STIGQter: STIG Summary: Samsung Android OS 8 with Knox 3.x COBO Use Case Security Technical Implementation Guide

Version: 1

Release: 4

Benchmark Date: 25 Oct 2019

| Name | Title |
|---|---|
| SV-94865r1_rule | Samsung Android 8 with Knox must implement the management setting: Account whitelist. |
| SV-94867r1_rule | Samsung Android 8 with Knox must implement the management setting: Account blacklist. |
| SV-94869r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure application disable list. |
| SV-94871r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure application install blacklist. |
| SV-94873r1_rule | Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: List of digital signatures or list of package names. |
| SV-94875r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services). |
| SV-94877r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice assistant application if available when mobile device (MD) is locked. |
| SV-94879r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice dialing application if available when MD is locked. |
| SV-94881r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user. |
| SV-94883r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices (MDs) or printers. |
| SV-94885r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers. |
| SV-94887r1_rule | Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]: Disable unknown sources. |
| SV-94889r1_rule | Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the Battery optimizations modes Whitelist. |
| SV-94891r1_rule | Samsung Android 8 with Knox must be configured to: Disable Bixby Vision. |
| SV-94893r1_rule | Samsung Android 8 with Knox must implement the management setting: Enable Audit Log. |
| SV-94895r1_rule | Samsung Android 8 with Knox must be configured to not display the following notifications when the device is locked: All notifications. |
| SV-94897r1_rule | Samsung Android 8 mobile device users must complete required training. |
| SV-94899r1_rule | The Samsung DeX Station/Pad multimedia dock must not be connected directly to a DoD network. |
| SV-94901r1_rule | Samsung Android 8 with Knox must be configured to enforce a minimum password length of six characters. |
| SV-94903r1_rule | Samsung Android 8 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters. |
| SV-94905r2_rule | Samsung Android 8 with Knox must implement the management setting: Configure minimum password complexity. |
| SV-94907r1_rule | Samsung Android 8 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity. |
| SV-94909r1_rule | Samsung Android 8 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts. |
| SV-94911r1_rule | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the products Common Criteria evaluation (fingerprint and iris scan are allowed). |
| SV-94913r1_rule | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Intelligent Scanning. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the products Common Criteria evaluation (fingerprint and iris scan are allowed). |
| SV-94915r1_rule | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Face Recognition. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the products Common Criteria evaluation (fingerprint and iris scan are allowed). |
| SV-94917r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable automatic completion of browser text input. |
| SV-94919r1_rule | Samsung Android 8 with Knox must be configured to disable multi-user modes. |
| SV-94921r1_rule | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report. |
| SV-94923r1_rule | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report Diagnostic Info. |
| SV-94925r1_rule | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics. |
| SV-94927r1_rule | Samsung Android 8 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). |
| SV-94929r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Allow New Admin Install. |
| SV-94931r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Admin Remove. |
| SV-94933r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable S Voice. |
| SV-94935r1_rule | Samsung Android 8 with Knox must be configured to disable USB mass storage mode. |
| SV-94937r2_rule | Samsung Android 8 with Knox must implement the management setting: Enable CC mode. |
| SV-94939r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Manual Date Time Changes. |
| SV-94941r1_rule | Samsung Android 8 with Knox must implement the management setting: USB host mode whitelist. |
| SV-94943r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure disable Share Via List. |
| SV-94945r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Android Beam. |
| SV-94947r1_rule | Samsung Android 8 with Knox must be configured to: Disable upload of DoD contact information. |
| SV-94949r1_rule | Samsung Android 8 with Knox for Android must implement the management setting: Disable Samsung Wi-Fi Sharing. |
| SV-94951r1_rule | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync. |
| SV-94953r1_rule | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems. |
| SV-94955r1_rule | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup. |
| SV-94957r1_rule | Samsung Android 8 with Knox must be configured to disable developer modes. |
| SV-94959r1_rule | Samsung Android 8 with Knox must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key. |
| SV-94961r1_rule | The Samsung Android 8 with Knox device must have the latest available Samsung Android operating system (OS) installed. |
| SV-94963r1_rule | Samsung Android 8 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled. |
| SV-94965r1_rule | Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check. |
| SV-94967r1_rule | Samsung Android 8 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device. |
| SV-94969r1_rule | Samsung Android 8 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device. |