accepted
Samsung Android (with Knox 2.x) STIG
Developed by Samsung Electronics Co., Ltd. in coordination with DISA for the DoD.
DISA
STIG.DOD.MIL
Release: 4 Benchmark Date: 22 Apr 2016
1
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
PP-MDF-001008<GroupDescription></GroupDescription>
KNOX-30-004400
The Samsung Knox for Android platform must be configured to enable data-at-rest protection for built-in storage media.
<VulnDiscussion>The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.
SFR ID: FMT_SMF.1.1 #22</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
CCI-001199
Configure the mobile device to enable data-at-rest protection for built-in storage media.
Configure the OS to encrypt all data at rest on the mobile device.
On the MDM Administration Console, select the "Storage Encryption" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Storage Encryption" check box in the "Android Restrictions" rule. (**)
2. Verify the "Storage Encryption" check box is selected.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Security".
3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed.
4. Select "Encrypt external SD card".
5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen.
NOTE: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen.
If the specified encryption settings are not set to the appropriate values, this is a finding.
(**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.
PP-MDF-001009<GroupDescription></GroupDescription>
KNOX-30-004410
The Samsung Knox for Android platform must be configured to enable data-at-rest protection for removable storage media.
<VulnDiscussion>The operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.
SFR ID: FMT_SMF.1.1 #23</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
CCI-001199
Configure the mobile device to enable data-at-rest protection for removable media.
Configure the OS to encrypt all data at rest on the mobile device.
On the MDM Administration Console, select the "Storage Encryption" and "External Storage Encryption" check boxes in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Storage Encryption" and "External Storage Encryption" check boxes in the "Android Restrictions" rule. (**)
2. Verify the "Storage Encryption" and "External Storage Encryption" check boxes are selected.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Security".
3. Verify "Encrypt device" is grayed out and "Encrypted" is displayed.
4. Select "Encrypt external SD card".
5. Verify "The encryption policy has been applied" is displayed at the bottom of the screen.
NOTE: If no SD card is inserted, Step 5 should display "SD card is not inserted" at the bottom of the screen.
If the specified encryption settings are not set to the appropriate values, this is a finding.
(**) On some MDM vendor consoles, "Storage Encryption" enables both internal and external storage encryption.
PP-MDF-001001<GroupDescription></GroupDescription>
KNOX-34-008700
The Samsung Knox for Android platform must be configured to enforce a minimum password length of 6 characters.
<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.
SFR ID: FMT_SMF.1.1 #01</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000205
CCI-000366
Configure the mobile device to enforce a minimum password length of 6 characters.
On the MDM Administration Console, set the "Min Length" value to 6 or greater in the "Android Password Restrictions" rule.
(**) When device encryption is enabled (always enabled by the DoD configuration), Samsung Knox for Android automatically enforces a minimum length of 6.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is the same or greater than the required length.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Lock screen".
3. Select "Screen lock".
4. Enter current password.
5. Select Password.
6. Attempt to enter a password with fewer characters than the required length.
7. Verify the password is not accepted.
If the configured value of the "Min Length" setting is less than the required length, or if the device accepts a password of less than the required length, this is a finding.
(**) When device encryption is enabled, Samsung Knox for Android automatically enforces a minimum length of 6.
PP-MDF-001003<GroupDescription></GroupDescription>
KNOX-34-008900
The Samsung Knox for Android platform must be configured to prohibit more than 10 consecutive failed authentication attempts.
<VulnDiscussion>Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies.
SFR ID: FMT_SMF.1.1 #02</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000043
CCI-000044
CCI-000366
CCI-001382
Configure the mobile device to allow only 10 or fewer consecutive failed authentication attempts.
On the MDM Administration Console, set the "Maximum Failed Attempts" to 10 or less in the "Android Password Restrictions" rule for the device unlock password.
This validation procedure is performed only on the MDM Administration Console.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password.
2. Verify the value of the setting is 10 or less.
This configuration is not available on the Samsung Knox for Android device.
If the "Maximum Failed Attempts" field in the "Android Password Restrictions" rule for the device unlock password is not set to 10 or less, this is a finding.
PP-MDF-001002<GroupDescription></GroupDescription>
KNOX-34-012100
The Samsung Knox for Android platform must be configured to lock the display after 15 minutes (or less) of inactivity.
<VulnDiscussion>The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate, depending on the risks posed to the mobile device.
SFR ID: FMT_SMF.1.1 #02</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000057
CCI-000059
CCI-000366
Configure the MOS to lock the device display after 15 minutes (or less) of inactivity.
On the MDM Administration Console, configure the "Max Time to Lock" option to 15 minutes in the "Android Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is 15 minutes or less.
On the Samsung Knox for Android device:
1. Unlock the device.
2. Refrain from performing any activity on the device for 15 minutes.
3. Verify the device requires the user to enter the device unlock password to access the device.
(Note: "Max Time to Lock" is the sum of the display screen timeout and the lock screen delay on the device. When configured by the MDM, the device chooses these two settings so that their sum is 15 minutes or less.)
If the user does not have to unlock the device after 15 minutes of inactivity, this is a finding.
PP-MDF-001002<GroupDescription></GroupDescription>
KNOX-34-012110
The Samsung Knox for Android container must be configured to lock the display after 15 minutes (or less) of inactivity.
<VulnDiscussion>The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate, depending on the risks posed to the mobile device.
SFR ID: FMT_SMF.1.1 #02</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000057
CCI-000059
CCI-000366
Configure the OS to initiate a session lock after a time period of inactivity.
Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity.
On the MDM Console, set the "Max Time to Lock" to the organization-defined value (15 min) in the "Android Knox Container -> Container Password Restrictions" rule.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox device.
Check that the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Max Time to Lock" setting in the "Android Knox Container -> Container Password Restrictions" rule.
2. Verify the value of the setting is the organization-defined value (15 min) or less.
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Refrain from using the Knox Container for 15 min.
3. Verify the Knox Container has locked and the selected value is the organization-defined value (15 min) or less.
If the selected value is larger than 15 min, or if the Knox Container does not lock after 15 min, this is a finding.
PP-MDF-001004<GroupDescription></GroupDescription>
KNOX-35-009000
The Samsung Knox for Android platform must be configured to enforce an application installation policy by specifying one or more authorized application repositories: disable Google Play.
<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.
SFR ID: FMT_SMF.1.1 #10</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the mobile device to use one or more authorized application repositories.
Configure the OS to disable Google Play.
On the MDM Administration Console, disable "Enable Google Play" in the "Android Restrictions" rule.
Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in an MDM (which designates the repository). This validation procedure covers the first of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device.
On the MDM Administration Console:
1. Ask the MDM administrator to display the "Enable Google Play" setting in the "Android Restrictions" rule.
2. Verify it is disabled.
On the Samsung Knox for Android device:
1. Attempt to locate the "Google Play" application.
2. Verify it is not present on the device.
If the "Enable Google Play" setting is not disabled, or if a user can successfully launch Google Play on the device, this is a finding.
PP-MDF-001004<GroupDescription></GroupDescription>
KNOX-35-009010
The Samsung Knox for Android platform must be configured to enforce an application installation policy by specifying one or more authorized application repositories: disable unknown sources.
<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.
SFR ID: FMT_SMF.1.1 #10</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the mobile operating system to disable application installations from unknown sources.
On the MDM Administration Console, disable "Allow Unknown Sources" in the "Android Restrictions" rule.
Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in MDM (which designates the repository). This validation procedure covers the second of these steps. It is performed on both the MDM Administration Console and the Samsung Knox for Android device.
On the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Unknown Sources" setting in the "Android Restrictions" rule.
2. Verify it is disabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Security".
3. Attempt to enable "Unknown sources".
4. Verify it cannot be enabled.
If the "Allow Unknown Sources" setting is not disabled, or if a user can successfully enable "Unknown sources" on the device, this is a finding.
PP-MDF-001004<GroupDescription></GroupDescription>
KNOX-35-009020
The Samsung Knox for Android platform must be configured to enforce an application installation policy by specifying one or more authorized application repositories: enroll in MDM.
<VulnDiscussion>Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.
SFR ID: FMT_SMF.1.1 #10</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Enroll the device in MDM.
Implement MDM to centrally manage configuration settings.
Note: This validation procedure is identical to the one for KNOX-35-020900. It only needs to be performed once. If it is found compliant on the first check, it is also compliant here. If it is determined to be a finding on the first check, it is also a finding here. Redundant checks are necessary to maintain requirements traceability and provide complete risk management information to AOs.
Configuring an application installation policy on Samsung Knox for Android by specifying an application repository involves three steps: (1) Disabling Google Play, (2) Disabling unknown application sources, and (3) Enrolling in MDM (which designates the repository). This validation procedure covers the last of these steps. It is performed on the Samsung Knox for Android device only.
On the Samsung Knox for Android device:
1. Open the application list and verify the presence of an MDM agent.
2. Open the MDM agent and verify that the MDM agent has been enrolled.
Note: Verification on the MDM agent is MDM vendor specific.
If the MDM agent is not present on the Samsung Knox for Android device, or if the MDM agent has not been enrolled, this is a finding.
PP-MDF-001005<GroupDescription></GroupDescription>
KNOX-35-009100
The Samsung Knox for Android platform must be configured to enforce an application installation policy through an application whitelist specifying a set of allowed applications and versions.
<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
SFR ID: FMT_SMF.1.1 #10</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the mobile device to use an application whitelist.
On the MDM Administration Console, configure the list of white-listed applications in the "Android Applications" rule and ensure only AO-approved applications are on the list.
(Note: This list can be empty if no applications have been approved.)
(Note: Refer to the Supplemental document for additional information.)
This validation procedure is performed on the MDM Administration Console.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of white-listed applications in the "Android Applications" rule.
2. Verify the list of white-listed applications has been approved by the Approving Official (AO).
(Note: Refer to the Supplemental document for additional information.)
(Note: This list can be empty if no applications have been approved.)
If any of the white-listed applications on the MDM Administration Console have not been approved by the AO, this is a finding.
PP-MDF-001012<GroupDescription></GroupDescription>
KNOX-35-009800
The Samsung Knox for Android platform must be configured to disable USB mass storage mode.
<VulnDiscussion>This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the mobile device to disable data transfer capabilities for USB mass storage mode.
Configure the mobile operating system to disable USB mass storage.
On the MDM Administration Console, select the "Disable USB mass storage" check box in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the PC.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable USB mass storage" check box in the "Android Restrictions" rule.
2. Verify the "Disable USB mass storage" check box is selected.
(Note: On newer MDM consoles, disabling USB Media Player will also disable USB MTP, USB mass storage, and the USB vendor protocol (KIES).)
On the Samsung Knox for Android device:
1. Connect the device to a PC with a USB cable.
Note: Do not use a DoD network-managed PC for this test!
On the PC:
1. Verify the device is not shown in the PC file browser.
If the specified setting is not set to the appropriate value, or if the device is shown in the PC file browser, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-015800
The Samsung Knox for Android platform must be configured to implement the management setting: disable USB debugging.
<VulnDiscussion>USB debugging mode provides access to developer mode features. Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability. Because of the security risks of developer modes, users must not be able to enable them.
SFR ID: FMT_SMF.1.1 #21</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the operating system to disable USB debugging.
On the MDM Administration Console, enable the "Disable USB Debugging" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable USB Debugging" setting in the "Android Restrictions" rule.
2. Verify this setting is enabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Developer options". (**)
3. Attempt to enable "USB Debugging".
4. Verify "USB Debugging" is disabled and cannot be enabled.
(Note: Disabling Developer Modes will also automatically disable USB Debugging and Mock Locations. The "Developer Modes" configuration setting may not be available in all MDM consoles.)
If the "Disable USB Debugging" setting in the MDM console is not enabled, or if the user is able to enable "USB Debugging" on the device, this is a finding.
(**) "Developer options" is initially hidden to users. To unhide this menu item:
1. Open the device settings.
2. Select "About phone".
3. Rapidly tap on "Build number" multiple times until the device displays that "Developer options" has been turned on.
PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-015900
The Samsung Knox for Android platform must be configured to implement the management setting: disable mock locations.
<VulnDiscussion>Developers often use mock locations in the development of apps that leverage location-based services. Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability.
In particular, malicious applications can use the mock locations feature in the Android OS to override the device GPS location and provide a fake location to the user or network provider.
SFR ID: FMT_SMF.1.1 #21</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the mobile operating system to disable mock locations.
On the MDM Administration Console, disable the "Allow mock locations" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow mock locations" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Developer options". (**)
3. Attempt to enable "Allow mock locations".
4. Verify "Allow mock locations" cannot be enabled.
(Note: Disabling Developer Modes will also automatically disable USB Debugging and Mock Locations. The "Developer Modes" configuration setting may not be available in all MDM consoles.)
If the "Allow mock locations" setting in the MDM console is enabled, or if the user is able to enable "Allow mock locations" on the device, this is a finding.
(**) "Developer options" is initially hidden to users. To unhide this menu item:
1. Open the device settings.
2. Select "About phone".
3. Rapidly tap on "Build number" multiple times until the device displays that "Developer options" has been turned on.
PP-MDF-001007<GroupDescription></GroupDescription>
KNOX-35-020000
The Samsung Knox for Android platform must be configured to disable developer modes.
<VulnDiscussion>Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability.
SFR ID: FMT_SMF.1.1 #21</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x
DISA
DPMS Target
Samsung Android with Knox 2.x
2699
CCI-000366
Configure the mobile device to disable developer modes.
Configure the platform to disable Developer Mode.
On the MDM Administration Console, enable the "Disable Developer Mode" setting in the "Android Restrictions" rule.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox device.
Check that the appropriate setting is configured on the MDM Administration Console.
1. Ask the MDM administrator to display the "Disable Developer Mode" settings in the "Android Restrictions" rule.
2. Verify that the "Disable Developer Mode" setting is enabled.
On the Samsung Knox for Android Device:
1. Open the device settings.
2. Select "Developer options". (**)
3. Attempt to enable "Developer options".
If the "Disable Developer Mode" setting in the MDM console is disabled, or if the user is able to enable "Developer options" on the device, this is a finding.
(Note: The "Developer Modes" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables developer modes on the mobile device.)
(**) "Developer options" is initially hidden to users. To unhide this menu item:
1. Open the device settings.
2. Select "About phone".
3. Rapidly tap on "Build number" multiple times until the device displays the developer options menu item.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-020400
The Samsung Knox for Android platform must be configured to implement the management setting: disable Insecure VPN Connections.
<VulnDiscussion>Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the operating system to authenticate devices before establishing remote connections.
On the MDM Console, select the "Disable Insecure VPN Connections" check box in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administrative Console.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable Insecure VPN Connections" check box in the "Android Restrictions" rule.
2. Verify the check box is selected.
If the "Disable Insecure VPN Connections" check box is not selected, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-020600
The Samsung Knox for Android platform must be configured to implement the management setting: install DoD root and intermediate PKI certificates on the device.
<VulnDiscussion>DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.
SFR ID: FMT_SMF.1.1 #13</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Install DoD root and intermediate certificates on the device.
On the MDM Console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the "Android Certificate Configuration" rule.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or
http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
The current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or
http://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule.
2. Verify the DoD root and intermediate PKI certificates are present.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Security".
3. Select "Trusted Credentials".
4. Review Certificate Authorities listed under the "System" and "User" tabs.
5. Verify the presence of the DoD root and intermediate certificates.
If the DoD root and intermediate certificates are not present in the MDM Console whitelist or on the device, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-020700
The Samsung Knox for Android platform must be configured to implement the management setting: whitelist DoD root and intermediate PKI certificates.
<VulnDiscussion>If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing authentication credentials, which could then in turn be used to compromise DoD information and networks. Restricting device authentication certificates to an authorized list mitigates the risk of attaching to rogue devices and networks.
SFR ID: FMT_SMF.1.1 #14</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Remove non-approved server authentication certificates from the device.
On the MDM Console, modify the certificate whitelist so that it only includes DoD PKI-issued or DoD-approved server authentication certificates in the "Android Certificate Configuration" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of server authentication certificates in the "Android Certificate Configuration" rule.
2. Verify only DoD PKI-issued or DoD-approved server authentication certificates are present (Note: These may include those approved by the local command).
On the Samsung Knox for Android device:
1. Open device settings.
2. Select "Security".
3. Select "Trusted credentials".
4. Select the "User" tab.
5. Verify no certificates are listed, or that any that are listed have been authorized.
If there are unapproved device authentication certificates present on the MDM whitelist or on the "User" tab, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-020900
The Samsung Knox for Android platform must be configured to implement the management setting. Employ mobile device management services to centrally manage security relevant configuration and policy settings.
<VulnDiscussion>Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Enroll the device in MDM.
Implement MDM to centrally manage configuration settings.
This validation procedure is performed on the Samsung Knox for Android device only.
On the Samsung Knox for Android device:
1. Open the application list and verify the presence of an MDM agent.
2. Open the MDM agent and verify that the MDM agent has been enrolled.
Note: Verification on the MDM agent is MDM vendor specific.
If the MDM agent is not present on the Samsung Knox for Android device, or if the MDM agent has not been enrolled, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021000
The Samsung Knox for Android platform must be configured to implement the management setting: disable Allow New Admin Install.
<VulnDiscussion>An application with administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, then this will allow another MDM administrator (assuming it has the proper Knox licenses) the ability to configure potentially conflicting policies on the device that may not meet DoD security requirements. Although an MDM cannot disable another MDM's policies or remove another MDM from the device, there is the potential of creating policies that could conflict with enterprise policies. Therefore, other applications requesting administrator permissions should be blocked from installation.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to disallow new admin installations.
On the MDM Administration Console, disable the "Allow New Admin Install" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow New Admin Install" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
(Note: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM.)
On the Samsung Knox for Android device:
1. Attempt to install an application that requires admin permissions.
2. Verify that the application is blocked from being installed.
If the "Allow New Admin Install" setting in the MDM console is enabled, or if the user is able to install another application requiring admin permissions on the device, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021100
The Samsung Knox for Android platform must be configured to implement the management setting: configure application install blacklist.
<VulnDiscussion>Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to add all applications to the install blacklist.
On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Applications" rule.
This validation procedure is performed on the MDM Administration Console.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Applications" rule.
2. Verify the setting is configured to include all applications (specified by the wildcard string ".*").
If the "Application install blacklist" setting in the MDM console does not include all applications, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021200
The Samsung Knox for Android platform must be configured to implement the management setting: configure application disable list.
<VulnDiscussion>Applications from various sources (including the vendor, the carrier, and Google) are pre-installed on the device at the time of manufacture. Some of the applications can compromise DoD data or upload a user's information to non-DoD approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to disable pre-installed applications not approved for DoD use.
On the MDM Administration Console, add all pre-installed applications not approved for DoD to the "Application disable list" setting in the "Android Applications" rule.
(Note: Refer to the Supplemental document for additional information.)
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all pre-installed (core) applications not approved for DoD use by the Approving Official (AO).
(Note: Refer to the Supplemental document for additional information.)
On the Samsung Knox for Android device:
1. Attempt to locate and launch the pre-installed applications on the application disable list.
If the "Application disable list" configuration is not properly configured, or if the user is able to launch the applications on the list, this is a finding.
Note: Core applications are pre-installed on the device and include applications integrated into the Android OS by Google and applications added to the OS load by Samsung or by the carrier.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021300
The Samsung Knox for Android platform must be configured to implement the management setting: disable Google auto sync.
<VulnDiscussion>When a user configures their personal Google account on the device, the Google auto sync feature is automatically enabled. This results in the automatic upload and sync of data on the device (including contacts, files, calendar events, user information) to Google cloud servers. With this feature enabled, sensitive information will be backed up to Google's servers and database. This data is stored at a location that has unauthorized employees accessing this data. This data is stored on a server that has a location unknown to the DoD. Disabling this feature mitigates the risk of automatically enabling a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States. (Note: Disabling this feature does not disable manual syncing by the user from each application that makes use of the Google account.)
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to disable Google Auto Sync.
On the MDM Administration Console, disable the "Google Auto Sync" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Google Auto Sync" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select Accounts.
3. Configure a Google account.
4. Select the configured Google account.
5. Verify that all sync check boxes are unselected.
If the "Google Auto Sync" configuration in the MDM console is enabled, or if the user is able to enable auto sync, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021400
The Samsung Knox for Android platform must be configured to implement the management setting: disable Google crash report.
<VulnDiscussion>Applications that can be downloaded from Google Play (including pre-installed applications) will prompt the user to send a crash report to Google servers when the application crashes. The crash report will include application logs and stack traces, as well as device information that could potentially include user information. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location that has unauthorized employees accessing this data. This data is stored on a server that has a location unknown to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to disable Google Crash Report.
On the MDM Administration Console, disable the "Google Crash Report" setting in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Google Crash Report" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
If the "Google Crash Report" configuration in the MDM console is enabled, or if the user is able to send a crash report, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021500
The Samsung Knox for Android platform must be configured to implement the management setting: disable Wi-Fi Direct.
<VulnDiscussion>Wi-Fi Direct allows the device to connect directly to another device via Wi-Fi without accessing a Wi-Fi access point and using DoD-required security mechanisms since Wi-Fi Direct can be used by applications to exchange files between devices. Disabling this feature mitigates the risk of compromising sensitive DoD data.
Note: Disabling Wi-Fi Direct also disables S Beam.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to disable Wi-Fi Direct.
On the MDM Administration Console, disable the "Wi-Fi Direct" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Wi-Fi Direct" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select Wi-Fi.
3. Select settings.
4. Select Wi-Fi Direct.
5. Verify Wi-Fi Direct cannot be enabled.
If the "Wi-Fi Direct" configuration in the MDM console is enabled, or if the user is able to enable Wi-Fi Direct, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021600
The Samsung Knox for Android platform must be configured to implement the management setting: disable USB host storage.
<VulnDiscussion>The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. Disabling this feature mitigates the risk of compromising sensitive DoD data.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile operating system to disable USB host storage.
On the MDM Administration Console, disable the "USB host storage" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "USB host storage" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Connect a Micro USB to USB OTG adaptor to the device.
2. Connect a USB thumb drive to the adaptor.
3. Verify the device cannot access the USB thumb drive.
If the "USB host storage" configuration in the MDM console is enabled, or if the user is able to access the USB thumb drive from the device, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-021900
The Samsung Knox for Android platform must be configured to implement the management setting.
Not allow the device unlock password to contain more than two sequential or repeating characters (e.g., 456, aaa).
<VulnDiscussion>Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute-force attack. Passwords with sequential or repeating numbers or alphabetic characters (e.g., 456, 987, 222, abc, ddd) are considered easier to crack than random patterns. Therefore, disallowing sequential or repeating numbers or alphabetic characters makes it more difficult for an adversary to discover the password.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile device to enforce a password that does not contain more than two sequential or repeating characters or numbers.
On the MDM Administration Console, set the "Max Sequential Characters" and "Max Sequential Numbers" values to 2 in the "Android Password Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Max Sequential Characters" and "Max Sequential Numbers" settings in the "Android Password Restrictions" rule.
2. Verify the value of the setting is the same or less than the required length.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Lock screen".
3. Select "Screen lock".
4. Enter current password.
5. Select Password.
6. Attempt to enter a password that contains sequential characters or sequential numbers of length greater than the required length.
7. Verify the password is not accepted.
If the configured values of the "Max Sequential Character" and "Max Sequential Number" settings are greater than the required length, or if the device accepts a password that contains sequential characters or sequential numbers of length greater than the required length, this is a finding.
Note: On some MDM servers there may only be one configuration setting ("Max Sequential Characters") since this API actually disables both sequential and repeating characters.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-022000
The Samsung Knox for Android platform must be configured to implement the management setting: disable Google backup.
<VulnDiscussion>A cloud backup feature may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location that has unauthorized employees accessing this data. This data is stored on a server that has a location unknown to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile device to disable backups to Google servers.
On the MDM Administration Console, disable the "Allow Google backup" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Google Backup" settings in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Backup and reset".
3. Verify "Back up my data" is disabled and cannot be enabled.
If the "Allow Google Backup" setting is enabled, or if the user is able to enable the setting on the device, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-022100
The Samsung Knox for Android platform must be configured to implement the management setting: configure Knox License.
<VulnDiscussion>A cloud backup feature may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location that has unauthorized employees accessing this data. This data is stored on a server that has a location unknown to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States.
Note: Reporting information is required to periodically validate the Knox license on the device, and proper configuration of the Knox license ensures reporting information is sent to the correct enterprise servers.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile device to disable backups to Google servers.
On the MDM Administration Console, disable the "Allow Google backup" setting in the "Android Restrictions" rule.
This validation procedure is performed on the MDM Administration Console.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Knox License" settings in the "Knox Management" rule.
2. Verify the correct DoD-issued Knox license is configured.
If the correct DoD-issued Knox license is not configured in the "Knox License" setting, this is a finding.

PP-MDF-991000<GroupDescription></GroupDescription>
KNOX-35-022500
The Samsung Knox for Android platform must be configured to implement the management setting.
Disable multi-user mode.
<VulnDiscussion>By default the enterprise administrator will install and enroll MDM on the device's owner user space. Since some policies configured by the MDM will only apply to the owner space, the user can bypass some of these policies by creating and switching to a guest user space. This can potentially result in compromise of the device and DoD data via installation of malicious applications. Disabling this feature will mitigate this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung Android with Knox 2.x | DISA | DPMS Target | Samsung Android with Knox 2.x | 2699 | CCI-000366
Configure the mobile device to disable use of multi-user mode.
On the MDM Administration Console, disable the "Allow multi-user mode" setting in the "Android Restrictions" rule.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow multi-user mode" settings in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Attempt to add a user in the "User" setting.
3. Verify that the "User" setting is not available.
(Note: Multi-user mode is currently supported on tablet devices only.)
If the "Allow multi-user mode" setting is enabled, or if the user is able to add a user, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-022600The Samsung Knox for Android platform must be configured to implement the management setting: disable public cloud backup apps.<VulnDiscussion>A cloud backup feature may gather a user's information, such as PII or sensitive documents. With this feature enabled, sensitive information is backed up to the provider's servers and databases. That data is stored where employees who are not authorized by DoD can access it, on servers whose location is unknown to DoD and may be in a country other than the United States. Disabling this feature mitigates the risk of sensitive data being stored on such servers.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable all pre-installed public cloud backup applications.
On the MDM Administration Console, add all pre-installed public cloud backup applications that are not DoD-approved to the "Application disable list" setting in the "Android Application" rule.
(Note: Refer to the Supplemental document for the list.)This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the setting includes all pre-installed public cloud backup applications.
(Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker.)
(Note: Refer to the Supplemental document for the list.)
On the Samsung Knox for Android device:
1. Attempt to locate and launch the pre-installed public cloud applications that are included on the disable list.
(Note: These applications will not be visible on the device.)
If the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-022700The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable messaging preview notifications in lock screen.<VulnDiscussion>Text messages can potentially include sensitive information. When this feature is enabled, both text message data and the sender's name or number will be displayed on the lock screen. This may result in an adversary obtaining potentially sensitive data even when the device is in a locked state. Disabling this feature will mitigate this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable preview of messages in the lock screen.This validation procedure is performed on the Samsung Knox for Android device.
On the Samsung Knox for Android device:
1. Open the Samsung native messaging application.
2. Select settings.
3. Select "Notifications".
4. Verify "Lock screen" setting under Preview Message is disabled.
If "Lock screen" setting is enabled and cannot be disabled, this is a finding.
(Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.)PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-022800The Samsung Knox for Android platform must be configured to implement the management setting: disable S Voice.<VulnDiscussion>On mobile operating system (MOS) devices, users may be able to use a voice assistant to access the device's contact database or calendar and obtain phone numbers and other information even when the mobile device is locked. This information is often personally identifiable information (PII), which is considered sensitive, and an adversary could use it to profile the user or to engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack. The AO may waive this requirement with written notice if the operational environment requires this capability.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable the S Voice application.
On the MDM Administration Console, add S Voice application to the "Application disable list" setting in the "Android Application" rule.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the setting includes the S Voice application.
On the Samsung Knox for Android device:
1. Attempt to locate and launch S Voice.
(Note: This application will not be visible on the device.)
If the "Application disable list" configuration in the MDM console does not contain S Voice, or if the user is able to successfully launch S Voice, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-022900The Samsung Knox for Android platform must be configured to implement the management setting.
Disable mobile payment.<VulnDiscussion>Mobile payment makes use of NFC to transmit personal account information from the device to the NFC reader. Compromise of this data can result in financial loss to both the individual and DoD. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable all pre-installed mobile payment applications.
Identify all pre-installed mobile payment applications on the device. On the MDM Administration Console, add this list of applications to the "Application disable list" setting in the "Android Application" rule.
(Note: Refer to the Supplemental document for the list.)This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the setting includes the list of pre-installed mobile payment applications.
(Note: Some U.S. carriers pre-install ISIS Wallet.)
(Note: Refer to the Supplemental document for the list.)
On the Samsung Knox for Android device:
1. Attempt to locate and launch the pre-installed mobile payment applications.
(Note: These applications will not be visible on the device.)
If the "Application disable list" configuration in the MDM console does not contain the list of pre-installed mobile payment applications, or if the user is able to successfully launch these applications, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-023000The Samsung Knox for Android platform must be configured to implement the management setting: disable mobile printing.<VulnDiscussion>Mobile printing allows the device to connect to a printer over a Wi-Fi connection. Data is sent unencrypted over the Wi-Fi connection, potentially resulting in the compromise of sensitive DoD data. Disabling this feature mitigates the risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable all pre-installed mobile printing plugin applications.
Identify all pre-installed mobile printing plugin applications on the device. On the MDM Administration Console, add this list of applications to the "Application disable list" setting in the "Android Application" rule.
(Note: Refer to the Supplemental document for the list.)This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the setting includes the list of pre-installed mobile printing plugin applications.
(Note: Some carrier versions pre-install Samsung Print Service Plugin and HP Print Service Plugin.)
(Note: Refer to the Supplemental document for the list.)
On the Samsung Knox for Android device:
1. Open device settings.
2. Select "NFC and sharing".
3. Select "Printing".
4. Attempt to select a vendor print service.
If the "Application disable list" configuration in the MDM console does not contain the list of pre-installed mobile printing plugin applications, or if the user is able to successfully launch these vendor print services, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-023100The Samsung Knox for Android platform must be configured to implement the management setting: disable NFC.<VulnDiscussion>NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable NFC.
On the MDM Administration Console, disable the "Allow NFC" setting in the "Android Restrictions" rule.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow NFC" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open device settings.
2. Select "NFC".
3. Verify the setting is disabled.
If the "Allow NFC" configuration in the MDM console is enabled, or if the setting is enabled on the device, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-023200The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable screen mirroring.<VulnDiscussion>Screen mirroring allows the user to display device content on a compatible device (e.g., a TV) over a Wi-Fi connection. Although this feature uses the HDCP 2.x protocol, which encrypts the visual data in transit, vulnerabilities in the 2.0 and 2.1 versions of the protocol can result in compromise of sensitive DoD data. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable screen mirroring.This validation procedure is performed on the Samsung Knox for Android device.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Screen Mirroring".
3. Verify this is disabled.
If setting is enabled and cannot be disabled, this is a finding.
(Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.)PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-023300The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable Samsung Account.<VulnDiscussion>Configuring a Samsung Account on the device allows the user to back up files (including S Health data) to Samsung servers and to download applications from the Samsung Apps (Galaxy Apps) store. That data is stored where employees who are not authorized by DoD can access it, on servers whose location is unknown to DoD and may be in a country other than the United States. Disabling this feature mitigates the risk of sensitive data being stored on such servers.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable Samsung Account.
On the MDM Administration Console, add the Samsung Account application to the "Application disable list" setting in the "Android Application" rule.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the setting includes the Samsung Account application.
On the Samsung Knox for Android device:
1. Open device settings.
2. Select "Accounts".
3. Attempt to add a Samsung Account.
If the "Application disable list" configuration in the MDM console does not contain the Samsung Account application, or if the user is able to successfully add a Samsung account, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-023500The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable Nearby devices.<VulnDiscussion>The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the DLNA technology. Even though the user must allow requests from other devices, this feature can potentially result in unauthorized access to and compromise of sensitive DoD files. Disabling this feature will mitigate this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to disable Nearby devices.This validation procedure is performed on the Samsung Knox for Android device.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Nearby devices".
3. Verify this is disabled.
If setting is enabled and cannot be disabled, this is a finding.
(Note: This setting cannot be managed by the MDM administrator and is a User Based Enforcement (UBE) requirement.)PP-MDF-001012<GroupDescription></GroupDescription>KNOX-35-023600The Samsung Knox for Android platform must be configured to disable USB media player.<VulnDiscussion>This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile device to disable data transfer capabilities for USB media player.
Configure the mobile operating system to disable USB media player.
On the MDM Administration Console, select the "Disable USB media player" check box in the "Android Restrictions" rule.This validation procedure is performed on both the MDM Administration Console and the PC.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable USB media player" check box in the "Android Restrictions" rule.
2. Verify the "Disable USB media player" check box is selected.
(Note: On new MDM consoles, disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (KIES).)
On the Samsung Knox for Android device:
1. Connect the device to a PC USB connection.
Note: Do not use a DoD network-managed PC for this test!
On the PC:
1. Verify the device does not appear in the PC's file browser as a connected storage or media device.
If the specified setting is not set to the appropriate value, or if the device appears in the PC's file browser, this is a finding.PP-MDF-001011<GroupDescription></GroupDescription>KNOX-36-009700The Samsung Knox for Android platform must be configured to require the user to manifest consent to the terms of the DoD-specified warning banner each time the user unlocks the device.<VulnDiscussion>The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system. The banner provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.
System use notification messages can be displayed when individuals first access or unlock the mobile device. The banner shall be implemented as a "click-through" banner at device unlock (to the extent permitted by the operating system). A "click-through" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”
The approved DoD text must be used exactly as specified in the DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
For Blackberries and other PDAs/PEDs with severe character limitations, the banner text is:
I've read & consent to terms in IS user agreem't.
The administrator must configure the banner text exactly as written without any changes.
SFR ID: FMT_SMF.1.1 #41</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000049CCI-000366Configure the mobile device to display the appropriate warning banner text.
On the MDM Administration Console, select the "Enable DoD Banner" check box, and enter the correct text in the "Banner Text" field in the "Android Restrictions" rule.
(**) On some MDM vendor consoles, the logon banner is displayed automatically upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Enable DoD Banner" check box and "Banner Text" field in the "Android Restrictions" rule.
2. Verify the "Enable DoD Banner" check box is selected.
3. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank.
Note: The default device banner matches the required DoD banner. If the DoD banner is enabled without entering any text, the device will display a default text.
On the Samsung Knox for Android device:
1. Reboot the device.
2. Verify the device displays the DoD banner.
3. Verify the DoD banner is set to one of the authorized messages.
If the specified setting is not set to the appropriate value, or the device does not display the DoD banner on reboot, this is a finding.PP-MDF-991000<GroupDescription></GroupDescription>KNOX-38-012600The Samsung Knox for Android platform must be configured to implement the management setting: disable Manual Date Time Changes.<VulnDiscussion>Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events.
Periodically synchronizing internal clocks with an authoritative time source is needed in order to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for mobile operating systems are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), or the Global Positioning System (GPS), or the wireless carrier.
Time stamps generated by the audit system in mobile operating systems shall include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366Configure the mobile operating system to synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System.
On the MDM Console, check the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable Manual Date Time Changes" check box in the "Android Restrictions" rule.
2. Verify the check box is selected.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "Date and time".
3. Verify the "Automatic date and time" check box is selected.
4. Verify a user cannot unselect the "Automatic date and time" check box.
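A device-side spot check for the rules whose device state is visible from adb: KNOX-35-022500 (multi-user), the application disable list rules KNOX-35-022600, KNOX-35-022800, KNOX-35-023000 and KNOX-35-023300, KNOX-35-023100 (NFC) and KNOX-38-012600 (automatic date and time). This is an added example, not part of the STIG and not Samsung or DISA tooling. It parses captured output of adb shell commands instead of invoking adb, so the sample capture below is constructed; the package names, the "mState=" field in the dumpsys nfc output, and treating "pm list packages -d" as the view of applications the MDM has disabled are assumptions to confirm against the Supplemental document and the device under test.

```python
"""Offline spot-check of several Knox STIG rules from captured adb shell output.

Added example, not part of the STIG. Each key of a capture dict is the
adb shell command whose output it holds. SAMPLE_CAPTURE is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed package names for the applications the rules name. Confirm them
# against the Supplemental document and "adb shell pm list packages".
REQUIRED_DISABLED: Dict[str, Set[str]] = {
    "KNOX-35-022600": {                        # pre-installed public cloud backup apps
        "com.google.android.apps.docs",        # Google Drive
        "com.dropbox.android",                 # Dropbox
    },
    "KNOX-35-022800": {"com.vlingo.midas"},    # S Voice
    "KNOX-35-023000": {                        # mobile printing plugins
        "com.sec.app.samsungprintservice",     # Samsung Print Service Plugin
        "com.hp.android.printservice",         # HP Print Service Plugin
    },
    "KNOX-35-023300": {"com.osp.app.signin"},  # Samsung Account
}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_package_list(pm_output: str) -> Set[str]:
    """Parse 'pm list packages [-d]' output: one 'package:<name>' per line."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def parse_user_ids(pm_users_output: str) -> List[int]:
    """Parse 'pm list users' output; each user is printed as UserInfo{<id>:<name>:<flags>}."""
    return [int(uid) for uid in re.findall(r"UserInfo\{(\d+):", pm_users_output)]


def parse_nfc_state(dumpsys_nfc: str) -> Optional[str]:
    """Extract the adapter state from 'dumpsys nfc' (assumed 'mState=<on|off|...>' line)."""
    match = re.search(r"\bmState=(\w+)", dumpsys_nfc)
    return match.group(1).lower() if match else None


def check(capture: Dict[str, str]) -> List[Finding]:
    """Evaluate the device-side half of each rule; an empty list means no device-side finding."""
    findings: List[Finding] = []

    # KNOX-35-022500: only the owner (user id 0) may exist when multi-user mode is disabled.
    extra_users = [uid for uid in parse_user_ids(capture["pm list users"]) if uid != 0]
    if extra_users:
        findings.append(Finding("KNOX-35-022500", f"additional user ids present: {extra_users}"))

    # Application disable list rules. A package that is not installed cannot be launched,
    # so only packages that are installed and still enabled are findings; this lets one
    # list run against carrier variants with different preloads.
    installed = parse_package_list(capture["pm list packages"])
    disabled = parse_package_list(capture["pm list packages -d"])
    for rule, packages in REQUIRED_DISABLED.items():
        still_enabled = sorted((packages & installed) - disabled)
        if still_enabled:
            findings.append(Finding(rule, f"installed and enabled: {still_enabled}"))

    # KNOX-35-023100: NFC must be off on the device.
    nfc_state = parse_nfc_state(capture["dumpsys nfc"])
    if nfc_state != "off":
        findings.append(Finding("KNOX-35-023100", f"NFC state is {nfc_state!r}, expected 'off'"))

    # KNOX-38-012600: "Automatic date and time" is Settings.Global auto_time == 1.
    if capture["settings get global auto_time"].strip() != "1":
        findings.append(Finding("KNOX-38-012600", "automatic date and time is not enabled"))

    return findings


# Constructed capture: a tablet with a guest user, Google Drive still enabled,
# HP print plugin not preloaded, NFC on, automatic time on.
SAMPLE_CAPTURE: Dict[str, str] = {
    "pm list users": "Users:\n\tUserInfo{0:Owner:13} running\n\tUserInfo{10:Guest:14}\n",
    "pm list packages": "".join(f"package:{p}\n" for p in (
        "com.android.settings", "com.google.android.apps.docs", "com.dropbox.android",
        "com.vlingo.midas", "com.sec.app.samsungprintservice", "com.osp.app.signin")),
    "pm list packages -d": "package:com.dropbox.android\npackage:com.vlingo.midas\n"
                           "package:com.sec.app.samsungprintservice\npackage:com.osp.app.signin\n",
    "dumpsys nfc": "NFC Service:\n  mState=on\n  mScreenState=ON_UNLOCKED\n",
    "settings get global auto_time": "1\n",
}

if __name__ == "__main__":
    for finding in check(SAMPLE_CAPTURE):
        print(f"{finding.rule}: {finding.detail}")
```

Run each key of SAMPLE_CAPTURE as "adb shell <command>" from a PC that is not DoD network-managed, feed the output to check(), and treat every Finding as a failed device-side check. A clean result does not replace the MDM console verification each rule also requires, because it only shows the device's current state, not that the MDM is enforcing it.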
If either the "Disable Manual Date Time Changes" check box is not selected on the MDM administration console; or the "Automatic date and time" check box is not selected on the device; or if it is possible to unselect this option on the device, this is a finding.PP-MDF-001001<GroupDescription></GroupDescription>KNOX-39-014900The Samsung Knox for Android container must be configured to enforce a minimum password length of 4 characters.<VulnDiscussion>Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.
SFR ID: FMT_SMF.1.1 #01</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000205CCI-000366Configure the mobile device to enforce a minimum password length of 4 characters.
On the MDM Console, set the "Min Length" value to 4 or greater in the "Android Knox Container -> Container Password Restrictions" rule.This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Min Length" setting in the "Android Knox Container -> Container Password Restrictions" rule.
2. Verify the value of the setting is the same or greater than the required length.
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Select "Change password".
4. Enter current password.
5. Attempt to enter a password with fewer characters than the required length.
6. Verify the password is not accepted.
If the configured value of the "Min Length" setting is less than the required length, or if Samsung Knox for Android accepts a container password with fewer characters than the required length, this is a finding.
Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.PP-MDF-001003<GroupDescription></GroupDescription>KNOX-39-015200The Samsung Knox for Android container must be configured to prohibit more than 10 consecutive failed authentication attempts.<VulnDiscussion>Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies.
SFR ID: FMT_SMF.1.1 #02</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000043CCI-000044CCI-000366CCI-001382Configure the mobile operating system to allow no more than 10 consecutive failed authentication attempts.
On the MDM Administration Console, set the "Maximum Failed Attempts" to the organization-defined value in the "Android Knox Container -> Container Password Restrictions" rule.This validation procedure is performed on the MDM Administration Console only.
Check whether the device lock screen setting is configured on the MDM server.
1. Ask the MDM administrator to display the "Maximum Failed Attempts" field in the "Android Knox Container -> Container Password Restrictions" rule.
2. Verify the value of the setting is 10 or less.
If there is no value configured for the "Maximum Failed Attempts" field, or if it is greater than 10, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-015400
The Samsung Knox for Android container must be configured to implement the management setting: enable container.<VulnDiscussion>The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly higher risk of compromise because they are not protected by encryption, isolation, etc.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
On the MDM Administration Console, create the "Android Knox Container" rule and push this rule to the device.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Android Knox Container" rule.
2. Verify the existence of this rule.
3. Pushing this rule to a device that does not have a container installed will result in creation of the container.
On the Samsung Knox for Android device:
1. From the device home screen, pull down the notification bar.
2. Verify the existence of the KNOX icon.
3. If available on the MDM agent, verify the container rule in the list of rules received by the MDM agent.
If the MDM Administrator cannot configure the "Android Knox Container" rule, or if the KNOX icon is not present in the notification bar, or if the container rule is not found in the MDM agent rule list (MDM vendor-specific check), this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-015600
The Samsung Knox for Android platform must be configured to implement the management setting: enable CC mode.<VulnDiscussion>CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the MD is more at risk of being compromised if lost or stolen.
CC mode implements the following controls:
- enables the OpenSSL FIPS crypto library
- sets the password failure wipe threshold to 5 (5 consecutive failed attempts will wipe the device)
- disables ODIN mode (download mode)
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the operating system to enable CC mode.
On the MDM Administration Console, enable the "CC mode" setting in the "Android Restrictions" rule.
If this setting is not available on the console, install the CC mode APK, and enable CC mode from this application.
This APK will be made available by Samsung.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "CC Mode" settings in the "Android Restrictions" rule.
2. Verify the value is enabled.
Note: If the MDM does not support CC Mode, ask the MDM Administrator if the Samsung APK has been installed and CC Mode enabled.
On the Samsung Knox for Android device:
1. Open the device settings.
2. Select "About Device".
3. Verify the value of "Security software version" displays "Enforced".
If the CC mode setting is not enabled, or if the "Security software version" on the device does not display "Enforced", this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-015700
The Samsung Knox for Android platform must be configured to implement the management setting: disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), and SPP (Serial Port Profile).<VulnDiscussion>Unsecure Bluetooth profiles may allow either unauthenticated connections to mobile devices or transfer of sensitive DoD data without required DoD information assurance (IA) controls. Only the HSP, HFP, and SPP profiles are required to meet current DoD Bluetooth needs and DoD data and voice IA controls.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the operating system to only allow HSP, HFP, and SPP Bluetooth profiles.
On the MDM Administration Console, configure the "Bluetooth Profiles" setting to only allow HSP, HFP, and SPP in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Bluetooth Profiles" settings in the "Android Restrictions" rule.
2. Verify the only profiles allowed are HSP, HFP, and SPP.
On the Samsung Knox for Android device:
1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard).
2. Verify the Bluetooth peripheral does not pair with the Samsung Knox for Android device.
If Bluetooth profiles other than HSP, HFP, and SPP are configured to be allowed, or if the device is able to pair with a Bluetooth keyboard, this is a finding.
PP-MDF-001005<GroupDescription></GroupDescription>KNOX-39-020100
The Samsung Knox for Android container must be configured to enforce an application installation policy through an application whitelist specifying a set of allowed applications and versions.<VulnDiscussion>Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
SFR ID: FMT_SMF.1.1 #10</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile device to use an application whitelist.
On the MDM Administration Console, configure the list of white-listed applications in the "Android Knox Container -> Container Applications" rule and ensure only AO-approved applications are on the list.
(Note: This list can be empty if no applications have been approved.)
(Note: Refer to the Supplemental document for additional information.)
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of white-listed applications in the "Android Knox Container -> Container Applications" rule.
2. Verify the list of white-listed applications has been approved by the Approving Official (AO).
(Note: Refer to the Supplemental document for additional information.)
(Note: This list can be empty if no applications have been approved.)
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Attempt to install an application that is not in the application whitelist.
If any of the white-listed applications on the MDM Administration Console have not been approved by the AO, or the device allows the user to successfully install the application, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-020300
The Samsung Knox for Android container must be configured to implement the management setting: configure application install blacklist.<VulnDiscussion>Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to add all applications to the install blacklist.
On the MDM Administration Console, add all applications to the "Application install blacklist" setting in the "Android Knox Container -> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application install blacklist" setting in the "Android Knox Container -> Container Application" rule.
2. Verify the setting is configured to all applications (specified by the wildcard string ".*").
On the Samsung Knox for Android device:
1. Attempt to install any application that is not configured in the application install whitelist.
2. Verify that the application is blocked from being installed.
If the "Application install blacklist" configuration in the MDM console has the wrong value, or if the user is able to install the application, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-020400
The Samsung Knox for Android container must be configured to implement the management setting: disable Move Applications to Container.<VulnDiscussion>Applications determined to be acceptable for personal use outside the container might not be acceptable for use within the container. The Move Applications to Container feature allows users to install personal side applications into the container, resulting in potential compromise of DoD data. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable Move Applications to Container.
On the MDM Administration Console, disable the "Move Applications to Container" setting in the "Android Knox Container -> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Move Applications to Container" setting in the "Android Knox Container -> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Verify "Select apps to install" cannot be selected.
If the "Move Applications to Container" configuration in the MDM console is enabled, or if the user is able to select "Select apps to install", this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-020500
The Samsung Knox for Android container must be configured to implement the management setting: disable Move Files from Container to Personal.<VulnDiscussion>Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable Move Files from Container to Personal.
On the MDM Administration Console, disable the "Move Files from Container to Personal" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Move Files from Container to Personal" setting in the "Android Knox Container -> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Select "My Files" application.
3. Select a file by long-pressing it.
4. Select settings.
5. Select "Move to Personal mode".
6. Verify that this operation is blocked.
If the "Move Files from Container to Personal" configuration in the MDM console is enabled, or if the user is able to successfully move the selected file to the personal space, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-020600
The Samsung Knox for Android container must be configured to implement the management setting: disable Move Files from Personal to Container.<VulnDiscussion>Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable Move Files from Personal to Container.
On the MDM Administration Console, disable the "Move Files from Personal to Container" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Move Files from Personal to Container" setting in the "Android Knox Container -> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Select the "My Files" application in personal mode.
2. Select a file by long-pressing it.
3. Select settings.
4. Select "Move to Knox mode".
5. Verify that this operation is blocked.
If the "Move Files from Personal to Container" configuration in the MDM console is enabled, or if the user is able to successfully move the selected file to the container, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-020700
The Samsung Knox for Android container must be configured to implement the management setting: configure application disable list.<VulnDiscussion>Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party preinstalled apps include apps from the vendor and carrier. Some of these applications can compromise DoD data or upload the user's information to non-DoD approved servers. A user must be blocked from using applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable all pre-installed container applications that are not DoD-approved.
On the MDM Administration Console, add all pre-installed container applications that are not DoD-approved to the "Application disable list" setting in the "Android Knox Container -> Container Application" rule.
(Note: Refer to the Supplemental document for additional information.)
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Knox Container -> Container Application" rule.
2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Approving Official (AO).
(Note: Refer to the Supplemental document for additional information.)
On the Samsung Knox for Android device:
1. Open the Knox container.
2. Attempt to launch an application that is included on the disable list. (Note: This application should not be visible.)
If the "Application disable list" configuration in the MDM console does not contain all core and pre-installed applications not approved by DoD, or if the user is able to successfully launch an application on this list, this is a finding.
Note: Core applications are apps installed in the operating system by the OS developer. In addition, third-party pre-installed apps are included in the OS build by the device vendor or wireless carrier.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-021200
The Samsung Knox for Android container must be configured to implement the management setting: Account whitelist.<VulnDiscussion>Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized recipients.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to add DoD-approved email domains to the account whitelist.
On the MDM Administration Console, add all DoD-approved email domains to the "Account whitelist" setting in the "Container Accounts" rule.
Note: It is recommended to add ".*@mail.mil".
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Account whitelist" setting in the "Container Accounts" rule.
2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil).
(Note: Proper configuration of Account blacklist is required for this configuration to function correctly.)
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Open Settings.
3. Select Accounts.
4. Select Add account.
5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain.
6. Verify that the email account can be added.
7. Attempt to add an email account with a domain not approved by DoD.
8. Verify that the email account cannot be added.
If the "Account whitelist" is not properly configured, or if the user is able to successfully configure the email account with a domain not approved by DoD, or if the user is not able to install the DoD-approved email account, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-021300
The Samsung Knox for Android container must be configured to implement the management setting: Account blacklist.<VulnDiscussion>Blacklisting all email accounts is required so that only white-listed accounts can be configured.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to add email domains not approved by DoD to the account blacklist.
On the MDM Administration Console, add all email domains not approved by DoD to the "Account blacklist" setting in the "Container Accounts" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Account blacklist" setting in the "Container Accounts" rule.
2. Verify the setting is configured to all email domains not approved by DoD.
(Note: All email domains are specified by the wildcard string ".*".)
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Open Settings.
3. Select Accounts.
4. Select Add account.
5. Select Email (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain.
6. Verify that the email account cannot be added.
If the "Account blacklist" is not properly configured, or if the user is able to successfully configure the non-DoD approved email account, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-021400
The Samsung Knox for Android container must be configured to implement the user-based enforcement setting: disable Samsung Account.<VulnDiscussion>Configuring a Samsung Account on the device allows the user to back up files (including S Health data) to Samsung servers, as well as download applications from the Samsung Apps (Galaxy Apps) store. This data is stored at a location where unauthorized employees can access it, on a server whose location is unknown to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable Samsung Account in the container.
On the MDM Administration Console, add the Samsung Account application to the "Application disable list" setting in the "Android Knox Container -> Container Application" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Knox Container -> Container Application" rule.
2. Verify the setting includes the Samsung Account application.
On the Samsung Knox for Android device:
1. Open the Knox Container.
2. Open Settings.
3. Select "Accounts".
4. Attempt to add a Samsung Account.
If the "Application disable list" configuration in the MDM console does not contain the Samsung Account application, or if the user is able to successfully add a Samsung account, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-015100
The Samsung Knox for Android container must be configured to implement the management setting.
Disable sharing of calendar information outside the container.<VulnDiscussion>Calendar events can include potentially DoD-sensitive data such as names, contacts, dates and times, and locations. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable sharing of calendar information outside the container.
On the MDM Administration Console, disable the "Allow Export Calendar to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Export Calendar to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the Knox container.
2. Select "Knox Settings".
3. Select "Share data".
4. Verify "Export to Personal Mode - Calendar" is disabled and attempt to enable this setting.
If the "Allow Export Calendar to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-015250
The Samsung Knox for Android container must be configured to implement the management setting.
Disable sharing of contact information outside the container.<VulnDiscussion>Contacts can include DoD-sensitive data and PII of DoD employees including names, numbers, addresses, and email addresses. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable sharing of contact information outside the container.
On the MDM Administration Console, disable the "Allow Export Contact to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Export Contact to Personal Mode" setting in the "Android Knox Container -> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the Knox container.
2. Select "Knox Settings".
3. Select "Share data".
4. Verify "Export to Personal Mode - Contact" is disabled and attempt to enable this setting.
If the "Allow Export Contact to Personal Mode" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-39-015300
The Samsung Knox for Android container must be configured to implement the management setting.
Disable sharing of notification details outside the container.<VulnDiscussion>Application notifications can include DoD-sensitive data. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of DoD data.
SFR ID: FMT_SMF.1.1 #42</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable sharing of notification details outside the container.
On the MDM Administration Console, disable the "Allow Show detailed notifications" setting in the "Android Knox Container -> Container Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow Show detailed notifications" setting in the "Android Knox Container -> Container Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open the Knox container.
2. Select "Knox Settings".
3. Verify "Show detailed notifications" is disabled and attempt to enable this setting.
If the "Allow Show detailed notifications" configuration in the MDM console is enabled, or if the user is able to successfully enable this setting, this is a finding.
PP-MDF-991000<GroupDescription></GroupDescription>KNOX-35-023700
The Samsung Knox for Android platform must be configured to disable firmware updates over-the-air (FOTA).<VulnDiscussion>FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (e.g., disabling applications determined to pose risk), the administrator can re-enable FOTA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699CCI-000366
Configure the mobile operating system to disable FOTA.
On the MDM Administration Console, disable the "Allow FOTA" setting in the "Android Restrictions" rule.
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.
Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow FOTA" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.
On the Samsung Knox for Android device:
1. Open device settings.
2. Select "About device".
3. Attempt to select "Software update".
(**Note: The location of this menu can vary between models.)
If the "Allow FOTA" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding.
**Note: After reviewing the update and adjusting any necessary policies (e.g., disabling applications determined to pose risk), the administrator can re-enable FOTA.
Unsupported Mobile Operating System<GroupDescription></GroupDescription>KNOX-39-000000
Samsung Android operating systems that are no longer supported by the vendor for security updates must not be installed on a system.<VulnDiscussion>Android operating systems that are no longer supported by Samsung for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack. Organizations must transition to a supported operating system to ensure continued support.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Samsung Android with Knox 2.xDISADPMS TargetSamsung Android with Knox 2.x2699
Upgrade the Samsung Android mobile devices to a supported operating system of 5.0 or greater.
1. On the home screen, tap Apps >> Settings.
2. Find and tap on "About Device".
This displays the following information:
-- Model number: This number can indicate which carrier you are using, which KNOX components are preloaded, and which apps might be hidden by a carrier.
-- Android version: If the version number begins with 4.4, the device is running Android KitKat. If the version number begins with 5, the device is running Android Lollipop.
-- Build number: This number encodes the Android software build and when it was released:
- Android code family: L=Lollipop, K=KitKat, J=Jelly Bean
- Code branch: R=primary, S=secondary
- Release quarter: one letter per quarter, counting from A=Q1 2009, so T=Q4 2013
- Release date: day within the release quarter, 01=first day of the quarter, so T49=Nov 18 2013 and S15=Jul 15 2013
- Build made that day: A=first build, H=eighth build
If the version number is less than 5.0, this is a finding.