STIGQter STIGQter: STIG Summary: Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 25 Oct 2019: The Samsung Android 7 with Knox must implement the management setting: Enable CC mode.

DISA Rule

SV-91267r2_rule

Vulnerability Number

V-76571

Group Title

PP-MDF-991000

Rule Version

KNOX-07-012100

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android 7 with Knox to enforce CC mode.

On the MDM console, enable the "Enable CC mode" setting in the "Android Advanced Restrictions" rule.

If this setting is not available on the console, install the CC mode APK and enable CC mode from this application.

This APK will be made available by Samsung.

Note: Before applying CC policy, the CC mode state will be "Ready". Once policy is applied, the state will change to "Enforced" until device meets all the prerequisites.

If device meets all prerequisites, CC mode will be enabled after rebooting and state will change to "Enabled".

If the device is tampered or FIPS self-test is failed, the state will change to "Disabled".

Note: To fully enable CC mode, below prerequisites should be satisfied:
1. Enable Device Encryption
2. Enable SD Card Encryption
3. Set maximum Password Attempts before Wipe
4. Enable Certificate Revocation
5. Disable Password History

Check Contents

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing CC mode.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "CC Mode State" settings in the "Android Advanced Restrictions" rule.
2. Verify the value is enabled.

Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled.

On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "About Device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Verify the value of "Security software version" displays "Enabled".

If the MDM console "CC Mode State" is not set to "Enabled" or on the Samsung Android 7 with Knox device, "Security software version" does not display "Enabled", this is a finding.

Vulnerability Number

V-76571

Documentable

False

Rule Version

KNOX-07-012100

Severity Override Guidance

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing CC mode.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "CC Mode State" settings in the "Android Advanced Restrictions" rule.
2. Verify the value is enabled.

Note: If the MDM does not support CC mode, ask the MDM administrator if the Samsung APK has been installed and CC mode enabled.

On the Samsung Android 7 with Knox device, do the following:
1. Open the device settings.
2. Select "About Device".
3. Select "Software info". (Note: On some devices, this step is not needed.)
4. Verify the value of "Security software version" displays "Enabled".

If the MDM console "CC Mode State" is not set to "Enabled" or on the Samsung Android 7 with Knox device, "Security software version" does not display "Enabled", this is a finding.

Check Content Reference

M

Target Key

3253

Comments