Samsung Knox Android must allow only the administrator/MDM to enable/disable data-at-rest protection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-48345	KNOX-25-008200	SV-61217r1_rule		Medium

Description
Users must not be able to override the system policy on data-at-rest protection. The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. There are also considerable security and operational risks in allowing users to enable data-at-rest protection because they are unlikely to configure it according to DoD requirements, thus creating weaknesses that can be exploited to gain unauthorized access to data. Therefore, only administrators and the MDM software should be able to set the data-at-rest protection policy. SFR ID: FMT_MOF.1.1(2) #12

Description

Users must not be able to override the system policy on data-at-rest protection. The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. There are also considerable security and operational risks in allowing users to enable data-at-rest protection because they are unlikely to configure it according to DoD requirements, thus creating weaknesses that can be exploited to gain unauthorized access to data. Therefore, only administrators and the MDM software should be able to set the data-at-rest protection policy. SFR ID: FMT_MOF.1.1(2) #12

STIG	Date
Samsung Android (with Knox 1.x) STIG	2014-04-22

Details

Check Text ( C-50777r3_chk )
Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs. This validation procedure is performed on the Samsung Knox Android device only. On the Samsung Knox Android device: 1. Open the application list. 2. Verify the presence of an MDM agent. Note: Verification on the MDM agent is MDM vendor specific. For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details". 1. Verify Profile ID is not "NULL". 2. Press the Menu button. 3. Select "Poll Server". 4. Verify no errors are generated in the messages list. On the AirWatch MDM agent: 1. Open the MDM agent. 2. Select "Device Status". 3. Verify "Enrollment Status" is enrolled. If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Check Text ( C-50777r3_chk )

Note: This validation procedure is identical to the one for KNOX-25-013600. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to the DAAs.

This validation procedure is performed on the Samsung Knox Android device only.

On the Samsung Knox Android device:
1. Open the application list.
2. Verify the presence of an MDM agent.
Note: Verification on the MDM agent is MDM vendor specific.

For example, on the Fixmo MDM agent, open the MDM agent, press the Menu button and select "Details".
1. Verify Profile ID is not "NULL".
2. Press the Menu button.
3. Select "Poll Server".
4. Verify no errors are generated in the messages list.

On the AirWatch MDM agent:
1. Open the MDM agent.
2. Select "Device Status".
3. Verify "Enrollment Status" is enrolled.

If the MDM agent is not present on the Samsung Knox Android device, or if the MDM vendor specific checks do not show the proper value, this is a finding.

Fix Text (F-51953r2_fix)
Configure the OS to allow only the administrator/MDM to disable the screen lock function. On the MDM Console, set the "Max Time to Lock" to the organization-defined value in the "Android Knox Container Password Restrictions" rule.