STIGQter: STIG Summary: Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jul 2020:

Samsung Android Workspace must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, list of package names.

DISA Rule

SV-103937r1_rule

Vulnerability Number

V-93851

Group Title

PP-MDF-301090

Rule Version

KNOX-09-000085

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-001806 - The organization defines methods to be employed to enforce the software installation policies.

Weight

10

Fix Recommendation

Configure Samsung Android Workspace to enforce an application installation whitelist.

The application installation whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-09-000055.

On the MDM console, for the Workspace, in the "Knox application" group, add each AO-approved package to the application installation whitelist.

Refer to the MDM documentation to determine the following:
- If an application installation blacklist is also required to be configured when enforcing an application installation whitelist.
- If the MDM supports adding packages to the application installation whitelist by package name and/or digital signature or supports a combination of the two.

Note: Refer to the "System Apps That Must Not Be Disabled" table in the Supplemental document for this STIG. These apps must be included in the application installation whitelist to allow updates.

Check Contents

Review the Samsung Android Workspace configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

On the MDM console, for the Workspace, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

Vulnerability Number

V-93851

Documentable

False

Rule Version

KNOX-09-000085

Severity Override Guidance

Review the Samsung Android Workspace configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

On the MDM console, for the Workspace, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

Check Content Reference

M

Target Key

3509

Comments