STIGQter: STIG Summary: Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide (Version: 1, Release: 6, Benchmark Date: 25 Oct 2019)

The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics:

- Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).

DISA Rule

SV-91225r1_rule

Vulnerability Number

V-76529

Group Title

PP-MDF-301100

Rule Version

KNOX-07-001600

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android 7 with Knox application disable list to include applications with the following characteristics:

- Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).

On the MDM console, add all applications which back up MD data to non-DoD cloud servers (including user and application access to cloud backup services) to the "Application disable list" setting in the "Android Applications" rule.

Note: Refer to the Supplemental document for additional information.

Note: Include Samsung Accounts on the list.

Check Contents

Note: This requirement is Not Applicable if the AO has approved an unmanaged personal space/container (COPE use case). The site must have an AO-signed document showing the AO has assumed the risk of using an unmanaged personal container.

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:

- Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).

This validation procedure is performed only on the MDM Administration Console.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the list contains all applications which back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).

If the MDM console "Application disable list" is not properly configured, or if the user is able to launch the applications on the list on the Samsung Android 7 with Knox device, this is a finding.

Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.

Note: The following application allows a user to configure a Samsung Account on the device, which allows the user to back up files (including S Health data) to Samsung servers, as well as download applications from the Samsung Apps (Galaxy Apps) store: Samsung Account application.

Note: Refer to the Supplemental document for additional information.

Documentable

False

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

3253

Comments