STIGQter: STIG Summary: Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide, Version: 1, Release: 4, Benchmark Date: 24 Jul 2020

Samsung Android must be configured to disable all Bluetooth profiles except HSP (Headset Profile), HFP (HandsFree Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).

DISA Rule

SV-103977r2_rule

Vulnerability Number

V-93891

Group Title

PP-MDF-301110

Rule Version

KNOX-09-000665

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to disable all Bluetooth profiles except HSP, HFP, SPP, A2DP, AVRCP, and PBAP.

On the MDM console, for the device, in the "Knox Bluetooth" group, select "HFP, HSP, SPP, A2DP, AVRCP, and PBAP" in the "allowed profiles".

Check Contents

Review device configuration settings to confirm that all Bluetooth profiles are disabled except HSP, HFP, SPP, A2DP, AVRCP, and PBAP.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Knox Bluetooth" group, verify that only "HFP, HSP, SPP, A2DP, AVRCP, and PBAP" are selected in the "allowed profiles".

On the Samsung Android device, verify that a Bluetooth peripheral that uses a profile other than HSP, HFP, SPP, A2DP, AVRCP, or PBAP (e.g., a Bluetooth keyboard) cannot be paired.

If on the MDM console "allowed profiles" has any selection other than "HSP, HFP, SPP, A2DP, AVRCP, and PBAP", or the Samsung Android device is able to pair with a Bluetooth keyboard, this is a finding.

Note: Disabling the Bluetooth radio will satisfy this requirement.

Documentable

False

Check Content Reference

M

Target Key

3509
