Check: GOOG-09-009200
Google Android 9.x STIG:
GOOG-09-009200
(in versions v2 r1 through v1 r1)
Title
The Google Android Pie Work Profile must be configured to prevent users from adding personal email accounts to the work email app. (Cat II impact)
Discussion
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to whitelisted accounts mitigates this vulnerability. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Review the Google Android Pie Work Profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the MDM Administrator console and the Google Android Pie device. On the MDM console: 1. Open the User restrictions setting. 2. Verify that "Disallow add accounts" is set to on. On the Google Android Pie device, do the following: 1. Open Settings. 2. Tap "Accounts". 3. Verify that "Add account" is grayed out under the Work section. If on the MDM console the restriction to "Disallow add accounts" is not set or on the Google Android Pie device the user is able to add an account, this is a finding.
Fix Text
Configure Google Android Pie Work Profile to prevent users from adding personal email accounts to the work email app. On the MDM console, for the Work Profile, do the following: 1. Open the User restrictions setting. 2. Set "Disallow modify accounts" to on. Refer to the MDM documentation to determine how to provision users' work email accounts for the work email app.
Additional Identifiers
Rule ID: SV-106457r1_rule
Vulnerability ID: V-97353
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |