STIGQter: STIG Summary: Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

Samsung Android must be enrolled as a COPE/COBO device.

DISA Rule

SV-231041r608683_rule

Vulnerability Number

V-231041

Group Title

PP-MDF-991000

Rule Version

KNOX-11-018600

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Enroll the Samsung Android device in a DoD-approved use case by either of the following methods:

Method #1: Legacy managed with Legacy Workspace (COPE)

On the management tool, configure the default enrollment as "Legacy managed with Legacy Workspace".

****

Method #2: Legacy managed (COBO)

On the management tool, configure the default enrollment as "Legacy managed".

****

Refer to the management tool documentation to determine how to configure the device enrollment.

Check Contents

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Method #1: Legacy managed with Legacy Workspace (COPE)

On the management tool, verify that the default enrollment is set to "Legacy managed with Legacy Workspace".

On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that a "Personal" and "Workspace" tab are present.

If on the management tool the default enrollment is not set as "Legacy managed with Legacy Workspace", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.

****

Method #2: Legacy managed (COBO)

On the management tool, verify that the default enrollment is set as "Legacy managed".

On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.

If on the management tool the default enrollment is not set as "Legacy managed" or the management tool Agent is not listed, this is a finding.

Vulnerability Number

V-231041

Documentable

False

Rule Version

KNOX-11-018600

Severity Override Guidance

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Method #1: Legacy managed with Legacy Workspace (COPE)

On the management tool, verify that the default enrollment is set to "Legacy managed with Legacy Workspace".

On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.
3. Go to the app drawer.
4. Verify that a "Personal" and "Workspace" tab are present.

If on the management tool the default enrollment is not set as "Legacy managed with Legacy Workspace", or on the Samsung Android device the "Personal" and "Work" tabs are not present or the management tool Agent is not listed, this is a finding.

****

Method #2: Legacy managed (COBO)

On the management tool, verify that the default enrollment is set as "Legacy managed".

On the Samsung Android device:
1. Open Settings >> Biometric and security >> Other security settings >> Device admin apps.
2. Verify that the management tool Agent is listed.

If on the management tool the default enrollment is not set as "Legacy managed" or the management tool Agent is not listed, this is a finding.

Check Content Reference

M

Target Key

5248

Comments