STIGQter: STIG Summary: Samsung Android OS 8 with Knox 3.x COPE Use Case Security Technical Implementation Guide

Version: 1

Release: 4

Benchmark Date: 25 Oct 2019

Name | Title
SV-94971r1_rule | Samsung Android 8 with Knox must implement the management setting: CONTAINER Account whitelist.
SV-94973r1_rule | Samsung Android 8 with Knox must implement the management setting: CONTAINER Account blacklist.
SV-94975r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure application disable list.
SV-94977r1_rule | The Samsung Android 8 with Knox CONTAINER must implement the management setting: Configure CONTAINER application disable list.
SV-94979r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure CONTAINER application install blacklist.
SV-94981r1_rule | Samsung Android 8 with Knox must be configured to enforce a CONTAINER application installation policy by specifying an application whitelist that restricts applications by the following characteristics: List of digital signatures, names.
SV-94983r1_rule | The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers.
SV-94985r1_rule | The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services).
SV-94987r1_rule | The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers.
SV-94989r1_rule | The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Voice assistant application if available when mobile device (MD) is locked.
SV-94991r1_rule | The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Voice dialing application if available when mobile device (MD) is locked.
SV-94993r1_rule | The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user.
SV-94995r1_rule | The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices (MDs) or printers.
SV-94997r1_rule | Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]: Disable unknown sources.
SV-94999r1_rule | Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the Battery optimizations modes Whitelist.
SV-95001r1_rule | Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the CONTAINER Battery optimizations modes Whitelist.
SV-95003r1_rule | The Samsung Android 8 with Knox CONTAINER must be configured to: Disable Bixby Vision.
SV-95005r1_rule | Samsung Android 8 with Knox must implement the management setting: Enable Audit Log.
SV-95007r1_rule | Samsung Android 8 with Knox must be configured to disable exceptions to the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
SV-95009r1_rule | Samsung Android 8 with Knox must be configured to implement the management setting: Enable CONTAINER.
SV-95011r1_rule | Samsung Android 8 with Knox must use a NIAP-certified CONTAINER for work data and applications.
SV-95013r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable sharing of notification details outside the CONTAINER when the CONTAINER is locked.
SV-95015r1_rule | Samsung Android 8 mobile device users must complete required training.
SV-95017r1_rule | The Samsung DeX Station/Pad multimedia dock must not be connected directly to a DoD network.
SV-95019r1_rule | Samsung Android 8 with Knox must be configured to enforce a minimum password length of six characters.
SV-95021r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure to enforce a minimum CONTAINER password length of four characters.
SV-95023r1_rule | Samsung Android 8 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters.
SV-95025r1_rule | Samsung Android 8 with Knox must be configured to not allow CONTAINER passwords that include more than two repeating or sequential characters.
SV-95027r2_rule | Samsung Android 8 with Knox must implement the management setting: Configure minimum password complexity.
SV-95029r2_rule | Samsung Android 8 with Knox must implement the management setting: Configure minimum CONTAINER password complexity.
SV-95031r1_rule | Samsung Android 8 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity.
SV-95033r1_rule | Samsung Android 8 with Knox must be configured to lock the CONTAINER after 15 minutes (or less) of inactivity.
SV-95035r1_rule | Samsung Android 8 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts.
SV-95037r1_rule | Samsung Android 8 with Knox must implement the management setting: Configure to prohibit more than 10 consecutive failed CONTAINER authentication attempts.
SV-95039r1_rule | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
SV-95041r1_rule | The Samsung Android 8 with Knox CONTAINER must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
SV-95043r1_rule | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Intelligent Scanning. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
SV-95045r1_rule | Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Face Recognition. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
SV-95047r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable automatic completion of CONTAINER browser text input.
SV-95049r1_rule | Samsung Android 8 with Knox must be configured to disable multi-user modes.
SV-95051r1_rule | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.
SV-95053r1_rule | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report Diagnostic Info.
SV-95055r1_rule | The Samsung Android 8 with Knox CONTAINER must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.
SV-95057r1_rule | Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics.
SV-95059r1_rule | The Samsung Android 8 with Knox CONTAINER must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics.
SV-95061r1_rule | Samsung Android 8 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
SV-95063r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Allow New Admin Install.
SV-95065r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Admin Remove.
SV-95067r1_rule | The Samsung Android 8 with Knox CONTAINER must implement the management setting: Disable Allow New Admin Install.
SV-95069r1_rule | The Samsung Android 8 with Knox CONTAINER must implement the management setting: Disable S Voice.
SV-95071r1_rule | Samsung Android 8 with Knox must be configured to disable USB mass storage mode.
SV-95073r2_rule | Samsung Android 8 with Knox must implement the management setting: Enable CC mode.
SV-95075r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Manual Date Time Changes.
SV-95077r1_rule | Samsung Android 8 with Knox must implement the management setting: USB host mode whitelist.
SV-95079r1_rule | The Samsung Android 8 with Knox CONTAINER must implement the management setting: Configure disable Share Via List.
SV-95081r1_rule | The Samsung Android 8 with Knox CONTAINER must be configured to: Disable upload of DoD contact information.
SV-95083r1_rule | Samsung Android 8 with Knox for Android must implement the management setting: Disable Samsung Wi-Fi Sharing.
SV-95085r1_rule | The Samsung Android 8 with Knox CONTAINER must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.
SV-95087r1_rule | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
SV-95089r1_rule | Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup.
SV-95091r1_rule | Samsung Android 8 with Knox must be configured to disable developer modes.
SV-95093r1_rule | Samsung Android 8 with Knox must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
SV-95095r1_rule | The Samsung Android 8 with Knox device must have the latest available Samsung Android operating system (OS) installed.
SV-95097r1_rule | Samsung Android 8 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled.
SV-95099r1_rule | Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
SV-95101r1_rule | The Samsung Android 8 with Knox CONTAINER must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
SV-95103r1_rule | Samsung Android 8 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
SV-95105r1_rule | The Samsung Android 8 with Knox CONTAINER must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
SV-95107r1_rule | Samsung Android 8 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.
SV-95109r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Move Files from CONTAINER to Personal.
SV-95111r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable sharing of calendar information outside the CONTAINER.
SV-95113r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable sharing of clipboard information outside the CONTAINER.
SV-95115r1_rule | Samsung Android 8 with Knox must be configured to disable sharing of contact information outside the CONTAINER.
SV-95117r1_rule | Samsung Android 8 with Knox must implement the management setting: Disable Move Applications to CONTAINER.
SV-95119r1_rule | The Samsung Android 8 with Knox VPN client must be configured in one of the following configurations: 1. Disabled; 2. Configured for CONTAINER use only; or 3. Configured for per app use for the personal side.
SV-95121r1_rule | The Samsung Android 8 with Knox VPN client must be configured in one of the following configurations: 1. Disabled; 2. Configured for CONTAINER use only; or 3. Configured for per app use for the personal side.
SV-95123r1_rule | The Samsung Android 8 with Knox VPN client must be configured in one of the following configurations: 1. Disabled; 2. Configured for CONTAINER use only; or 3. Configured for per app use for the personal side.
SV-95125r1_rule | If a third-party VPN client is installed in the personal space, it must not be configured with a DoD network (work) VPN profile.