STIGQter: STIG Summary: Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide

Version: 1

Release: 6

Benchmark Date: 25 Oct 2019

| Name | Title |
| --- | --- |
| SV-91211r1_rule | The Samsung Android 7 with Knox must be configured to enforce a minimum password length of six characters. |
| SV-91213r1_rule | The Samsung Android 7 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters. |
| SV-91215r1_rule | The Samsung Android 7 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity. |
| SV-91217r1_rule | The Samsung Android 7 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts. |
| SV-91219r1_rule | The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]. Disable Google Play. |
| SV-91221r1_rule | The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]. Disable unknown sources. |
| SV-91223r1_rule | The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: list of digital signatures, list of package names. |
| SV-91225r1_rule | The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services). |
| SV-91227r1_rule | The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Transmit MD diagnostic data to non-DoD servers. |
| SV-91229r1_rule | The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Voice assistant application if available when MD is locked. |
| SV-91231r1_rule | The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Voice dialing application if available when MD is locked. |
| SV-91233r1_rule | The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Allows synchronization of data or applications between devices associated with user. |
| SV-91235r1_rule | The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. |
| SV-91237r1_rule | The Samsung Android 7 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). |
| SV-91239r1_rule | The Samsung Android 7 with Knox must be configured to not display the following notifications when the device is locked: All notifications. |
| SV-91241r1_rule | The Samsung Android 7 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled. |
| SV-91243r1_rule | The Samsung Android 7 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor and fingerprint authentication. Disable Trust Agents. |
| SV-91245r1_rule | The Samsung Android 7 with Knox must be configured to disable developer modes. |
| SV-91247r1_rule | The Samsung Android 7 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device. |
| SV-91249r1_rule | The Samsung Android 7 with Knox must be configured to disable USB mass storage mode. |
| SV-91251r1_rule | The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems. |
| SV-91253r1_rule | The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup. |
| SV-91255r1_rule | The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync. |
| SV-91257r1_rule | The Samsung Android 7 with Knox must be configured to enable authentication of personal hotspot connections to the device using a preshared key. |
| SV-91259r1_rule | The Samsung Android 7 with Knox must be configured to disable exceptions to the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. |
| SV-91261r1_rule | The Samsung Android 7 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Disable Google Crash Report. |
| SV-91263r1_rule | The Samsung Android 7 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Disable Report Diagnostic Info. |
| SV-91265r1_rule | The Samsung Android 7 with Knox must be configured to disable multi-user modes. |
| SV-91267r2_rule | The Samsung Android 7 with Knox must implement the management setting: Enable CC mode. |
| SV-91269r1_rule | The Samsung Android 7 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device. |
| SV-91271r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable Allow New Admin Install. |
| SV-91273r1_rule | The Samsung Android 7 with Knox must implement the management setting: Configure application install blacklist. |
| SV-91277r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable USB host storage. |
| SV-91279r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable S Voice. |
| SV-91281r1_rule | The Samsung Android 7 with Knox must be configured to implement the management setting: Enable Container. |
| SV-91283r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable Admin Remove. |
| SV-91285r1_rule | The Samsung Android 7 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check. |
| SV-91287r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable Manual Date Time Changes. |
| SV-91289r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable Move Files from Container to Personal. |
| SV-91291r1_rule | The Samsung Android 7 with Knox must implement the management setting: Container Account whitelist. |
| SV-91293r1_rule | The Samsung DeX Station multimedia dock must not be connected directly to a DoD network. |
| SV-91295r1_rule | The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side. |
| SV-91297r1_rule | The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only 3. Configured for per app use for the personal side |
| SV-91299r1_rule | The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side. |
| SV-91301r1_rule | If a third-party VPN client is installed in the personal space/container, it must not be configured with a DoD network (work) VPN profile. |
| SV-91303r1_rule | The Samsung Android 7 with Knox must be configured to disable Phone Visibility. |
| SV-91305r1_rule | The Samsung Android 7 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor. Disable Face Recognition. |
| SV-91309r1_rule | The Samsung Android 7 with Knox must be configured to Disable Bixby. |
| SV-91311r1_rule | The Samsung Android 7 with Knox must be configured to Disable Smart Call. |
| SV-91313r1_rule | The Samsung Android 7 with Knox must be configured to Add the MDM Client application to the Battery optimizations modes Whitelist. |
| SV-91315r1_rule | The Samsung Android 7 with Knox must implement the management setting: Configure application disable list. |
| SV-91317r2_rule | The Samsung Android 7 with Knox must implement the management setting: Configure minimum password complexity. |
| SV-91319r1_rule | The Samsung Android 7 with Knox must implement the management setting: Enable Audit Log. |
| SV-91321r1_rule | The Samsung Android 7 with Knox must use a NIAP certified container for work data and applications. |
| SV-91323r1_rule | Samsung Android 7 mobile device users must complete required training. |
| SV-91325r1_rule | The Samsung Android 7 with Knox platform must implement the management setting Disable Nearby devices. |
| SV-91327r1_rule | The Samsung Android 7 with Knox platform must implement the management setting: Disable Samsung WiFi Sharing. |
| SV-91329r1_rule | The Samsung Android 7 with Knox must be configured to not allow Container passwords that include more than two repeating or sequential characters. |
| SV-91331r1_rule | The Samsung Android 7 with Knox must be configured to enforce a Container application installation policy by specifying an application whitelist that restricts applications by the following characteristics list of digital signatures, names. |
| SV-91333r1_rule | The Samsung Android 7 with Knox must be configured to lock the container after 15 minutes (or less) of inactivity. |
| SV-91335r1_rule | The Samsung Android 7 with Knox must implement the management setting: Configure to enforce a minimum Container password length of 4 characters. |
| SV-91337r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable sharing of calendar information outside the Container. |
| SV-91339r1_rule | The Samsung Android 7 with Knox must implement the management setting: Configure to prohibit more than 10 consecutive failed Container authentication attempts. |
| SV-91341r1_rule | The Samsung Android 7 with Knox must be configured to disable sharing of contact information outside the Container. |
| SV-91343r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable sharing of notification details outside the Container when the container is locked. |
| SV-91345r1_rule | The Samsung Android 7 with Knox must implement the management setting: Configure Container application install blacklist. |
| SV-91347r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable Move Applications to Container. |
| SV-91349r1_rule | The Samsung Android 7 with Knox must implement the management setting: Configure Container application disable list. |
| SV-91351r1_rule | The Samsung Android 7 with Knox must implement the management setting: Disable automatic completion of Container browser text input. |
| SV-91353r1_rule | The Samsung Android 7 with Knox must implement the management setting: Container Account blacklist. |
| SV-91355r2_rule | The Samsung Android 7 with Knox must implement the management setting: Configure minimum Container password complexity. |