STIGQter: STIG Summary: Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 20 Nov 2020

Samsung Android must be enrolled as a COPE/COBO device.

DISA Rule

SV-231000r607691_rule

Vulnerability Number

V-231000

Group Title

PP-MDF-991000

Rule Version

KNOX-11-018500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Enroll the Samsung Android device in a DoD-approved use case by either of the following methods:

Method #1: Work profile for company-owned devices (COPE)

On the management tool, configure the default enrollment as "Work profile for company-owned devices".

****

Method #2: Fully Managed (COBO)

On the management tool, configure the default enrollment as "Fully managed".

****

Refer to the management tool documentation to determine how to configure the device enrollment.

Check Contents

Confirm whether Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Validation Procedure for Method #1: Work profile for company-owned devices (COPE)

On the management tool, verify that the default enrollment is set to "Work profile for company-owned devices".

On the Samsung Android device:
1. Open Settings >> Work profile >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that the "Personal" and "Work" tabs are present.

If on the management tool the default enrollment is not set as "Work profile for company-owned devices", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.

****

Validation Procedure for Method #2: Fully Managed (COBO)

On the management tool, verify that the default enrollment is set as "Fully managed".

On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.

****

If on the management tool the default enrollment is not set as "Fully managed", or the management tool Agent is not listed, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5247
