SV-103041r1_rule
V-92953
PP-MDF-991000
KNOX-09-000015
CAT II
10
Configure Samsung Android to prevent users from adding personal email accounts to the work email app.
Do one of the following:
- Method #1: Allow users to only add DoD-approved email accounts to the work email app.
- Method #2: Disallow users from adding any email accounts to the work email app and provision the users' email account on their behalf.
****
Method #1: On the MDM console, for the device, in the "Knox account" group, add all DoD-approved email domains to the account addition whitelist.
Refer to the MDM documentation to determine if an account addition blacklist is also required to be configured when enforcing an account addition whitelist.
****
Method #2: On the MDM console, for the device, do the following:
1. In the "Knox account" group, blacklist all email domains in the account addition blacklist.
2. Provision the user's email account for the work email app.
Refer to the MDM documentation to determine how to provision users' work email accounts for the work email app.
Review device configuration settings to confirm that users are prevented from adding personal email accounts to the work email app.
This procedure is performed on both the MDM Administrator console and the Samsung Android device.
Confirm whether Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.
****
Method #1: On the MDM console, for the device, in the "Knox account" group, verify that the account addition whitelist only includes DoD-approved email domains.
Refer to the MDM documentation to determine if the account addition blacklist is also required to be configured when enforcing an account addition whitelist.
On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Accounts and backup".
3. Tap "Add account".
4. Tap the account type for the work email app.
5. Verify that an account with a DoD-approved email domain can be added.
6. Verify that an account without a DoD-approved email domain cannot be added.
If on the MDM console the account addition whitelist includes domains that are not DoD-approved email domains, or on the Samsung Android device the user is able to add an account without a DoD-approved email domain, this is a finding.
****
Method #2: On the MDM console, for the device, do the following:
1. In the "Knox account" group, verify that all email domains are blacklisted in the account addition blacklist.
2. Verify that the user's email account for the work email app has been provisioned.
Refer to the MDM documentation to determine how to verify that a user's work email account is provisioned for the work email app.
On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Accounts and backup".
3. Tap "Accounts".
4. Tap "Add account".
5. Verify that no accounts can be added.
If on the MDM console the account addition blacklist is not set to blacklist all email domains, or on the Samsung Android device the user is able to add an account, this is a finding.
V-92953
False
KNOX-09-000015
M
3497