Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-99931	KNOX-10-001500	SV-109035r1_rule		Medium

Description
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19

Description

Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #19

STIG	Date
Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide	2020-03-24

Details

Check Text ( C-98781r1_chk )
Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. ** Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE). On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow". For COPE: On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. For COBO: On the Samsung Android device, do the following: 1. Open Settings >> Lock screen. 2. Verify that "Notifications" are disabled. If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding. ** Method #2: Use KPE notification sanitization for notifications (COPE only). On the management tool, in the Work Environment KPE RCP section, verify that "Show detailed notifications" is set to "Disallow". On the Samsung Android device, do the following: 1. Open Settings >> Work profile >> Notification and data. 2. Verify that "Show notification content" is disabled. If on the management tool "Show detailed notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.

Check Text ( C-98781r1_chk )

Review Samsung Android configuration settings to determine if Samsung Android displays (Work Environment) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE).

On the management tool, in the Work Environment restrictions section, verify that "Unredacted Notifications" is set to "Disallow".

For COPE: On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Notification and data.
2. Verify that "Show notification content" is disabled.

For COBO: On the Samsung Android device, do the following:
1. Open Settings >> Lock screen.
2. Verify that "Notifications" are disabled.

If on the management tool "Unredacted Notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.

****

Method #2: Use KPE notification sanitization for notifications (COPE only).

On the management tool, in the Work Environment KPE RCP section, verify that "Show detailed notifications" is set to "Disallow".

On the Samsung Android device, do the following:
1. Open Settings >> Work profile >> Notification and data.
2. Verify that "Show notification content" is disabled.

If on the management tool "Show detailed notifications" is not set to "Disallow", or on the Samsung Android device "Show notification content" is not disabled, this is a finding.

Fix Text (F-105615r1_fix)
Configure Samsung Android to not display (Work Environment) notifications when the device is locked. Do one of the following: - Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE). - Method #2: Use KPE notification sanitization for notifications (COPE only). ** Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE). On the management tool, in the Work Environment restrictions section, set "Unredacted Notifications" to "Disallow". ** Method #2: Use KPE notification sanitization for notifications (COPE only). On the management tool, in the Work Environment KPE RCP section, set "Show detailed notifications" to "Disallow".

Fix Text (F-105615r1_fix)

Configure Samsung Android to not display (Work Environment) notifications when the device is locked.

Do one of the following:
- Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE).
- Method #2: Use KPE notification sanitization for notifications (COPE only).

****

Method #1: Disable unredacted notifications on the Keyguard (COBO or COPE).

On the management tool, in the Work Environment restrictions section, set "Unredacted Notifications" to "Disallow".

****

Method #2: Use KPE notification sanitization for notifications (COPE only).

On the management tool, in the Work Environment KPE RCP section, set "Show detailed notifications" to "Disallow".