STIGQter STIGQter: STIG Summary: Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jul 2020:

Samsung Android Workspace must be configured to enable a screen-lock policy that will lock the Workspace after a period of inactivity.

DISA Rule

SV-104031r2_rule

Vulnerability Number

V-93945

Group Title

PP-MDF-991000

Rule Version

KNOX-09-001475

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android Workspace to enforce a screen-lock policy that will lock the Workspace after a period of inactivity with a lock type that is configured with a minimum password quality.

On the MDM console, for the Workspace, in the "Knox password constraints" group, set "minimum password quality" to "PIN".

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Contents

Review the Samsung Android Workspace configuration settings to confirm that the device uses a screen-lock policy that will lock the Workspace after a period of inactivity and that the lock type is configured with a minimum password quality.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the Workspace, in the "Knox password constraints" group, verify that the "minimum password quality" is "PIN".

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Workspace".
3. Tap "Lock type".
4. Verify that "Swipe, Pattern, and None" cannot be enabled.

If on the MDM console "minimum password quality" is not set to "PIN", or on the Samsung Android device the user can select a lock type other than "password", this is a finding.
Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Vulnerability Number

V-93945

Documentable

False

Rule Version

KNOX-09-001475

Severity Override Guidance

Review the Samsung Android Workspace configuration settings to confirm that the device uses a screen-lock policy that will lock the Workspace after a period of inactivity and that the lock type is configured with a minimum password quality.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the Workspace, in the "Knox password constraints" group, verify that the "minimum password quality" is "PIN".

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Workspace".
3. Tap "Lock type".
4. Verify that "Swipe, Pattern, and None" cannot be enabled.

If on the MDM console "minimum password quality" is not set to "PIN", or on the Samsung Android device the user can select a lock type other than "password", this is a finding.
Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Content Reference

M

Target Key

3509

Comments