STIGQter STIGQter: STIG Summary: Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Apr 2020:

Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.

DISA Rule

SV-103003r1_rule

Vulnerability Number

V-92915

Group Title

PP-MDF-301140

Rule Version

KNOX-09-000980

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to disallow mount of physical storage media or enable Knox external storage encryption.

If the mobile device does not support removable media, this guidance is not applicable.

Do one of the following:
- Method #1: Disallow mounting of physical storage media.
- Method #2: Enable external storage encryption.

****

Method #1: On the MDM console, for the device, in the "Android user restrictions" group, select "disallow mount physical media".

****

Method #2: On the MDM console, for the device, in the "Knox encryption" group, select "enable external storage encryption".

Check Contents

Review device configuration settings to confirm that mounting of physical storage media is disallowed or Knox external storage encryption is enabled.

If the mobile device does not support removable media, this procedure is not applicable and is not a finding.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

Confirm if Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.

****

Method #1: On the MDM console, for the device, in the "Android user restrictions" group, verify that "disallow mount physical media" is selected.

On the Samsung Android device, verify that a MicroSD card cannot be mounted.

If on the MDM console "disallow mount physical media" is not selected, or a MicroSD card can be mounted by the Samsung Android device, this is a finding.

****

Method #2: On the MDM console, for the device, in the "Knox encryption" group, verify that "enable external storage encryption" is selected.

On the Samsung Android device, verify that a MicroSD card must be encrypted before use.

If on the MDM console "enable external storage encryption" is not selected, or a MicroSD card can be used on the Samsung Android device without first being encrypted, this is a finding.

Vulnerability Number

V-92915

Documentable

False

Rule Version

KNOX-09-000980

Severity Override Guidance

Review device configuration settings to confirm that mounting of physical storage media is disallowed or Knox external storage encryption is enabled.

If the mobile device does not support removable media, this procedure is not applicable and is not a finding.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

Confirm if Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.

****

Method #1: On the MDM console, for the device, in the "Android user restrictions" group, verify that "disallow mount physical media" is selected.

On the Samsung Android device, verify that a MicroSD card cannot be mounted.

If on the MDM console "disallow mount physical media" is not selected, or a MicroSD card can be mounted by the Samsung Android device, this is a finding.

****

Method #2: On the MDM console, for the device, in the "Knox encryption" group, verify that "enable external storage encryption" is selected.

On the Samsung Android device, verify that a MicroSD card must be encrypted before use.

If on the MDM console "enable external storage encryption" is not selected, or a MicroSD card can be used on the Samsung Android device without first being encrypted, this is a finding.

Check Content Reference

M

Target Key

3495

Comments