The mobile operating system must lock the device after no more than 15 minutes of inactivity.
The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user reestablishes access using established identification and authentication procedures.
A device lock is a temporary action taken when a user stops work but does not want to shut down because of the temporary nature of the hiatus. During the device lock a publicly viewable pattern is visible on the associated display, hiding what was previously visible on the screen. Once invoked, the device lock shall remain in place until the user re-authenticates. No other system activity aside from re-authentication can unlock the system.
The operating system must lock the device after the organization-defined time period. This prevents others from gaining access to the device, and to sensitive DoD information, when it is not in the user's possession. A device lock mitigates the risk that an adversary can access data on an unattended mobile device, but only after the maximum 15-minute period of inactivity.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.
Check that the appropriate setting is configured on the MDM server.
For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Max Time To Lock" setting in the "Android Password Restrictions" rule.
2. Verify the configured value is 15 or less.
On the Samsung Knox Android device:
1. Unlock the device.
2. Refrain from performing any activity on the device for 15 minutes.
3. Verify the MOS requires the user to enter the device unlock password to access the MOS.
If the device is not configured to lock after 15 minutes or less of inactivity, this is a finding.
Fix Text (F-KNOX-01-000300_fix)
Configure the mobile operating system to lock the device after no more than 15 minutes of inactivity.
For example, on the Fixmo Sentinel Administration Console, set the "Max Time To Lock" value to 15 or less in the "Android Password Restrictions" rule.