STIGQter STIGQter: STIG Summary: Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 25 Oct 2019: The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side.

DISA Rule

SV-91295r1_rule

Vulnerability Number

V-76599

Group Title

PP-MDF-301060

Rule Version

KNOX-07-017100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android 7 with Knox native VPN client in one of the following configurations so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only.
3. Configured for per app use for the personal side.

This implementation guidance covers the first of these options.

On the MDM console, deselect the "Allow VPN" checkbox in the "Android Restrictions" rule.

Check Contents

Not Applicable for the COBO use case.

The native VPN client on Samsung Android 7 with Knox must be configured in one of the following configurations:
1. Disabled
2. Configured for container use only
3. Configured for per app use for the personal side

This validation procedure covers the first of these options. This procedure is Not Applicable if option 2 or 3 was implemented at the site.

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device native VPN client is disabled.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow VPN" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.

On the Samsung Android 7 with Knox device, do the following:
1. Open device settings.
2. Select "Connections".
3. Select "More".
4. Verify the "VPN" is disabled (grayed out) and cannot be selected.

If the MDM console "Allow VPN" checkbox is selected or on the Samsung Android 7 with Knox device, the user can select "VPN", this is a finding.

Vulnerability Number

V-76599

Documentable

False

Rule Version

KNOX-07-017100

Severity Override Guidance

Not Applicable for the COBO use case.

The native VPN client on Samsung Android 7 with Knox must be configured in one of the following configurations:
1. Disabled
2. Configured for container use only
3. Configured for per app use for the personal side

This validation procedure covers the first of these options. This procedure is Not Applicable if option 2 or 3 was implemented at the site.

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device native VPN client is disabled.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Allow VPN" checkbox in the "Android Restrictions" rule.
2. Verify the checkbox is not selected.

On the Samsung Android 7 with Knox device, do the following:
1. Open device settings.
2. Select "Connections".
3. Select "More".
4. Verify the "VPN" is disabled (grayed out) and cannot be selected.

If the MDM console "Allow VPN" checkbox is selected or on the Samsung Android 7 with Knox device, the user can select "VPN", this is a finding.

Check Content Reference

M

Target Key

3253

Comments