
The mobile operating system must prevent a user from installing unapproved applications.


Overview

Finding ID: KNOX-12-002400
Version: KNOX-12-002400
Rule ID: KNOX-12-002400_rule
IA Controls:
Severity: High
Description
The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-12-002400_chk)
This check procedure is identical to the one provided for KNOX-12-002300 (SRG-OS-000090-MOS-000060). It need not be repeated if results have been acquired from that check procedure.

This check procedure is performed using an MDM tool.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Enforce Signature Blacklisting" checkbox in the "Android Knox Restrictions" rule.
2. Verify the checkbox is selected.

If the "Enforce Signature Blacklisting" checkbox is not selected, this is a finding.

NOTE: Selecting the "Enforce Signature Blacklisting" checkbox activates the Knox Android application quarantine capability.

Fix Text (F-KNOX-12-002400_fix)
Configure the mobile operating system to prevent a user from installing unapproved applications.

For example, on the Fixmo Sentinel Administration Console, select the "Enforce Signature Blacklisting" checkbox in the "Android Knox Restrictions" rule.