Title

Google Android Pie must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the products Common Criteria evaluation. (Cat II impact)

Discussion

Trust agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1

Check Content

Review device configuration settings to confirm that trust agents are disabled. This procedure is performed on both the MDM Administration console and the Google Android Pie device. On the MDM console: 1. Open restrictions section. 2. Set "Disable trust agents" to on. On the Google Android Pie device: 1. Open Settings. 2. Tap "Security & location". 3. Tap "Advanced". 4. Tap "Trust agents". 5. Verify that all listed trust agents are disabled and cannot be enabled. If on the MDM console "disable trust agents" is not selected, or on the Android Pie device a trust agent can be enabled, this is a finding.

Fix Text

Configure Google Android Pie to disable trust agents. On the MDM console: 1. Open Lock screen restrictions section. 2. Set "Disable trust agents" to on.

Additional Identifiers

Rule ID: SV-106429r1_rule

Vulnerability ID: V-97325

Group Title: PP-MDF-301150

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.