{
"stig": {
"date": "2019-10-01",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. This set of requirements is for the Corporate Owned Business Only (COBO) use case and assumes no personal data or applications are installed on the Samsung device and the full device is a secure work environment.",
"findings": {
"V-80161": {
"checkid": "C-79829r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing Account Whitelisting. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Account whitelist\" setting in the \"Android Accounts\" rule. \n2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil).\nNote: Proper configuration of Account blacklist is required for this configuration to function correctly.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open device settings.\n2. Select \"Accounts\".\n3. Select \"Accounts\".\n4. Select \"Add account\".\n5. Select \"Email\" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain.\n6. Verify the email account can be added.\n7. Attempt to add an email account with a domain not approved by DoD.\n8. Verify that the email account cannot be added.\n\nIf the MDM console \"Account whitelist\" is not set to contain DoD-approved email domains, or on the Samsung Android 8 with Knox device, the user is able to successfully configure the email account with a domain not approved by DoD, or the user is not able to install the DoD-approved email account, this is a finding.",
"description": "Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized recipients.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-86967r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce Account Whitelisting.\n\nOn the MDM console, add all DoD-approved email domains to the \"Account whitelist\" setting in the \"Android Accounts\" rule.\n\nNote: Recommended to add .*@mail.mil.\n\nNote: The whitelist has effect only in combination with the \"Account blacklist\" (KNOX-08-000200); a domain that is not blacklisted can be configured regardless of the whitelist.\n\nNote: Whitelist entries are patterns (the same syntax in which \".*\" denotes all domains). Confirm with the MDM vendor how an entry such as .*@mail.mil is matched; if it is treated as a regular expression, the unescaped \".\" and the absence of anchoring could allow it to match addresses outside the intended domain, so verify on the device that only accounts from approved domains can be added.",
"iacontrols": null,
"id": "V-80161",
"ruleID": "SV-94865r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Account whitelist.",
"version": "KNOX-08-000100"
},
"V-80163": {
"checkid": "C-79831r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing Account Blacklisting.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Account blacklist\" setting in the \"Android Accounts\" rule. \n2. Verify the setting is configured to all email domains not approved by DoD.\nNote: All email domains are specified by the wildcard string \".*\"\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open device settings.\n2. Select \"Accounts\".\n3. Select \"Accounts\".\n4. Select \"Add account\".\n5. Select \"Email\" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a non-approved domain.\n6. Verify the email account cannot be added.\n\nIf the MDM console \"Account blacklist\" is not set to all email domains not approved by DoD or on the Samsung Android 8 with Knox device, the user is able to successfully configure the non-DoD-approved email account, this is a finding.",
"description": "Blacklisting all email accounts is required so only whitelisted accounts can be configured.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-86969r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce Account Blacklisting.\n\nOn the MDM console, add all email domains not approved by DoD to the \"Account blacklist\" setting in the \"Android Accounts\" rule, or blacklist all accounts by using the wildcard string \".*\". The wildcard string will blacklist all email accounts except for those on the \"Account whitelist\" (KNOX-08-000100), and is the recommended approach because the set of non-approved domains cannot be enumerated.",
"iacontrols": null,
"id": "V-80163",
"ruleID": "SV-94867r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Account blacklist.",
"version": "KNOX-08-000200"
},
"V-80165": {
"checkid": "C-79833r1_chk",
"checktext": "Review Samsung Android 8 with Knox CONTAINER configuration settings to determine if the mobile device is enforcing application disable list.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Applications\" rule. \n2. Verify the list contains all core and pre-installed applications not approved for DoD use by the Authorizing Official (AO).\n\nNote: Refer to the Supplemental document for additional information.\n\nOn the Samsung Android 8 with Knox device, attempt to launch an application that is included on the disable list. \n\nNote: This application should not be visible.\n\nIf the MDM console \"Application disable list\" is not set to contain all core and pre-installed applications not approved by DoD or on the Samsung Android 8 with Knox device, the user is able to successfully launch an application on this list, this is a finding.",
"description": "Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps pre-installed by Google. Third-party pre-installed apps include apps from the vendor and carrier.\n\nSome of the applications can compromise DoD data or upload users' information to non-DoD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DoD data or DoD user information. The site Administrator must analyze all pre-installed applications on the device and block all applications not approved for DoD use by configuring the application disable list.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-86971r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce application disable list.\n\nOn the MDM console, add all pre-installed applications that are not DoD-approved to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.\n\nNote: Include Samsung Accounts on the list.",
"iacontrols": null,
"id": "V-80165",
"ruleID": "SV-94869r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Configure application disable list.",
"version": "KNOX-08-000700"
},
"V-80167": {
"checkid": "C-79835r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to Blacklist Application Install. \n\nThis validation procedure is performed on the MDM Administration Console only.\n\nOn the MDM console, perform Steps 1 and 2 or Steps 3 and 4:\n1. Ask the MDM Administrator to display the \"Package Name Blacklist\" setting in the \"Android Applications\" rule.\n2. Verify the setting is configured to include all package names (specified by the wildcard string \".*\").\n3. Ask the MDM Administrator to display the \"Signature Blacklist\" setting in the \"Android Applications\" rule.\n4. Verify the setting is configured to include all digital signatures (specified by the wildcard string \".*\").\n\nIf neither the MDM console \"Package Name Blacklist\" nor the \"Signature Blacklist\" setting is set to include all entries (\".*\"), this is a finding.\n\nNote: Whitelist entries (KNOX-08-001300) are exceptions to these blacklists; an application characteristic that is not blacklisted is implicitly allowed. Confirm that the blacklist covers at least the characteristic (package name or digital signature) used for the application whitelist.\n\nNote: Some MDM vendors implement this blacklist behind the scenes and do not expose a Blacklist setting to the administrator. In that case, verify from the MDM vendor documentation that all package names or digital signatures are blacklisted by default.",
"description": "Blacklisting all applications is required so that only whitelisted applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist and blacklist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-86973r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to Blacklist Application Install.\n\nOn the MDM console, do one of the following:\n1. Add all package names by wildcard (\".*\") to the \"Package Name Blacklist\" setting in the \"Android Applications\" rule.\n2. Add all digital signatures by wildcard (\".*\") to the \"Signature Blacklist\" setting in the \"Android Applications\" rule.",
"iacontrols": null,
"id": "V-80167",
"ruleID": "SV-94871r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Configure application install blacklist.",
"version": "KNOX-08-001000"
},
"V-80169": {
"checkid": "C-79837r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations based on one of the following characteristics:\n- Digital signature\n- Package name\n\nVerify all applications listed on the whitelist have been approved by the Authorizing Official (AO).\n\nThis validation procedure is performed only on the MDM Administration Console.\n\nOn the MDM console, do the following (perform Steps 1 and 2 or Steps 3 and 4):\n1. Ask the MDM Administrator to display the \"Package Name Whitelist\" in the \"Android Applications\" rule.\n2. Verify the whitelist includes only package names that the AO has approved.\nor\n3. Ask the MDM Administrator to display the \"Signature Whitelist\" in the \"Android Applications\" rule.\n4. Verify the whitelist includes only digital signatures the AO has approved.\n\nNote: Either list may be empty if the AO has not approved any apps.\n\nNote: Refer to the Supplemental document for additional information.\n\nIf the MDM console \"Package Name Whitelist\" or \"Signature Whitelist\" contains non-AO-approved entries, this is a finding.\n\nNote: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the app whitelist so that Google Play services can be updated:\n\n\u2022 com.android.vending\n\u2022 com.google.android.finsky\n\u2022 com.google.android.gm\n\u2022 com.google.android.gms\n\u2022 com.google.android.gsf.login\n\u2022 com.google.android.setupwizard\n\u2022 com.google.android.gsf",
"description": "The application whitelist, in addition to controlling the installation of applications on the mobile device (MD), must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the operating system (OS) by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nRequiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.\n\nThe application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86975r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox device to whitelist application installations based on one of the following characteristics:\n- Digital signature\n- Package name\n\nBoth whitelists apply to user-installable applications only and do not control user access/execution of core and pre-installed applications. To restrict user access/execution to core and pre-installed applications, the MDM Administrator must configure the \"application disable list\" (KNOX-08-000700).\n\nIt is important to note that if the MDM Administrator has not blacklisted an application characteristic (package name, digital signature), it is implicitly whitelisted, as whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and whitelist, the whitelist (as the exception to the blacklist) takes priority, and the user will be able to install the application. Therefore, the MDM Administrator must configure the blacklists (KNOX-08-001000) to include all package names and digital signatures for whitelisting to behave as intended. Note that some MDM vendors have implemented the Blacklist function described above behind the scenes, and there may not be a Blacklist function for the System Administrator to configure.\n\nNote: A digital signature entry admits every application signed with that signing key, not a single application. Where the AO has approved specific applications rather than a publisher, whitelisting by package name is the narrower control.\n\nOn the MDM console, do one of the following:\nAdd each AO-approved package name to the \"Package Name Whitelist\" in the \"Android Applications\" rule.\nor\nAdd each AO-approved digital signature to the \"Signature Whitelist\" in the \"Android Applications\" rule.\n\nNote: Either list may be empty if the AO has not approved any apps.\n\nNote: Refer to the Supplemental document for additional information.\n\nNote: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the app whitelist so that Google Play services can be updated:\n\n\u2022 com.android.vending\n\u2022 com.google.android.finsky\n\u2022 com.google.android.gm\n\u2022 com.google.android.gms\n\u2022 com.google.android.gsf.login\n\u2022 com.google.android.setupwizard\n\u2022 com.google.android.gsf",
"iacontrols": null,
"id": "V-80169",
"ruleID": "SV-94873r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: List of digital signatures or list of package names.",
"version": "KNOX-08-001300"
},
"V-80171": {
"checkid": "C-79839r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:\n\n- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Applications\" rule. \n2. Verify the \"Application disable list\" contains all pre-installed applications that back up MD data to non-DoD cloud servers.\n\nOn the Samsung Android 8 with Knox device, attempt to launch an application that is included on the disable list. The application should not be visible or launchable.\n\nIf the MDM console \"Application disable list\" is not properly configured or on the Samsung Android 8 with Knox device, the user is able to launch the applications on the list, this is a finding.\n\nNote: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.\n\nNote: The following application allows a user to configure a Samsung account on the device, which allows the user to back up files (including S Health data) to Samsung servers and download applications from the Samsung Apps (Galaxy Apps) store: Samsung Account application.\n\nNote: Refer to the Supplemental document for additional information.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the MD, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the operating system (OS) by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86977r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox application disable list to include applications with the following characteristics:\n\n- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).\n\nOn the MDM console, add all applications that back up MD data to non-DoD cloud servers (including user and application access to cloud backup services) to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.\n\nNote: Include Samsung accounts on the list.",
"iacontrols": null,
"id": "V-80171",
"ruleID": "SV-94875r1_rule",
"severity": "medium",
"title": "The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services).",
"version": "KNOX-08-001600"
},
"V-80173": {
"checkid": "C-79841r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:\n\n- voice assistant application if available when MD is locked.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Applications\" rule. \n2. Verify the list contains all applications that allow voice assistant when MD is locked.\n\nOn the Samsung Android 8 with Knox device, attempt to launch an application that is included on the disable list; the application should not be visible or launchable. Additionally, lock the device and confirm that the voice assistant cannot be invoked from the lock screen.\n\nIf the MDM console \"Application disable list\" is not properly configured or on the Samsung Android 8 with Knox device, the user is able to launch the applications on the list, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the MD, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the operating system (OS) by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86979r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox application disable list to include applications with the following characteristics:\n\n- voice assistant application if available when MD is locked.\n\nOn the MDM console, add all applications that provide voice assistant when MD is locked to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-80173",
"ruleID": "SV-94877r1_rule",
"severity": "medium",
"title": "The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice assistant application if available when mobile device (MD) is locked.",
"version": "KNOX-08-001700"
},
"V-80175": {
"checkid": "C-79843r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:\n\n- voice dialing application if available when MD is locked.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all applications that allow voice dialing when MD is locked.\n\nIf the MDM console \"Application disable list\" is not properly configured or on the Samsung Android 8 with Knox device, the user is able to launch the applications on the list, this is a finding.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device (MD), causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the OS by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86981r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox application disable list to include applications with the following characteristics:\n\n- voice dialing application if available when MD is locked.\n\nOn the MDM console, add all applications that provide voice dialing when MD is locked to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-80175",
"ruleID": "SV-94879r1_rule",
"severity": "medium",
"title": "The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice dialing application if available when MD is locked.",
"version": "KNOX-08-001800"
},
"V-80177": {
"checkid": "C-79845r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:\n\n- allows synchronization of data or applications between devices associated with user.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all applications that allow synchronization of data or applications between devices associated with user.\n\nIf the MDM console \"Application disable list\" is not properly configured or on the Samsung Android 8 with Knox device, the user is able to launch the applications on the list, this is a finding.\n\nNote: The following applications are known to be pre-installed applications that allow synchronization of data or applications between devices associated with user, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker, Microsoft OneDrive, and Microsoft OneNote.\n\nNote: Refer to the Supplemental document for additional information.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, (MD) causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the operating system (OS) by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86983r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox application disable list to include applications with the following characteristics:\n\n- allows synchronization of data or applications between devices associated with user.\n\nOn the MDM console, add all applications that allow synchronization of data or applications between devices associated with user to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-80177",
"ruleID": "SV-94881r1_rule",
"severity": "medium",
"title": "The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user.",
"version": "KNOX-08-001900"
},
"V-80179": {
"checkid": "C-79847r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:\n\n- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all applications that allow unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.\n\nIf the MDM console \"Application disable list\" is not properly configured or on the Samsung Android 8 with Knox device, the user is able to launch the applications on the list, this is a finding.\n\nNote: Refer to the Supplemental document for additional information.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the MD, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the operating system (OS) by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86985r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox application disable list to include applications with the following characteristics:\n\n- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.\n\nOn the MDM console, add all applications that allow unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-80179",
"ruleID": "SV-94883r1_rule",
"severity": "medium",
"title": "The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices (MDs) or printers.",
"version": "KNOX-08-002000"
},
"V-80181": {
"checkid": "C-79851r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has an application disable list configured to include applications with the following characteristics:\n\n- transmit MD diagnostic data to non-DoD servers.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Applications\" rule. \n2. Verify the list contains all applications that allow transmission of MD diagnostic data to non-DoD servers.\n\nOn the Samsung Android 8 with Knox device, attempt to launch an application that is included on the disable list. The application should not be visible or launchable.\n\nIf the MDM console \"Application disable list\" is not properly configured or on the Samsung Android 8 with Knox device, the user is able to launch the applications on the list, this is a finding.\n\nNote: Refer to the Supplemental document for additional information.",
"description": "Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the MD, causing a compromise of DoD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DoD data or have features with no known application in the DoD environment.\n\nApplication note: The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.\n\nCore application: Any application integrated into the operating system (OS) by the OS or MD vendors.\n\nPre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b",
"fixid": "F-86987r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox application disable list to include applications with the following characteristics:\n\n- transmit MD diagnostic data to non-DoD servers.\n\nOn the MDM console, add all applications that transmit MD diagnostic data to non-DoD servers to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-80181",
"ruleID": "SV-94885r1_rule",
"severity": "medium",
"title": "The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers.",
"version": "KNOX-08-002100"
},
"V-80183": {
"checkid": "C-79855r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has only approved application repositories (DoD-approved commercial app repository, MDM server, and/or mobile application store). \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Install Non Market App\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Apps\".\n3. Select \"Special access\" in the overflow menu.\n4. Select \"Install unknown apps\".\n5. Attempt to enable \"Allow from this source\" for any application.\n6. Verify it cannot be enabled.\n\nIf the MDM console \"Allow Install Non Market App\" check box is selected or on the Samsung Android 8 with Knox device, the user can successfully enable \"Allow from this source\" for an application, this is a finding.",
"description": "Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #8a",
"fixid": "F-86989r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable unauthorized application repositories.\n\nOn the MDM console, deselect the \"Allow Install Non Market App\" check box in the \"Android Restrictions\" rule.\n\nNote: Some MDM consoles may refer to \"Unknown Sources\" instead of \"Non Market App\".",
"iacontrols": null,
"id": "V-80183",
"ruleID": "SV-94887r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]: Disable unknown sources.",
"version": "KNOX-08-002900"
},
"V-80185": {
"checkid": "C-79857r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to add the MDM Client application to the Battery optimizations modes Whitelist.\n\nThis validation procedure is performed on the MDM Administration Console only.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Battery optimizations modes Whitelist\" setting in the \"Android Application\" rule. \n2. Verify the list contains the MDM Client.\n\nNote: Some MDM products automatically apply this setting and there is no configuration to verify.\n\nIf the MDM console \"Battery optimizations modes Whitelist\" does not contain the MDM Client, this is a finding.",
"description": "Doze and App Standby are power-saving features that extend battery life by deferring background CPU and network activity.\n\nIf the MDM Client is put into Doze or App Standby mode, the MDM Administrator may not be able to administrate the mobile device (MD).\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-86991r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to add the MDM Client application to the Battery optimizations modes Whitelist.\n\nOn the MDM console, add the MDM Client Package name to the \"Battery optimizations modes Whitelist\" in the \"Android Applications\" rule.\n\nNote: Some MDM products automatically apply this setting so there is no configuration setting to apply.\n\nNote: Some MDM consoles may require (or take as an optional input) the MDM Client Signature.",
"iacontrols": null,
"id": "V-80185",
"ruleID": "SV-94889r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the Battery optimizations modes Whitelist.",
"version": "KNOX-08-003200"
},
"V-80187": {
"checkid": "C-79859r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to disable Bixby Vision.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Application disable list\" setting in the \"Android Application\" rule. \n2. Verify the list contains all Bixby Vision-related packages.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the Samsung Camera application.\n2. Press the Bixby Vision \"eye\" icon.\n3. Verify Bixby does not start.\n\nIf the Samsung Android 8 with Knox device starts Bixby Vision when pressing the Bixby Vision \"eye\" icon, this is a finding.",
"description": "Bixby Vision's image and text recognition capabilities use cloud-based processing. This may leak sensitive DoD data.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-86993r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable Bixby Vision.\n\nOn the MDM console, add all packages associated with the Bixby Vision feature to the \"Application disable list\" setting in the \"Android Applications\" rule.\n\nNote: Refer to the Supplemental document for additional information.",
"iacontrols": null,
"id": "V-80187",
"ruleID": "SV-94891r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to: Disable Bixby Vision.",
"version": "KNOX-08-003500"
},
"V-80189": {
"checkid": "C-79861r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to enable the Audit Log.\n\nThis validation procedure is performed on the MDM Administration Console only.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Enable Audit Log\" check box in the \"Android Audit Log\" rule. \n2. Verify the check box is selected.\n\nIf the MDM console \"Enable Audit Log\" is not selected, this is a finding.",
"description": "Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. The Requirement Statement lists key events for which the system must generate an audit record.\n\nSFR ID: FAU_GEN.1.1 #8",
"fixid": "F-86995r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enable \"Audit Log\".\n\nOn the MDM console, select the \"Enable Audit Log\" check box in the \"Android AuditLog\" rule.",
"iacontrols": null,
"id": "V-80189",
"ruleID": "SV-94893r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Enable Audit Log.",
"version": "KNOX-08-004000"
},
"V-80191": {
"checkid": "C-79863r1_chk",
"checktext": "Review Samsung Android 8 with Knox settings to determine if Samsung Android 8 with Knox displays (work CONTAINER) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Notifications on lock screen\" settings in the \"Android Restrictions\" rule. \n2. Verify that the \"Hide content\" or \"Do not show notification\" setting is enabled and \"Show content\" setting is disabled.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Lock the device while there are notifications shown in the notification bar.\n2. Turn the display on and verify that notification contents are hidden (\"Hide content\") or that no notifications are shown (\"Do not show notification\") on the lock screen.\n\nIn the MDM console, if \"Show content\" is enabled and the Samsung Android 8 with Knox device allows notifications on the lock screen, this is a finding.",
"description": "Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the Samsung Android 8 with Knox to not send notifications to the lock screen mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #19",
"fixid": "F-86997r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to not display (work CONTAINER) notifications when the device is locked.\n\nOn the MDM console, enable \"Hide content\" or \"Do not show notification\" in the \"Notifications on lock screen\" setting in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80191",
"ruleID": "SV-94895r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to not display the following notifications when the device is locked: All notifications.",
"version": "KNOX-08-007300"
},
"V-80193": {
"checkid": "C-79865r1_chk",
"checktext": "Review a sample of site User Agreements of Samsung device users or similar training records and training course content. \n\nVerify Samsung device users have completed required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO.\n\nIf any Samsung device user is found not to have completed required training, this is a finding.",
"description": "The security posture of Samsung devices requires the device user to configure several required policy rules on their device. User Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Samsung mobile device may become compromised and DoD sensitive data may become compromised.\n\nSFR ID: NA",
"fixid": "F-86999r1_fix",
"fixtext": "Have all Samsung device users complete training on the following topics. Users should acknowledge they have reviewed training via a signed User Agreement or similar written record.\n\nTraining topics:\n\n- Operational security concerns introduced by unmanaged applications/unmanaged personal space including applications using global positioning system (GPS) tracking.\n- Need to ensure no DoD data is saved to the personal space or transmitted from a personal app (for example, from personal email).\n- If the Purebred key management app is used, users are responsible for maintaining positive control of their credentialed device at all times. The DoD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure a factory data reset is performed prior to device hand-off. Follow Mobility service provider decommissioning procedures as applicable. \n- How to configure the following UBE controls (users must configure the control) on the Samsung device:\n**Secure use of Calendar Alarm\n**Local screen mirroring and MirrorLink procedures (authorized/not authorized for use)\n**Disable Report Diagnostic Info and Google Usage & Diagnostics\n**Do not connect Samsung DeX Station to any DoD network via Ethernet connection\n**Do not upload DoD contacts via smart call and caller ID services\n**Do not remove DoD intermediate and root PKI digital certificates\n**Disable Wi-Fi Sharing\n**Do not configure a DoD network (work) VPN profile on any third-party VPN client installed in the personal space\n- AO guidance on acceptable use and restrictions, if any, on downloading and installing personal apps and data (music, photos, etc.) in the Samsung device personal space.",
"iacontrols": null,
"id": "V-80193",
"ruleID": "SV-94897r1_rule",
"severity": "medium",
"title": "Samsung Android 8 mobile device users must complete required training.",
"version": "KNOX-08-008100"
},
"V-80195": {
"checkid": "C-79867r1_chk",
"checktext": "Review Samsung DeX Station/Pad installations at the site and verify the stations are not connected to DoD networks via wired or wireless connections.\n\nIf Samsung DeX Station installations at the site are connected to DoD networks via wired or wireless connections, this is a finding.\n\nNote: Connections to a site's guest wired or wireless network that provides Internet-only access can be used.\n\nNote: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement.",
"description": "If the Samsung DeX Station/Pad multimedia dock is connected to a DoD network, the Samsung smartphone connected to the DeX Station will be connected to the DoD network as well. The Samsung smartphone most likely has a number of personal apps installed that may include malware or have high risk behaviors (for example, offload data from the phone to third-party servers outside the United States). In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.\n\nNote: The Samsung DeX Station will not work unless \"USB host storage\" is enabled (see requirement KNOX-08-015700 for more information).\n\nSFR ID: FMT_MOF_EXT.1.2 #47",
"fixid": "F-87001r1_fix",
"fixtext": "When using the DeX Station/Pad multimedia dock with a DoD Samsung smartphone, do not connect the DeX Station to a DoD network via a wired or wireless connection.\n\nNote: This setting cannot be managed by the MDM Administrator and is a UBE requirement.",
"iacontrols": null,
"id": "V-80195",
"ruleID": "SV-94899r1_rule",
"severity": "medium",
"title": "The Samsung DeX Station/Pad multimedia dock must not be connected directly to a DoD network.",
"version": "KNOX-08-008200"
},
"V-80197": {
"checkid": "C-79869r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing a minimum password length of six characters.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Minimum Length\" setting in the \"Android Password Restrictions\" rule. \n2. Verify the value of the setting is set to six or more characters.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Screen lock type\".\n4. Enter current password.\n5. Select \"Password\".\n6. Attempt to enter a password with fewer than six characters.\n7. Verify the password is not accepted.\n\nIf the MDM console \"Minimum Length\" setting is not set to six characters or more or on the Samsung Android 8 with Knox device, a password of less than six characters is accepted, this is a finding.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.\n\nSFR ID: FMT_SMF_EXT.1.1 #1a",
"fixid": "F-87003r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce a minimum password length of six characters.\n\nOn the MDM console, set the \"Minimum Length\" value to \"6\" or greater in the \"Android Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-80197",
"ruleID": "SV-94901r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to enforce a minimum password length of six characters.",
"version": "KNOX-08-008300"
},
"V-80199": {
"checkid": "C-79871r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is prohibiting passwords with more than two repeating or sequential characters. If feasible, use a spare device to try to create a password with more than two repeating or sequential characters (e.g., bbb, 888, hij, 654). \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Maximum Sequential Characters\" setting in the \"Android Password Restrictions\" rule. \n2. Verify the value of the setting is set to two or fewer sequential characters.\n3. Ask the MDM Administrator to display the \"Maximum Sequential Numbers\" setting in the \"Android Password Restrictions\" rule. \n4. Verify the value of the setting is set to two or fewer sequential characters.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Screen lock type\".\n4. Enter current password.\n5. Select \"Password\".\n6. Attempt to enter a password that contains more than two sequential characters or sequential numbers.\n7. Verify the password is not accepted.\n\nIf the MDM console \"Maximum Sequential Character\" and \"Maximum Sequential Number\" are set to more than two repeating or sequential characters or on the Samsung Android 8 with Knox device, a password with more than two repeating or sequential characters is accepted, this is a finding.",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #1b",
"fixid": "F-87005r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to prevent passwords from containing more than two repeating or sequential characters.\n\nOn the MDM console, do the following:\n1. Set the \"Maximum Sequential Characters\" value to \"2\" in the \"Android Password Restrictions\" rule.\n2. Set the \"Maximum Sequential Numbers\" value to \"2\" in the \"Android Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-80199",
"ruleID": "SV-94903r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters.",
"version": "KNOX-08-008600"
},
"V-80201": {
"checkid": "C-79873r2_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has been configured with a minimum password complexity.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following: \n1. Ask the MDM Administrator to display the \"Minimum Password Complexity\" setting in the \"Android Restrictions\" rule. \n2. Verify the setting is \"PIN\" (see note).\n\nOn the Samsung Android 8 with Knox device, do the following: \n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Screen lock type\".\n4. Verify \"Swipe\", \"Pattern\", and \"None\" are disabled (grayed out) and cannot be enabled.\n\nIf the MDM console \"Minimum Password Complexity\" is not configured to \"PIN\" or on the Samsung Android 8 with Knox device, the user can enable the setting, this is a finding.\n\nNote: Some MDM consoles may display \u201cNumeric\u201d and \u201cNumeric-Complex\u201d instead of \u201cPIN\u201d. Either selection is acceptable but \u201cNumeric-Complex\u201d is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections, but these selections will cause the user to select a complex password, which is not required by the STIG.\n",
"description": "Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. A minimum level of complexity is needed to ensure a simple password or easily guessed password is not used.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87007r2_fix",
"fixtext": "Configure Samsung Android 8 with Knox to have a minimum password complexity.\n\nOn the MDM console, configure \"Minimum Password Complexity\" to \"PIN\" in the \"Android Password Restrictions\" rule. \n\nNote: Some MDM consoles may display \u201cNumeric\u201d and \u201cNumeric-Complex\u201d instead of \u201cPIN\u201d. Either selection is acceptable but \u201cNumeric-Complex\u201d is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections, but these selections will cause the user to select a complex password, which is not required by the STIG. \n",
"iacontrols": null,
"id": "V-80201",
"ruleID": "SV-94905r2_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Configure minimum password complexity.",
"version": "KNOX-08-008800"
},
"V-80203": {
"checkid": "C-79875r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to lock the screen after 15 minutes (or less) of inactivity. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Maximum Time to Lock\" setting in the \"Android Password Restrictions\" rule. \n2. Verify the value of the setting is the organization-defined value minus the maximum screen timeout or less. In this case, with Android 8, the value of the setting must be 5 minutes or less.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Unlock the device. \n2. Refrain from performing any activity on the device for 15 minutes.\n3. Verify the device requires the user to enter the device unlock password to access the device.\n\nIf the MDM console \"Maximum Time to Lock\" is not set to 5 minutes or less for the lock timeout or on the Samsung Android 8 with Knox device, if after 15 minutes of inactivity the user does not have to enter a password to unlock the device, this is a finding.\n\nNote: This value defines the amount of time from when the screen turns off until the device locks. Since the maximum screen timeout a user can select on Android 8 is 10 minutes, a 5-minute or less lock time value fulfills this requirement.",
"description": "The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.\n\nSFR ID: FMT_SMF_EXT.1.1 #2a, 2b",
"fixid": "F-87009r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to lock the device display after 15 minutes (or less) of inactivity.\n\nOn the MDM console, configure the \"Maximum Time to Lock\" option to 15 minutes in the \"Android Password Restrictions\" rule.\n\nNote: On some devices the max time to lock is the sum of the display screen timeout setting and the secured lock time setting on the device. On MDM configuration, the device makes a choice for these settings so that the sum is 15 minutes or less.",
"iacontrols": null,
"id": "V-80203",
"ruleID": "SV-94907r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity.",
"version": "KNOX-08-009100"
},
"V-80205": {
"checkid": "C-79877r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has the maximum number of consecutive failed authentication attempts set to \"10\" or fewer. \n\nThis validation procedure is performed on the MDM Administration Console only.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Maximum Failed Attempts for wipe\" field in the \"Android Password Restrictions\" rule for the device unlock password.\n2. Verify the value of the setting is set to \"10\" or fewer.\n\nIf the MDM console \"Maximum Failed Attempts for wipe\" is not set to \"10\" or fewer, this is a finding.",
"description": "The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or fewer gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.\n\nSFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5",
"fixid": "F-87011r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to allow only 10 or fewer consecutive failed authentication attempts.\n\nOn the MDM console, set the \"Maximum Failed Attempts for wipe\" to \"10\" or fewer in the \"Android Password Restrictions\" rule for the device unlock password.",
"iacontrols": null,
"id": "V-80205",
"ruleID": "SV-94909r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts.",
"version": "KNOX-08-009400"
},
"V-80207": {
"checkid": "C-79879r1_chk",
"checktext": "Review documentation on Samsung Android 8 with Knox and inspect the configuration on Samsung Android 8 with Knox to disable Trust Agents.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Minimum Password Complexity\" setting in the \"Android Password Restrictions\" rule. \n2. Verify the settings are \"Alphanumeric\".\n3. Ask the MDM Administrator to display the \"Disable Keyguard Trust Agents\" check box in the \"Android Password Restrictions\" rule. \n4. Verify the check box is selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Other security settings\".\n4. Select \"Trust agents\".\n5. Verify all Trust Agents are disabled (grayed out) and cannot be enabled.\n\nIf the MDM console \"Disable Keyguard Trust Agents\" check box is not selected, or if \"Minimum Password Complexity\" is not configured to \"Alphanumeric\", or on the Samsung Android 8 with Knox device, the user can enable the settings, this is a finding.",
"description": "Trust Agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.\n\nSFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1",
"fixid": "F-87013r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint, iris, face, voice, or hybrid authentication factor) unless the mechanism is DoD approved.\n\nConfigure Samsung Android 8 with Knox to disable Trust Agents.\n\nOn the MDM console, select the \"Disable Keyguard Trust Agents\" setting in the \"Android Password Restrictions\" rule.\n\nNote: Disabling Trust Agents will disable Smart Lock.",
"iacontrols": null,
"id": "V-80207",
"ruleID": "SV-94911r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, hybrid authentication factor: Disable Trust Agents.\n\nNote: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the products Common Criteria evaluation (fingerprint and iris scan are allowed).",
"version": "KNOX-08-010300"
},
"V-80209": {
"checkid": "C-79881r1_chk",
"checktext": "Review documentation on Samsung Android 8 with Knox and inspect the configuration on Samsung Android 8 with Knox to disable Face Recognition.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Minimum Password Complexity\" setting in the \"Android Restrictions\" rule. \n2. Verify the settings are \"Alphanumeric\".\n3. Ask the MDM Administrator to display the \"Face recognition\" and \"Iris Scanner\" check box in the \"Password Policy\" rule. \n4. Verify at least one of the check boxes is deselected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Screen lock type\".\n4. Enter PIN.\n5. \"Intelligent Scanning\" will be grayed out.\n\nIf on the MDM console the \"Face recognition\" check box or the \"Iris Scanner\" check box is not deselected or on the Samsung 8 mobile device in the \"Password Policy\" rule \"Intelligent Scanning\" is not grayed out, this is a finding.",
"description": "The Intelligent Scanning feature allows a user's face and iris to be registered and used such that either authentication method returning a match will unlock the device.\n\nIntelligent Scanning combines the known weaknesses of iris and face scanning that could allow adversaries to unlock and gain access to the device.\n\nDisabling this feature will mitigate this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1",
"fixid": "F-87015r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint, iris, face, voice, or hybrid authentication factor), unless the mechanism is DoD approved.\n\nOn the MDM console, deselect the \"Face\" or \"Iris\" check box in the \"Android Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-80209",
"ruleID": "SV-94913r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Intelligent Scanning.\n\nNote: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).",
"version": "KNOX-08-010800"
},
"V-80211": {
"checkid": "C-79883r2_chk",
"checktext": "Review documentation on Samsung Android 8 with Knox and inspect the configuration on Samsung Android 8 with Knox to disable Face Recognition.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Minimum Password Complexity\" setting in the \"Android Restrictions\" rule. \n2. Verify the settings are \"Alphanumeric\".\n3. Ask the MDM Administrator to display the \"Face recognition\" check box in the \"Password Policy\" rule. \n4. Verify the check box is deselected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Screen lock type\".\n4. Enter PIN.\n5. \"Face recognition\" will be grayed out.\n\nIf on the MDM console the \"Face recognition\" check box is not deselected or on the Samsung Android 8 with Knox device \"Face recognition\" is not grayed out, this is a finding.",
"description": "The Face Recognition feature allows a user's face to be registered and used to unlock the device. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.\n\nSFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1",
"fixid": "F-87017r1_fix",
"fixtext": "Configure the mobile operating system to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint, iris, face, voice, or hybrid authentication factor) unless the mechanism is DoD approved.\n\nOn the MDM console, deselect the \"Face\" check box in the \"Android Password Restrictions\" rule.",
"iacontrols": null,
"id": "V-80211",
"ruleID": "SV-94915r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Face Recognition.\n\nNote: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).",
"version": "KNOX-08-011000"
},
"V-80213": {
"checkid": "C-79885r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing disabled automatic completion of browser text input. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Auto-Fill\" check box in the \"Browser Restrictions\" rule. \n2. Verify the check box is not set.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Launch the browser application.\n2. Select the application's setting menu.\n3. Select \"Auto fill profile\".\n4. Select \"Auto fill profile\" and attempt to create a profile.\n5. Select \"Privacy\" from the setting menu.\n6. Attempt to enable \"Save sign-in info\".\n\nIf the MDM console \"Allow Auto-Fill\" check box is set or on the Samsung Android 8 with Knox device, the user is able to successfully create a profile or enable \"Save sign-in info\", this is a finding.",
"description": "The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of auto-fill functionality, an adversary who learns a user's Samsung Android 8 with Knox device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the auto-fill feature to provide information unknown to the adversary. By disabling the auto-fill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87019r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce disabled automatic completion of browser text input. \n\nOn the MDM console, deselect the \"Allow Auto-Fill\" check box in the \"Browser Restrictions\" rule.",
"iacontrols": null,
"id": "V-80213",
"ruleID": "SV-94917r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Disable automatic completion of browser text input.",
"version": "KNOX-08-012700"
},
"V-80215": {
"checkid": "C-79887r1_chk",
"checktext": "Note: This requirement is only applicable for tablet devices.\n\nReview documentation on Samsung Android 8 with Knox and inspect the configuration on Samsung Android 8 with Knox to disable multi-user modes.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow multi-user mode\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Attempt to add a user in the \"User\" setting.\n3. Verify that the \"User\" setting is not available.\n\nIf the MDM console \"Allow multi-user mode\" check box is selected or on the Samsung Android 8 with Knox device, the user is able to add a user, this is a finding.",
"description": "Multi-user mode allows multiple users to share a mobile device by providing a degree of separation between user data. To date, no mobile device with multi-user mode features meets DoD requirements for access control, data separation, and non-repudiation for user accounts. In addition, the MDFPP does not include design requirements for multi-user account services. Disabling multi-user mode mitigates the risk of not meeting DoD multi-user account security policies.\n\nSFR ID: FMT_SMF_EXT.1.1 #47b",
"fixid": "F-87021r1_fix",
"fixtext": "Note: This requirement is only applicable for tablet devices.\n\nConfigure the Samsung Android 8 with Knox to disable multi-user modes.\n\nOn the MDM console, deselect the \"Allow multi-user mode\" setting in the \"Android MultiUser\" rule.",
"iacontrols": null,
"id": "V-80215",
"ruleID": "SV-94919r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to disable multi-user modes.",
"version": "KNOX-08-013000"
},
"V-80217": {
"checkid": "C-79889r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the device disables automatic transfer of diagnostic data to an external server other than an MDM service with which the device has enrolled.\n\nDisabling automatic transfer of diagnostic data to an external device on Samsung Android 8 with Knox involves three steps: \n1. Disable Google Crash report.\n2. Disable Report diagnostic information. \n3. Disable Google Usage and diagnostics. \n\nThis validation procedure covers the first of these steps. This validation procedure is performed on the MDM Administration Console only.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Google Crash Report\" check box in the \"Android Restrictions\" rule. \n2. Verify the setting is not selected.\n\nIf the MDM console \"Allow Google Crash Report\" check box is selected, this is a finding.",
"description": "Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach Samsung Android 8 with Knox security. Disabling automatic transfer of such information mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1#47a",
"fixid": "F-87023r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.\n\nConfigure the mobile operating system to disable Google Crash Report.\n\nOn the MDM console, deselect the \"Allow Google Crash Report\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80217",
"ruleID": "SV-94921r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.",
"version": "KNOX-08-013200"
},
"V-80219": {
"checkid": "C-79891r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the device disables automatic transfer of diagnostic data to an external server other than an MDM service with which the device has enrolled.\n\nDisabling automatic transfer of diagnostic data to an external device on Samsung Android 8 with Knox involves three steps: \n1. Disable Google Crash report.\n2. Disable Report diagnostic info. \n3. Disable Google Usage and diagnostics. \n\nThis validation procedure covers the second of these steps. This validation procedure is performed on the Samsung Android 8 with Knox only.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"General management\".\n3. Verify the \"Report diagnostic info\" setting is off.\n\nIf the Samsung Android 8 with Knox device \"Report diagnostic information\" setting is enabled, this is a finding.\n\nNote: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement.",
"description": "Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach Samsung Android 8 with Knox security. Disabling automatic transfer of such information mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1#47a",
"fixid": "F-87025r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.\n\nConfigure the mobile operating system to disable Report diagnostic information.\n1. Open the device settings.\n2. Select \"General management\".\n3. Uncheck the \"Report diagnostic info\" setting.",
"iacontrols": null,
"id": "V-80219",
"ruleID": "SV-94923r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report Diagnostic Info.",
"version": "KNOX-08-013300"
},
"V-80221": {
"checkid": "C-79893r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the device disables automatic transfer of diagnostic data to an external server other than an MDM service with which the device has enrolled.\n\nDisabling automatic transfer of diagnostic data to an external device on Samsung Android 8 with Knox involves three steps: \n1. Disable Google Crash report.\n2. Disable Report diagnostic info. \n3. Disable Google Usage and diagnostics. \n\nThis validation procedure covers the third of these steps. This validation procedure is performed on the Samsung Android 8 with Knox only.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Google\".\n3. Select \"Usage & diagnostics\" in the overflow menu.\n4. Verify the setting is off.\n\nIf the Samsung Android 8 with Knox \"Usage & diagnostics\" setting is enabled, this is a finding.\n\nNote: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement.",
"description": "Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach Samsung Android 8 with Knox security. Disabling automatic transfer of such information mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1#47a",
"fixid": "F-87027r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.\n\nConfigure the mobile operating system to disable Google Usage & diagnostics.\n1. Open the device settings.\n2. Select \"Google\".\n3. Select \"Usage & diagnostics\" in the overflow menu.\n4. Uncheck the setting.",
"iacontrols": null,
"id": "V-80221",
"ruleID": "SV-94925r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics.",
"version": "KNOX-08-013500"
},
"V-80223": {
"checkid": "C-79895r1_chk",
"checktext": "Review documentation on Samsung Android 8 with Knox and inspect the configuration on Samsung Android 8 with Knox to disable all Bluetooth profiles except for HSP, HFP, and SPP. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allowed Bluetooth Profiles\" settings in the \"Android Bluetooth\" rule. \n2. Verify the only profiles selected are HSP, HFP, and SPP.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Attempt to pair a Bluetooth peripheral that uses profiles other than HSP, HFP, and SPP (e.g., a Bluetooth keyboard).\n2. Verify the Bluetooth peripheral does not pair with the Samsung Android 8 with Knox device.\n\nIf the MDM console \"Allowed Bluetooth Profiles\" is set to profiles other than HSP, HFP, and SPP or the Samsung Android 8 with Knox device is able to pair with a Bluetooth keyboard, this is a finding.\n\nNote: Disabling the Bluetooth radio will satisfy this requirement.",
"description": "Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled.\n\nSFR ID: FMT_SMF_EXT.1.1 #18h",
"fixid": "F-87029r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to disable all Bluetooth profiles except for HSP, HFP, and SPP.\n\nOn the MDM console, ensure that all options are deselected except HFP, HSP, and SPP in the \"Allowed Bluetooth Profiles\" setting in the \"Android Bluetooth\" rule.",
"iacontrols": null,
"id": "V-80223",
"ruleID": "SV-94927r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).",
"version": "KNOX-08-013900"
},
"V-80225": {
"checkid": "C-79897r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to disallow new admin installations. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Prevent New Admin Install\" check box in the \"Android Advanced Restrictions\" rule. \n2. Verify the check box is selected.\n\nNote: With some MDM consoles, this policy is automatically configured when the user enrolls with the MDM.\n\nNote: Android Device Manager must first be disabled on the device in order to successfully apply this policy. This can only be done manually on the device by selecting \"Lock screen and security\", \"Other security settings\", and \"Device admin apps\" and then disabling Android Device Manager.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Attempt to install an application that requires admin permissions.\n2. Verify the application is blocked from being installed.\n\nIf the MDM console \"Prevent New Admin Install\" check box is not selected or on the Samsung Android 8 with Knox device, the user is able to install another application requiring admin permissions on the device, this is a finding.",
"description": "An application with Administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, this will allow another MDM Administrator (assuming it has the proper Knox licenses) the ability to configure potentially conflicting policies on the device that may not meet DoD security requirements. Although an MDM cannot disable another MDM's policies or remove another MDM from the device, there is the potential of creating policies that could conflict with enterprise policies. Therefore, other applications requesting Administrator permissions should be blocked from installation.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87031r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to disallow new admin installations. \n\nOn the MDM console, select the \"Prevent New Admin Install\" check box in the \"Android Advanced Restrictions\" rule.",
"iacontrols": null,
"id": "V-80225",
"ruleID": "SV-94929r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Disable Allow New Admin Install.",
"version": "KNOX-08-014100"
},
"V-80227": {
"checkid": "C-79899r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to Disable Admin Remove.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Admin Remove\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Other security settings\".\n4. Select \"Device admin apps\".\n5. Verify the enterprise MDM agent is on and cannot be turned off.\n\nIf the MDM console \"Allow Admin Remove\" check box is selected or on the Samsung Android 8 with Knox device, the enterprise MDM agent in \"Device admin apps\" can be turned off, this is a finding.",
"description": "DoD policy requires DoD mobile devices to be managed via a mobile device management service. If Admin Remove is not disabled, the mobile device user can remove the Administrator (MDM) from the device.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87033r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to Disable Admin Remove.\n\nOn the MDM console, deselect the \"Allow Admin Remove\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80227",
"ruleID": "SV-94931r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Disable Admin Remove.",
"version": "KNOX-08-014200"
},
"V-80229": {
"checkid": "C-79901r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to disable S Voice. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow S Voice\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Applications\".\n3. Verify the S Voice application cannot be selected.\n\nIf the MDM console \"Allow S Voice\" check box is selected or on the Samsung Android 8 with Knox device, the S Voice application can be launched, this is a finding.",
"description": "On Samsung Android 8 with Knox devices, users may be able to access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack. The Authorizing Official (AO) may waive this requirement with written notice if the operational environment requires this capability.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87035r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to disable S Voice.\n\nOn the MDM console, deselect the \"Allow S Voice\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80229",
"ruleID": "SV-94933r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Disable S Voice.",
"version": "KNOX-08-014700"
},
"V-80231": {
"checkid": "C-79903r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has a USB mass storage mode and whether it has been disabled.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule. \n2. Verify the \"Disable USB Media Player\" check box is selected. \n\nNote: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).\n\nOn the Samsung Android 8 with Knox device, connect the device to a PC USB connection.\n\nNote: Do not use a DoD network-managed PC for this test!\n\nOn the PC:\nVerify the device is not shown in the PC finder.\n\nIf the MDM console \"Disable USB Media Player\" is not set to disable USB mass storage mode or with the Samsung Android 8 with Knox device, it is shown as a USB mass storage device on the PC, this is a finding.",
"description": "USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #39a",
"fixid": "F-87037r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable USB mass storage mode.\n\nOn the MDM console, select the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80231",
"ruleID": "SV-94935r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to disable USB mass storage mode.",
"version": "KNOX-08-015000"
},
"V-80233": {
"checkid": "C-79905r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing CC mode. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"CC Mode State\" settings in the \"Android Advanced Restrictions\" rule. \n2. Verify the value is \"Enabled\".\n3. Verify all the prerequisites have been met.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"About Device\".\n3. Select \"Software info\". (Note: On some devices, this step is not needed.)\n4. Verify the value of \"Security software version\" does not display \"Disabled\".\n\nIf the MDM console \"CC Mode State\" is not set to \"Enabled\" with all prerequisites met or on the Samsung Android 8 with Knox device, \"Security software version\" displays \"Disabled\", this is a finding.",
"description": "CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the mobile device is more at risk of being compromised if lost or stolen. In addition, if CC mode is not implemented, the device will not be operating in the NIAP-certified compliant CC mode of operation. \n\nCC mode implements the following controls:\n- Enables the OpenSSL FIPS crypto library;\n- Sets the password failure settings to wipe the device to \"5\" (5 failed consecutive attempts will wipe the device); and\n- Disables ODIN mode (download mode).\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87039r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce CC mode.\n\nOn the MDM console, enable the \"Enable CC mode\" setting in the \"Android Advanced Restrictions\" rule.\n\nNote: Before applying CC policy, the CC mode state will be \"Ready\". Once policy is applied, the state will change to \"Enabled\" even if the device does not meet all the prerequisites. \n\nTo be fully CC compliant, the Administrator must ensure all prerequisites are met.\n\nIf the device is tampered with, a self-test failed, or some other error has occurred, the state will change to \"Disabled\". \n\nNote: To fully enable CC mode, the prerequisites below should be satisfied:\n1. Enable Device Encryption.\n2. Enable Secure Startup.\n3. Enable SD Card Encryption.\n4. Set maximum Password Attempts before Wipe.\n5. Enable Certificate Revocation.\n6. Disable Password History.\n7. Disable Face Recognition.\n8. Set password \"Alphanumeric\".",
"iacontrols": null,
"id": "V-80233",
"ruleID": "SV-94937r2_rule",
"severity": "high",
"title": "Samsung Android 8 with Knox must implement the management setting: Enable CC mode.",
"version": "KNOX-08-015300"
},
"V-80235": {
"checkid": "C-79907r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to disable manual date and time changes.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Date Time Changes Enabled\" check box in the \"Android Date Time\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"General management\".\n3. Select \"Date and time\".\n4. Verify \"Automatic date and time\" is on.\n5. Verify a user cannot turn off \"Automatic date and time\".\n\nIf the MDM console \"Date Time Changes Enabled\" is set or on the Samsung Android 8 with Knox device, \"Automatic date and time\" is not set or the user is able to turn off this option, this is a finding.",
"description": "Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nPeriodically synchronizing internal clocks with an authoritative time source is needed in order to correctly correlate the timing of events that occur across the enterprise. The three authoritative time sources for Samsung Android 8 with Knox are an authoritative time server that is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet or SIPRNet), or the Global Positioning System (GPS), or the wireless carrier.\n\nTime stamps generated by the audit system in Samsung Android 8 with Knox must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87041r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable manual date and time changes.\n\nOn the MDM console, deselect the \"Date Time Changes Enabled\" check box in the \"Android Date Time\" rule.",
"iacontrols": null,
"id": "V-80235",
"ruleID": "SV-94939r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Disable Manual Date Time Changes.",
"version": "KNOX-08-015500"
},
"V-80237": {
"checkid": "C-79909r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to disable USB host modes.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \u201cUSB exception list\u201d setting in the \u201cAndroid Restrictions\u201d rule.\n2. Verify only the HID USB class is selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Connect a Micro USB to USB OTG adapter to the device.\n2. Connect a USB thumb drive to the adapter.\n3. Verify the device cannot access the USB thumb drive.\n\nIf the MDM console \u201cUSB exception list\u201d setting has non-HID USB classes selected or on the Samsung Android 8 with Knox device, the user is able to access the USB thumb drive from the device, this is a finding.",
"description": "The USB host mode feature allows select USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. Disabling this feature mitigates the risk of compromising sensitive DoD data. \n\nNote: The USB HID host must be whitelisted in order to use the DeX Station.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87043r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable USB host modes.\n\nOn the MDM console, select the HID USB class in the \u201cUSB host mode exception list\u201d setting in the \u201cAndroid Restrictions\u201d rule.",
"iacontrols": null,
"id": "V-80237",
"ruleID": "SV-94941r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: USB host mode whitelist.",
"version": "KNOX-08-015700"
},
"V-80239": {
"checkid": "C-79911r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing disabling of \"Share Via List\".\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM administrator to display the \"Allow Share Via List\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, open an item that can be shared (for example, a picture in the Gallery), select share, and attempt to send it to a nearby device using one of the \"Share Via List\" methods (Android Beam, Wi-Fi Direct, Link Sharing, or Share to Device). Verify these sharing options are not available.\n\nIf the MDM console \"Allow Share Via List\" is selected or on the Samsung Android 8 with Knox device, the user is able to successfully share an item with a nearby device using one of these methods, this is a finding.",
"description": "The \"Share Via List\" feature allows the transfer of data between nearby Samsung devices via Android Beam, Wi-Fi Direct, Link Sharing, and Share to Device. If sharing were enabled, sensitive DoD data could be compromised.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87045r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enforce disabling \"Share Via List\".\n\nOn the MDM console, deselect the \"Allow Share Via List\" check box in the \"Android Restrictions\" rule. \n\nNote: Disabling \"Share Via List\" will also disable functionality such as \"Gallery Sharing\" and \"Direct Sharing\".",
"iacontrols": null,
"id": "V-80239",
"ruleID": "SV-94943r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Configure disable Share Via List.",
"version": "KNOX-08-015950"
},
"V-80241": {
"checkid": "C-79913r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is enforcing disabling of Android Beam.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM administrator to display the \"Allow Android Beam\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, open a picture, contact, or webpage and put it back to back with an unlocked Android Beam-enabled device. Verify Android Beam cannot be started.\n\nIf the MDM console \"Allow Android Beam\" is selected or on the Samsung Android 8 with Knox device, the user is able to successfully start Android Beam, this is a finding.",
"description": "Android Beam allows transfer of data through NFC and Bluetooth by touching two unlocked devices together. If it were enabled, sensitive DoD data could be transmitted.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87047r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to enforce disabling \"Android Beam\".\n\nOn the MDM console, deselect the \"Allow Android Beam\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80241",
"ruleID": "SV-94945r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Disable Android Beam.",
"version": "KNOX-08-016000"
},
"V-80243": {
"checkid": "C-79915r1_chk",
"checktext": "If the feature is not present as described on a specific device model, this requirement is Not Applicable (NA).\n\nReview documentation on the Samsung Android 8 with Knox and inspect the configuration on the Samsung Android 8 with Knox to disable upload of DoD contact information.\n\nThis validation procedure is performed on the Samsung Android 8 with Knox device only.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the \"Phone\" app.\n2. Open the \"Settings\" via the overflow menu.\n3. Open \"Caller ID and spam protection\".\n4. Verify that \"Share name and phone number\" is \"Off\".\n5. Open the device settings.\n6. Select \"Apps\".\n7. Verify no smart call and caller ID applications in the list are set to upload contact information.\n\nIf the Samsung Android 8 with Knox device \"Share name and phone number\" is not set to \"Off\" or an application is set to upload contact information, this is a finding.\n\nNote: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement.",
"description": "Caller ID and spam protection apps let a user know who is calling even when the number is not on the user's contact list by using an online service to do the lookup. Users can also upload their and their contacts' names and numbers into an online service.\n\nThis could allow potentially DoD sensitive data, such as names and telephone numbers, to be compromised.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87049r1_fix",
"fixtext": "If the feature is not present as described on a specific device model, this requirement is Not Applicable (NA).\n\nConfigure Samsung Android 8 with Knox to disable upload of DoD contact information.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the \"Phone\" app.\n2. Open the \"Settings\" via the overflow menu.\n3. Open \"Caller ID and spam protection\".\n4. Set \"Share name and phone number\" to \"Off\".\n5. Open the device settings.\n6. Select \"Apps\".\n7. For each smart call and caller ID application in the list, disable any option that uploads contact information.\n\nNote: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement; the steps above must be performed on the device.\n\nNote: On the Samsung Android 8 with Knox device, Smart Call is disabled by default.",
"iacontrols": null,
"id": "V-80243",
"ruleID": "SV-94947r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to: Disable upload of DoD contact information.",
"version": "KNOX-08-016500"
},
"V-80245": {
"checkid": "C-79917r1_chk",
"checktext": "Verify Wi-Fi Sharing is disabled or alternately, the \"Wi-Fi Tethering/Mobile Hotspot\" control is disabled.\n\nDetermine if the Authorizing Official (AO) has approved Wi-Fi Tethering/Mobile Hotspot use. Written approval must be presented for verification of AO approval.\n\nIf there is no written AO approval for Wi-Fi Tethering/Mobile Hotspot use, do the following:\nOn the MDM console, verify the \"Wi-Fi Tethering/Mobile Hotspot\" control is disabled in the \"WiFi Policy\" rule.\n\nIf the AO has approved Wi-Fi Tethering/Mobile Hotspot use, do the following:\nOn a sample of site Samsung devices, go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile Hotspot and verify \"Wi-Fi Sharing\" is turned off.\n\nNote: This setting cannot be managed by the MDM Administrator and is a User Based Enforcement (UBE) requirement.\n\nIf the AO has not approved Wi-Fi Tethering/Mobile Hotspot use and on the MDM console the \"Wi-Fi Tethering/Mobile Hotspot\" control is not disabled in the \"WiFi Policy\" rule, this is a finding.\n\nIf the AO has approved Wi-Fi Tethering/Mobile Hotspot use and the \"Wi-Fi Sharing\" setting on a Samsung device is turned on, this is a finding.",
"description": "Wi-Fi Tethering allows a device to act as an Access Point, sharing its data connection with other wirelessly connected devices. Previously the device could only share its mobile (cellular) data connection. On the Device menus, this is referred to as \"Mobile Hotspot\". The new feature is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection.\n\nWi-Fi sharing grants the \"other\" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a pre-shared key for personal hotspots.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87051r1_fix",
"fixtext": "Disable Wi-Fi Sharing using one of the following methods:\n\n1. If the AO has not approved hotspot tethering for site Samsung devices, on the MDM console, select the \"Disable Wi-Fi Tethering/Mobile Hotspot\" check box in the \"WiFi Policy\" rule.\n\n2. If the AO has approved hotspot tethering for site Samsung devices, on the Samsung device, go to Settings >> Connections >> Mobile Hotspot and Tethering >> Mobile hotspot. Turn off \"Wi-Fi Sharing\" if it is enabled. \n\nNote: Method 2 cannot be enforced by the MDM Administrator and is a User Based Enforcement (UBE) requirement.\n\nNote: Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. Wi-Fi Sharing is disabled by default.",
"iacontrols": null,
"id": "V-80245",
"ruleID": "SV-94949r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox for Android must implement the management setting: Disable Samsung Wi-Fi Sharing.",
"version": "KNOX-08-016800"
},
"V-80247": {
"checkid": "C-79919r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the capability to back up to a remote system has been disabled. \n\nThis validation procedure is performed on the MDM Administration Console and the Samsung device:\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Google Accounts Auto Sync\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n3. View the \"application disable list\".\n4. Verify the list contains all pre-installed cloud backup applications.\n\nOn the Samsung Android 8 with Knox device:\n1. Attempt to launch a cloud backup application located on the device.\n2. Verify the application will not launch.\n\nIf the MDM console \"Allow Google Accounts Auto Sync\" check box is selected, this is a finding.\n\nIf the \"Application disable list\" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if on the Samsung Android 8 with Knox device the user is able to successfully launch a cloud backup application on this list, this is a finding.",
"description": "Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Samsung Android 8 with Knox. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-87053r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to disable backup to remote systems (including commercial clouds).\n\nOn the MDM console, do the following: \n1. Deselect the \"Allow Google Accounts Auto Sync\" check box in the \"Android Restrictions\" rule.\n2. List all pre-installed public cloud backup applications in the application disable list.",
"iacontrols": null,
"id": "V-80247",
"ruleID": "SV-94951r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.",
"version": "KNOX-08-017100"
},
"V-80249": {
"checkid": "C-79921r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the capability to back up to a locally connected system has been disabled. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule. \n2. Verify the \"Disable USB Media Player\" check box is selected. \n\nNote: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).\n\nOn the Samsung Android 8 with Knox device, connect the device to a PC USB connection.\n\nNote: Do not use a DoD network-managed PC for this test!\n\nOn the PC:\n1. Install and launch Samsung Smart Switch (Note: Samsung KIES for older devices) on the PC.\n2. Verify the device does not connect with the Samsung Smart Switch program.\n\nIf the MDM console \"Disable USB Media Player\" check box is not selected or on the Samsung Android 8 with Knox device, the device connects with the Samsung Smart Switch or KIES program, this is a finding.",
"description": "Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-87055r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable backup to locally connected systems.\n\nOn the MDM console, select the \"Disable USB Media Player\" check box in the \"Android Restrictions\" rule.\n\nNote: Disabling USB Media Player will also disable USB MTP, USB mass storage, and USB vendor protocol (Smart Switch, KIES).",
"iacontrols": null,
"id": "V-80249",
"ruleID": "SV-94953r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems.",
"version": "KNOX-08-017300"
},
"V-80251": {
"checkid": "C-79923r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the capability to back up to a remote system has been disabled. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Google Backup\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Accounts\".\n3. Select \"Backup and restore\".\n4. Verify \"Back up my data\" is disabled and cannot be enabled.\n\nIf the MDM console \"Allow Google Backup\" check box is selected or on the Samsung Android 8 with Knox device, the user can enable \"Back up my data\", this is a finding.",
"description": "Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Samsung Android 8 with Knox. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. Google Backup is a device-wide control and, if enabled, will back up both personal and Knox data to personal Google cloud storage accounts.\n\nSFR ID: FMT_SMF_EXT.1.1 #40",
"fixid": "F-87057r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to disable backup to remote systems (including commercial clouds).\n\nOn the MDM console, deselect the \"Allow Google Backup\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80251",
"ruleID": "SV-94955r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup.",
"version": "KNOX-08-017400"
},
"V-80253": {
"checkid": "C-79925r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine whether a developer mode is enabled.\n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Developer Mode\" check box in the \"Android Restrictions\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Developer options\". (**)\n3. Attempt to enable \"Developer options\".\n\nIf the MDM console \"Allow Developer Mode\" check box is selected or on the Samsung Android 8 with Knox device, \"Developer options\" can be enabled by the user, this is a finding.\n\nNote: The \"Developer Modes\" configuration setting may not be available in older MDM consoles. Disabling USB Debugging and Mock Locations also disables Developer modes on the mobile device.\n\n(**) \"Developer options\" is initially hidden to users. To unhide this menu item:\n1. Open the device settings.\n2. Select \"About device\".\n3. Select \"Software info\". (Note: On some devices, this step is not needed.)\n4. Rapidly tap on \"Build number\" multiple times until the device displays the Developer Options menu item.",
"description": "Developer modes expose features of the Samsung Android 8 with Knox that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD sensitive information. Disabling developer modes mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #26",
"fixid": "F-87059r1_fix",
"fixtext": "Configure the Samsung Android 8 with Knox to disable developer modes.\n\nOn the MDM console, deselect the \"Allow Developer Mode\" check box in the \"Android Restrictions\" rule.",
"iacontrols": null,
"id": "V-80253",
"ruleID": "SV-94957r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to disable developer modes.",
"version": "KNOX-08-017900"
},
"V-80255": {
"checkid": "C-79927r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has enabled authentication of personal hotspot connections to the device using a pre-shared key. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device. \n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Allow Unsecured Hotspot\" check box in the \"WiFi Policy\" rule. \n2. Verify the check box is not selected.\n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Connections\".\n3. Select \"Mobile Hotspot and Tethering\".\n4. Select \"Mobile hotspot\".\n5. Open the more options menu and select \"Configure Mobile hotspot\".\n6. Verify the user cannot save the configuration with security set to \"Open\".\n\nIf the MDM console \"Allow Unsecured Hotspot\" check box is selected or the Samsung Android 8 with Knox device can be configured as a Mobile Hotspot with Open Security, this is a finding.",
"description": "If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk.\n\nApplication note: If hotspot functionality is permitted, it must be authenticated via a pre-shared key. There is no requirement to enable hotspot functionality.\n\nSFR ID: FMT_SMF_EXT.1.1 #41a",
"fixid": "F-87061r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enable authentication of personal hotspot connections to the device using a pre-shared key.\n\nOn the MDM console, deselect the \"Allow Unsecured Hotspot\" check box in the \"WiFi Policy\" rule.",
"iacontrols": null,
"id": "V-80255",
"ruleID": "SV-94959r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.",
"version": "KNOX-08-018100"
},
"V-80257": {
"checkid": "C-79929r1_chk",
"checktext": "Review configuration settings to confirm the most recently released version of Samsung Android is installed.\n\nThis validation procedure is performed on both the MDM console and the Samsung Android 8 with Knox device. \n\nIn the MDM management console, review the version of Samsung Android installed on a sample of managed devices. This procedure will vary depending on the MDM product. See the notes below to determine the latest available OS version.\n\nOn the Samsung device:\n1. Open the \"Settings\".\n2. Tap \"About phone\" and then \"Software information\" to see the version number of the installed Android OS.\n3. Tap \"Software update\" and \"Check for updates\" to determine if an OS update is available.\n4. Verify the following message is shown on the screen: \"Current software is up to date\".\n\nIf the installed version of Android OS on any reviewed Samsung devices is not the latest released by the wireless carrier, this is a finding.\n\nNote: Some wireless carriers list the version of the latest Android OS release by mobile device model online:\nATT: https://www.att.com/devicehowto/dsm.html#!/popular/make/Samsung\nT-Mobile: https://support.t-mobile.com/docs/DOC-34510\nVerizon Wireless: https://www.verizonwireless.com/support/software-updates/\n\nGoogle's Android OS patch website: https://source.android.com/security/bulletin/ \nSamsung's Android OS patch web site: https://security.samsungmobile.com/securityUpdate.smsb",
"description": "Required security features are not available in earlier OS versions. In addition, there may be known vulnerabilities in earlier versions.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87063r1_fix",
"fixtext": "Install the latest released version of Samsung Android OS on all managed Samsung devices. \n\nNote: In most cases, OS updates are released by the wireless carrier (for example, Sprint, T-Mobile, Verizon Wireless, and ATT).",
"iacontrols": null,
"id": "V-80257",
"ruleID": "SV-94961r1_rule",
"severity": "high",
"title": "The Samsung Android 8 with Knox device must have the latest available Samsung Android operating system (OS) installed.",
"version": "KNOX-08-018450"
},
"V-80259": {
"checkid": "C-79931r1_chk",
"checktext": "If the mobile device does not support removable media, this requirement is Not Applicable (NA). \n\nReview Samsung Android 8 with Knox configuration settings to determine if data in the mobile device's removable storage media is encrypted. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Storage Encryption\" setting in the \"Android Security\" rule. \n2. Verify the \"SD Card Encryption\" setting is enabled. \n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Insert a MicroSD card into the device.\n4. If the MicroSD card is not already encrypted, select \"Encrypt SD card\". Verify \"The security policy restricts use of SD cards that are not encrypted\" is displayed.\n5. If the MicroSD card is encrypted, verify \"Decrypt SD card\" is displayed and cannot be selected.\n\nIf the specified encryption settings are not set to the appropriate values, this is a finding.",
"description": "Samsung Android 8 with Knox must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.\n\nSFR ID: FMT_SMF_EXT.1.1 #21, #47f",
"fixid": "F-87065r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enable information at rest protection for removable media.\n\nOn the MDM console, enable the \"External Storage Encryption\" setting in the \"Android Security\" rule.",
"iacontrols": null,
"id": "V-80259",
"ruleID": "SV-94963r1_rule",
"severity": "high",
"title": "Samsung Android 8 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled.",
"version": "KNOX-08-018500"
},
"V-80261": {
"checkid": "C-79933r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to enable a Certificate Revocation Status (CRL) Check. \n\nThis validation procedure is performed on the MDM Administration Console only.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the package list in the \"Certificate Revocation Check (CRL)\" settings in the \"Android Certificate\" rule.\n2. Verify the string is \"*\" (asterisk).\n3. Ask the MDM Administrator to display the enable check box in the \"Certificate Revocation Check (CRL)\" settings in the \"Android Certificate\" rule. \n4. Verify the check box is selected.\n\nIf the MDM console \"Certificate Revocation Check (CRL)\" settings are not enabled for all packages, this is a finding.",
"description": "A Certificate Revocation List (CRL) is published by a certificate issuer to identify certificates it has revoked before their expiration, for any reason, including improperly issued certificates and compromise of the private keys. A device that does not check revocation status will continue to trust such a certificate until it expires. Checking the revocation status of the certificate before trusting it mitigates the risk associated with using a compromised certificate.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87067r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to enable a Certificate Revocation Status (CRL) Check.\n\nOn the MDM console, do the following:\n1. Enter the string \"*\" (asterisk) in the package list in the \"Certificate Revocation Check (CRL)\" settings in the \"Android Certificate\" rule.\n2. Select the enable check box in the \"Certificate Revocation Check (CRL)\" settings in the \"Android Certificate\" rule.",
"iacontrols": null,
"id": "V-80261",
"ruleID": "SV-94965r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.",
"version": "KNOX-08-019100"
},
"V-80263": {
"checkid": "C-79935r1_chk",
"checktext": "Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has the DoD root and intermediate PKI certificates installed. \n\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nThe current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or \nhttp://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the list of server authentication certificates in the \"Android Certificate\" rule. \n2. Verify the DoD root and intermediate PKI certificates are present. \n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Open the device settings.\n2. Select \"Lock screen and security\".\n3. Select \"Other security settings\".\n4. Select \"View security certificates\".\n5. Review Certificate Authorities listed under the \"System\" and \"User\" tabs.\n6. Verify the presence of the DoD root and intermediate certificates.\n\nIf the MDM console \"Android Certificate\" does not have the DoD root and intermediate PKI certificates present or on the Samsung Android 8 with Knox device, \"View security certificates\" does not have the DoD root and intermediate PKI certificates present, this is a finding.",
"description": "DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, the device cannot validate the chain of trust of DoD-issued certificates, users may be prompted to accept untrusted certificates, and an adversary could present a falsely signed certificate in such a way that it could not be detected. Providing access to the DoD root and intermediate PKI certificates greatly diminishes the risk of this attack.\n\nSFR ID: FMT_SMF_EXT.1.1 #47",
"fixid": "F-87069r1_fix",
"fixtext": "Configure Samsung Android 8 with Knox to install DoD root and intermediate certificates.\n\nOn the MDM console, add the PEM encoded representations of the DoD root and intermediate certificates to the certificate whitelist in the \"Android Certificate\" rule.\n\nThe current DoD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://iase.disa.mil/pki-pke (for NIPRNet) or \nhttp://iase.rel.disa.smil.mil/pki-pke/function_pages/tools.html (for SIPRNet).\n\nNote: These download links are plain HTTP. Before adding the downloaded root and intermediate certificates to the whitelist, verify their thumbprints (fingerprints) against an authoritative DoD PKE source; a trusted root certificate substituted in transit would allow an adversary to issue certificates the device accepts.",
"iacontrols": null,
"id": "V-80263",
"ruleID": "SV-94967r1_rule",
"severity": "medium",
"title": "Samsung Android 8 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device.",
"version": "KNOX-08-019400"
},
"V-80265": {
"checkid": "C-79937r1_chk",
"checktext": "The DoD warning banner can be displayed by either of the following methods (required text is found in the Vulnerability Discussion):\n\n1. By placing the DoD warning banner text in the user agreement signed by each Samsung device user (preferred method) \n2. By configuring the required banner text on the MDM console and pushing the security policy with the banner to each managed device\n\nDetermine which method is used at the Samsung device site and follow the appropriate validation procedure below.\n\nValidation Procedure for Method #1:\nReview the signed user agreements for several Samsung device users and verify the agreement includes the required DoD warning banner text.\n\nValidation Procedure for Method #2:\nThis validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.\n\nOn the MDM console, do the following:\n1. Ask the MDM Administrator to display the \"Banner Text\" field in the \"DoD Banner\" settings in the \"Android Security\" rule. \n2. Verify the correct DoD-specified warning text is displayed in the Banner Text field or the field is blank.\n3. Ask the MDM Administrator to display the enable check box in the \"DoD Banner\" settings in the \"Android Security\" rule.\n4. Verify the check box is selected. \n\nOn the Samsung Android 8 with Knox device, do the following:\n1. Reboot the device.\n2. Verify the device displays the DoD banner.\n3. Verify the DoD banner is set to one of the authorized messages.\n\nIf for Method #1, the required warning banner text is not on all signed user agreements reviewed, this is a finding.\n\nIf for Method #2, the MDM console \"DoD Banner\" enable check box is not selected, or the \"Banner Text\" is not set to the appropriate designated wording, or the Samsung Android 8 with Knox device does not display a warning banner with the appropriate designated wording when rebooted, this is a finding.",
"description": "The Samsung Android 8 with Knox is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DoD can audit and monitor the activities of mobile device users without legal restriction.\n\nSystem use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a \"click-through\" banner at device unlock (to the extent permitted by the operating system). A \"click-through\" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK.\"\n\nThe approved DoD text must be used exactly as required in the KS referenced in DoDI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nFor devices with severe character limitations, the banner text is: \n\nI've read & consent to terms in IS user agreem't.\n\nThe Administrator must configure the banner text exactly as written without any changes.\n\nSFR ID: FMT_SMF_EXT.1.1 #36",
"fixid": "F-87071r1_fix",
"fixtext": "Configure the DoD warning banner by either of the following methods (required text is found in the Vulnerability Discussion):\n\n1. Place the DoD warning banner text in the user agreement signed by each Samsung device user.\n2. Configure Samsung Android 8 with Knox to display the DoD-mandated warning banner text.\n\nOn the MDM console, do the following:\n1. Enter the correct text in the \"Banner Text\" field in the \"DoD Banner\" settings in the \"Android Security\" rule.\n2. Select the \"Enable\" check box in the \"DoD Banner\" settings in the \"Android Security\" rule. \n\nNote: If enabled without configuring the \"Banner Text\", the device will display a default text that matches the required DoD banner.\n\nNote: On some MDM vendor consoles, the logon banner is automatically displayed upon reboot while the device is MDM enrolled. On these consoles, this control is not configurable through the MDM server or on the device.",
"iacontrols": null,
"id": "V-80265",
"ruleID": "SV-94969r1_rule",
"severity": "low",
"title": "Samsung Android 8 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.",
"version": "KNOX-08-020400"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-80161": "true",
"V-80163": "true",
"V-80165": "true",
"V-80167": "true",
"V-80169": "true",
"V-80171": "true",
"V-80173": "true",
"V-80175": "true",
"V-80177": "true",
"V-80179": "true",
"V-80181": "true",
"V-80183": "true",
"V-80185": "true",
"V-80187": "true",
"V-80189": "true",
"V-80191": "true",
"V-80193": "true",
"V-80195": "true",
"V-80197": "true",
"V-80199": "true",
"V-80201": "true",
"V-80203": "true",
"V-80205": "true",
"V-80207": "true",
"V-80209": "true",
"V-80211": "true",
"V-80213": "true",
"V-80215": "true",
"V-80217": "true",
"V-80219": "true",
"V-80221": "true",
"V-80223": "true",
"V-80225": "true",
"V-80227": "true",
"V-80229": "true",
"V-80231": "true",
"V-80233": "true",
"V-80235": "true",
"V-80237": "true",
"V-80239": "true",
"V-80241": "true",
"V-80243": "true",
"V-80245": "true",
"V-80247": "true",
"V-80249": "true",
"V-80251": "true",
"V-80253": "true",
"V-80255": "true",
"V-80257": "true",
"V-80259": "true",
"V-80261": "true",
"V-80263": "true",
"V-80265": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "samsung_android_os_8_with_knox_3.x_cobo_use_case",
"title": "Samsung Android OS 8 with Knox 3.x COBO Use Case Security Technical Implementation Guide",
"version": "1"
}
}