this is a finding.

Note: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement (unless an application whitelist/blacklist is configured for the personal space/CONTAINER).

Fix Text (F-87227r1_fix)
If a third-party VPN client is installed in the personal space on a Samsung Android 8 with Knox device, do not configure the VPN client with a DoD network VPN profile.