SV-103849r1_rule
V-93763
PP-MDF-301260
KNOX-09-000240
CAT II
10
Configure the Samsung Android Workspace to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
On the MDM console, for the Workspace, in the "Knox RCP" group, do the following:
1. Unselect "allow move applications to workspace".
2. Unselect "allow move files to personal".
3. Unselect "allow sharing clipboard to personal".
4. Unselect "sync calendar to personal".
5. Unselect "sync contact to personal".
Note: The "allow move files to workspace" option may be selected if there is a DoD mission need for this feature.
Review the Samsung Android Workspace configuration settings to confirm that the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes has been enabled.
This procedure is performed on both the MDM Administration console and the Samsung Android device.
On the MDM console, for the Workspace, in the "Knox RCP" group, do the following:
1. Verify that "allow move applications to workspace" is not selected.
2. Verify that "allow move files to personal" is not selected.
3. Verify that "allow sharing clipboard to personal" is not selected.
4. Verify that "sync calendar to personal" is not selected.
5. Verify that "sync contact to personal" is not selected.
On the Samsung Android device, do the following:
1. Swipe up to access the App screen.
2. Tap the "Workspace" tab.
3. Open the "My Files" app.
4. Find a file and select it with a long tap.
5. From the Overflow menu (three vertical dots), tap "Move to Personal".
6. Verify that the message "Security policy restricts this action" is displayed.
7. Navigate back to the "Workspace" App screen and, using any Workspace app, copy text to the clipboard.
8. Navigate to the "Personal" App screen and, using a Personal app, verify that the clipboard text cannot be pasted.
9. Open Settings.
10. Tap "Workspace".
11. Verify that "Install apps" is disabled and cannot be tapped.
12. Tap "Notifications and data".
13. Verify that "Export calendar to Personal" is disabled and cannot be enabled.
This is a finding if, on the MDM console:
- "allow move applications to workspace" is selected;
- "allow move files to personal" is selected;
- "allow sharing clipboard to personal" is selected;
- "sync calendar to personal" is enabled is selected; or
- "sync contact to personal" is selected.
This is a finding if, on the Samsung Android device:
- "Move to Personal" file is not blocked;
- Clipboard text can be pasted to Personal app;
- "Install apps" is enabled or can be tapped; or
- "Export calendar to Personal" is enabled or can be enabled.
V-93763
False
KNOX-09-000240
Review the Samsung Android Workspace configuration settings to confirm that the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes has been enabled.
This procedure is performed on both the MDM Administration console and the Samsung Android device.
On the MDM console, for the Workspace, in the "Knox RCP" group, do the following:
1. Verify that "allow move applications to workspace" is not selected.
2. Verify that "allow move files to personal" is not selected.
3. Verify that "allow sharing clipboard to personal" is not selected.
4. Verify that "sync calendar to personal" is not selected.
5. Verify that "sync contact to personal" is not selected.
On the Samsung Android device, do the following:
1. Swipe up to access the App screen.
2. Tap the "Workspace" tab.
3. Open the "My Files" app.
4. Find a file and select it with a long tap.
5. From the Overflow menu (three vertical dots), tap "Move to Personal".
6. Verify that the message "Security policy restricts this action" is displayed.
7. Navigate back to the "Workspace" App screen and, using any Workspace app, copy text to the clipboard.
8. Navigate to the "Personal" App screen and, using a Personal app, verify that the clipboard text cannot be pasted.
9. Open Settings.
10. Tap "Workspace".
11. Verify that "Install apps" is disabled and cannot be tapped.
12. Tap "Notifications and data".
13. Verify that "Export calendar to Personal" is disabled and cannot be enabled.
This is a finding if, on the MDM console:
- "allow move applications to workspace" is selected;
- "allow move files to personal" is selected;
- "allow sharing clipboard to personal" is selected;
- "sync calendar to personal" is enabled is selected; or
- "sync contact to personal" is selected.
This is a finding if, on the Samsung Android device:
- "Move to Personal" file is not blocked;
- Clipboard text can be pasted to Personal app;
- "Install apps" is enabled or can be tapped; or
- "Export calendar to Personal" is enabled or can be enabled.
M
3507