STIGQter: STIG Summary: Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Mar 2020

Samsung Android Work Environment must be configured to enable Certificate Revocation checking.

DISA Rule

SV-109093r1_rule

Vulnerability Number

V-99989

Group Title

PP-MDF-991000

Rule Version

KNOX-10-012000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android Work Environment to enable Certificate Revocation checking.

Do one of the following:
- Method #1: CRL checking
- Method #2: OCSP with CRL fallback

****

Method #1: CRL checking

On the management tool, in the Work profile KPE certificate section, set "Revocation check" to "enable for all apps".

Refer to the management tool documentation to determine how to configure Revocation checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".

****

Method #2: OCSP with CRL fallback

On the management tool, do the following:
1. In the Work profile KPE certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile KPE restrictions section, set "OCSP check" to "enable for all apps".

Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".

Check Contents

Review Samsung Android Work Environment configuration settings to determine if Certificate Revocation checking is enabled.

Confirm whether Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on the management tool Administration Console only.

****

Method #1: CRL checking

On the management tool, in the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding.

****

Method #2: OCSP with CRL fallback

On the management tool, do the following:
1. In the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile KPE restrictions section, verify that "OCSP check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.
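The decision logic of the check above, as an added example that is not part of the STIG or of any management tool: it evaluates a policy export against Method #1 (CRL checking) or Method #2 (OCSP with CRL fallback) and returns the findings. The export layout (a dict with "certificate" and "restrictions" sections and the keys `revocation_check` / `ocsp_check`) is a constructed assumption; real consoles expose these settings under their own names, and some accept the wildcard "*" for "all apps", which the helper treats as equivalent.

```python
"""Evaluate KNOX-10-012000 (certificate revocation checking) against a
management-tool policy export.

Example code added for illustration. The export structure used here is a
constructed assumption, not the schema of any real MDM product.
"""

ENABLED_ALL_APPS = "enable for all apps"
WILDCARD = "*"  # some management tools express "all apps" as a wildcard string


def _is_all_apps(value):
    """True when a setting value means 'enabled for all apps'."""
    if value is None:
        return False
    v = str(value).strip().lower()
    return v in (ENABLED_ALL_APPS, WILDCARD)


def check_revocation(policy, method):
    """Return the list of findings for the chosen method (empty == compliant).

    policy: dict with optional "certificate" and "restrictions" sections
            (constructed layout, see module docstring).
    method: 1 for CRL checking, 2 for OCSP with CRL fallback.
    """
    if method not in (1, 2):
        raise ValueError("method must be 1 (CRL) or 2 (OCSP with CRL fallback)")

    cert = policy.get("certificate", {})
    restrictions = policy.get("restrictions", {})
    findings = []

    # Both methods require revocation checking for all apps in the certificate section.
    if not _is_all_apps(cert.get("revocation_check")):
        findings.append('"Revocation check" is not set to "enable for all apps"')

    # Method #2 additionally requires OCSP checking for all apps in the restrictions section.
    if method == 2 and not _is_all_apps(restrictions.get("ocsp_check")):
        findings.append('"OCSP check" is not set to "enable for all apps"')

    return findings


def is_finding(policy, method):
    """Convenience wrapper: True when the rule is a finding under the given method."""
    return bool(check_revocation(policy, method))


# Constructed sample exports (not captured from a real console).
SAMPLE_CRL_ONLY = {
    "certificate": {"revocation_check": "enable for all apps"},
    "restrictions": {"ocsp_check": "disabled"},
}

SAMPLE_WILDCARD_NO_OCSP = {
    "certificate": {"revocation_check": "*"},
    "restrictions": {},
}

SAMPLE_OCSP_FALLBACK = {
    "certificate": {"revocation_check": "*"},
    "restrictions": {"ocsp_check": "Enable for all apps"},
}


if __name__ == "__main__":
    for name, policy in (("crl_only", SAMPLE_CRL_ONLY),
                         ("wildcard_no_ocsp", SAMPLE_WILDCARD_NO_OCSP),
                         ("ocsp_fallback", SAMPLE_OCSP_FALLBACK)):
        for method in (1, 2):
            result = check_revocation(policy, method)
            status = "FINDING" if result else "compliant"
            print(f"{name} / Method #{method}: {status} {result}")
```

Run the module directly to see each constructed export judged under both methods. The important behaviours are that a site using Method #1 is not penalised for a disabled OCSP check, and that under Method #2 a missing OCSP setting is a finding even when revocation checking itself is enabled.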

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3613

Comments