The administrator/MDM must configure the application installation policy by specifying authorized application repositories (Disable unknown sources).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-49683	KNOX-25-009010	SV-62619r1_rule		Medium

Description
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #10

STIG	Date
Samsung Android (with Knox 1.x) STIG	2014-04-22

Details

Check Text ( C-51567r1_chk )
Configuring an application installation policy on Samsung Knox Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in MDM (which designates the repository). This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox Android device. On the MDM Administration Console: 1. Ask the MDM administrator to display the "Allow Unknown Sources" settings in the "Android Restrictions" rule. 2. Verify it is disabled. On the Samsung Knox Android device: 1. Open the device settings. 2. Select "Security". 3. Attempt to enable "Unknown sources". 4. Verify it cannot be enabled. If the "Enable Google Play" setting is not disabled , or if a user can successfully enable "Unknown sources" on the device, this is a finding.

Check Text ( C-51567r1_chk )

Configuring an application installation policy on Samsung Knox Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in MDM (which designates the repository). This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox Android device.

On the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Unknown Sources" settings in the "Android Restrictions" rule.
2. Verify it is disabled.

On the Samsung Knox Android device:
1. Open the device settings.
2. Select "Security".
3. Attempt to enable "Unknown sources".
4. Verify it cannot be enabled.

If the "Enable Google Play" setting is not disabled , or if a user can successfully enable "Unknown sources" on the device, this is a finding.

Fix Text (F-53197r1_fix)
Configure the mobile operating system to disable application installations from unknown sources. On the MDM Administration Console, disable "Allow Unknown Sources" in the "Android Restrictions" rule.