STIGQter: STIG Summary: Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

Samsung Android Work Environment must be configured to not allow backup of all applications, configuration data to remote systems (account management backup). - Disable Data Sync

DISA Rule

SV-231030r608683_rule

Vulnerability Number

V-231030

Group Title

PP-MDF-301230

Rule Version

KNOX-11-007600

Severity

CAT II

CCI(s)

• CCI-002338 - The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

Weight

10

Fix Recommendation

Configure Samsung Android Work Environment to disable backup to remote systems (including commercial clouds) (account management backup).

On the management tool:
1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for Samsung accounts and Google accounts.
2. In the Work Environment, do not approve any app that uses accounts for data backup/sync.

Check Contents

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool:
1. In the Work Environment Account section, verify that "Account Addition Denylist" is set to "Denylist all" for Samsung accounts and Google accounts.
2. In the Work Environment, verify that no app that uses accounts for data backup/sync is approved.

For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.

For COBO: On the Samsung Android device:
1. Open Settings >> Accounts and backup >> Manage accounts
2. Verify that accounts are grayed out, or an account cannot be added.

If on the management tool "Account Addition Denylist" is not set to "Denylist all" for Samsung accounts and Google accounts, or on the Samsung Android device an account can be added, this is a finding.

Vulnerability Number

V-231030

Documentable

False

Rule Version

KNOX-11-007600

Severity Override Guidance

Review Samsung Android configuration settings to determine if the capability to back up to a remote system has been disabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool:
1. In the Work Environment Account section, verify that "Account Addition Denylist" is set to "Denylist all" for Samsung accounts and Google accounts.
2. In the Work Environment, verify that no app that uses accounts for data backup/sync is approved.

For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Accounts.
2. Verify that accounts are grayed out, or an account cannot be added.

For COBO: On the Samsung Android device:
1. Open Settings >> Accounts and backup >> Manage accounts
2. Verify that accounts are grayed out, or an account cannot be added.

If on the management tool "Account Addition Denylist" is not set to "Denylist all" for Samsung accounts and Google accounts, or on the Samsung Android device an account can be added, this is a finding.

Check Content Reference

M

Target Key

5248

Comments