STIGQter: STIG Summary: Google Android 11 COPE Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 11 Sept 2020:

The Google Android 11 Work Profile must be configured to prevent users from adding personal email accounts to the work email app.

DISA Rule

SV-228630r505889_rule

Vulnerability Number

V-228630

Group Title

PP-MDF-991000

Rule Version

GOOG-11-009200

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure Google Android 11 device to prevent users from adding personal email accounts to the work email app.

On the EMM console:
1. Open "Set user restrictions".
2. Toggle "Disallow modify accounts" to On.

Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app.

Check Contents

Review the Google Android 11 Work Profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.

This procedure is performed on both the EMM Administrator console and the Google Android 11 device.

On the EMM console:
1. Open "Set user restrictions".
2. Verify that "Disallow modify accounts" is toggled to On.

On the Google Android 11 device, do the following:
1. Open Settings.
2. Tap "Accounts".
3. Verify that "Add account" is grayed out under the Work section.

If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the Google Android 11 device the user is able to add an account in the Work section, this is a finding.

Vulnerability Number

V-228630

Documentable

False

Rule Version

GOOG-11-009200

Severity Override Guidance

Review the Google Android 11 Work Profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.

This procedure is performed on both the EMM Administrator console and the Google Android 11 device.

On the EMM console:
1. Open "Set user restrictions".
2. Verify that "Disallow modify accounts" is toggled to On.

On the Google Android 11 device, do the following:
1. Open Settings.
2. Tap "Accounts".
3. Verify that "Add account" is grayed out under the Work section.

If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the Google Android 11 device the user is able to add an account in the Work section, this is a finding.

Check Content Reference

M

Target Key

4229

Comments