STIGQter: STIG Summary: Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Apr 2020

Samsung Android must be configured to prevent users from adding personal email accounts to the work email app.

DISA Rule

SV-102945r1_rule

Vulnerability Number

V-92857

Group Title

PP-MDF-991000

Rule Version

KNOX-09-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to prevent users from adding personal email accounts to the work email app.

On the MDM console, for the device, do the following:
1. In the "Android account" group, configure "account management" to "disable for the work email app".
2. Provision the user's email account for the work email app.

Refer to the MDM documentation to determine how to provision users' work email accounts for the work email app.

Check Contents

Review device configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, do the following:
1. In the "Android account" group, verify that "account management" is configured to "disable for the work email app".
2. Provision the user's email account for the work email app.

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Accounts and backup".
3. Tap "Accounts".
4. Tap "Add account".
5. Verify that an account for the work email app cannot be added.

If on the MDM console "account management" is not disabled for the work email app, or on the Samsung Android device the user can add an account for the work email app, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3495

Comments