STIGQter STIGQter: STIG Summary: Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 25 Oct 2019: The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.

DISA Rule

SV-91255r1_rule

Vulnerability Number

V-76559

Group Title

PP-MDF-301230

Rule Version

KNOX-07-004950

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android 7 with Knox to disable backup to remote systems (including commercial clouds).

On the MDM console, do the following:
- Deselect the "Allow Google Accounts Auto Sync" checkbox in the "Android Restrictions" rule.
- List all pre-installed public cloud backup applications, in the application disable list

Check Contents

This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.

Review Samsung Android 7 with Knox configuration settings to determine if the capability to back up to a remote system has been disabled.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Accounts Auto Sync" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
3. View the "application disable list".
4. Verify the list contains all preinstalled cloud backup applications.

On the Samsung Android 7 with Knox device, do the following:
1. Attempt to launch a cloud backup application located on the device.
2. Verify the application will not launch.

If the MDM console "Allow Google Accounts Auto Sync" checkbox is selected, or on the Samsung Android 7 with Knox device, the user can enable "Back up my data", this is a finding.

If the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.

Vulnerability Number

V-76559

Documentable

False

Rule Version

KNOX-07-004950

Severity Override Guidance

This requirement is Not Applicable if the AO has approved unmanaged personal space/container (COPE use case). The site must have an AO signed document showing the AO has assumed the risk for using an unmanaged personal container.

Review Samsung Android 7 with Knox configuration settings to determine if the capability to back up to a remote system has been disabled.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow Google Accounts Auto Sync" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.
3. View the "application disable list".
4. Verify the list contains all preinstalled cloud backup applications.

On the Samsung Android 7 with Knox device, do the following:
1. Attempt to launch a cloud backup application located on the device.
2. Verify the application will not launch.

If the MDM console "Allow Google Accounts Auto Sync" checkbox is selected, or on the Samsung Android 7 with Knox device, the user can enable "Back up my data", this is a finding.

If the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.

Check Content Reference

M

Target Key

3253

Comments