STIGQter: STIG Summary: Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Move files to personal

DISA Rule

SV-230992r607691_rule

Vulnerability Number

V-230992

Group Title

PP-MDF-301260

Rule Version

KNOX-11-008900

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002191 - The organization defines the information flow control policies to be enforced by the information system using protected processing domains.

Weight

10

Fix Recommendation

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.

This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only.

On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow".

NOTE: "Move files to workspace" may be configured if there is a DoD mission need for this feature.

Check Contents

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable to COPE only.

This procedure is performed on the management tool Administration console only.

This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed.

On the management tool, in the Work Environment RCP section, verify "Move files to personal" is set to "Disallow".

If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding.

If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Vulnerability Number

V-230992

Documentable

False

Rule Version

KNOX-11-008900

Severity Override Guidance

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable to COPE only.

This procedure is performed on the management tool Administration console only.

This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed.

On the management tool, in the Work Environment RCP section, verify "Move files to personal" is set to "Disallow".

If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding.

If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Check Content Reference

M

Target Key

5247

Comments