STIGQter: STIG Summary: Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide. Version: 1, Release: 1, Benchmark Date: 20 Nov 2020

The Samsung Android Work Environment must be configured to prevent users from adding personal email accounts to the work email app.

DISA Rule

SV-231037r608683_rule

Vulnerability Number

V-231037

Group Title

PP-MDF-991000

Rule Version

KNOX-11-017400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android Work Environment to prevent users from adding personal email accounts to the work email app.

Refer to the management tool documentation to determine how to provision users’ work email accounts for the work email app.

On the management tool:
1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for: Work email app.
2. Provision the user's email account on their behalf.

Check Contents

Review Samsung Android Work Environment configuration settings to determine if users are prevented from adding personal email accounts to the work email app.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool:
1. In the Work Environment Account section, set "Account Addition Denylist" to "Denylist all" for: Work email app.
2. Provision the user's email account on their behalf.

For COPE: On the Samsung Android device:
1. Open Settings >> Work profile >> Accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

For COBO: On the Samsung Android device:
1. Open Settings >> Accounts and backup >> Manage accounts.
2. Verify that no account can be added.
3. Verify that the user's work email app has been provisioned with the work email account.

If on the management tool "Account Addition Denylist" is not set to "Denylist all" for the Work email app, or on the Samsung Android device an account can be added, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

5248
