STIGQter STIGQter: STIG Summary: Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Apr 2020:

Samsung Android must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, list of package names.

DISA Rule

SV-102949r1_rule

Vulnerability Number

V-92861

Group Title

PP-MDF-301090

Rule Version

KNOX-09-000070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to enforce an application installation whitelist.

The application installation whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-09-000050.

Do one of the following:
- Method #1: Use managed Google Play for the Device (managed device).
- Method #2: Use Knox application installation whitelist.

****

Method #1: On the MDM console, for the device, in the "managed Google Play" group, add each AO-approved package to the managed Google Play application installation whitelist.

****

Method #2: On the MDM console, for the device, in the "Knox application" group, add each AO-approved package to the application installation whitelist.

Refer to the MDM documentation to determine the following:
- If an application installation blacklist is also required to be configured when enforcing an application installation whitelist.
- If the MDM supports adding packages to the application installation whitelist by package name and/or digital signature or supports a combination of the two.

****

Note: Refer to the "System Apps That Must Not Be Disabled" table in the Supplemental document for this STIG. These apps must be included in the application installation whitelist to allow updates.

Check Contents

Review device configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

Confirm if Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.

****

Method #1: On the MDM console, for the device, in the "managed Google Play" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

****

Method #2: On the MDM console, for the device, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the AO.

If the application installation whitelist contains non-AO-approved packages, this is a finding.

Vulnerability Number

V-92861

Documentable

False

Rule Version

KNOX-09-000070

Severity Override Guidance

Review device configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

Confirm if Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.

****

Method #1: On the MDM console, for the device, in the "managed Google Play" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

****

Method #2: On the MDM console, for the device, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the AO.

If the application installation whitelist contains non-AO-approved packages, this is a finding.

Check Content Reference

M

Target Key

3495

Comments