STIGQter STIGQter: STIG Summary: Samsung Android (with Knox 2.x) STIG Version: 1 Release: 4 Benchmark Date: 22 Apr 2016: The Samsung Knox for Android platform must be configured to disable firmware updates over-the-air (FOTA).

DISA Rule

SV-72379r1_rule

Vulnerability Number

V-57949

Group Title

PP-MDF-991000

Rule Version

KNOX-35-023700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the mobile operating system to disable FOTA.

On the MDM Administration Console, disable the "Allow FOTA" setting in the "Android Restrictions" rule.

Check Contents

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow FOTA" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.

On the Samsung Knox for Android device:
1. Open device settings.
2. Select "About device".
3. Attempt to select "Software update".
(**Note: Location of this menu can vary between models.)

If the "Allow FOTA" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding.

**Note. After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA.

Vulnerability Number

V-57949

Documentable

False

Rule Version

KNOX-35-023700

Severity Override Guidance

This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow FOTA" setting in the "Android Restrictions" rule.
2. Verify the setting is disabled.

On the Samsung Knox for Android device:
1. Open device settings.
2. Select "About device".
3. Attempt to select "Software update".
(**Note: Location of this menu can vary between models.)

If the "Allow FOTA" configuration in the MDM console is enabled, or if the user is able to successfully select software update, this is a finding.

**Note. After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA.

Check Content Reference

M

Target Key

2699

Comments