Title

LG Android 6.x must implement the management setting: Disable content sharing (for Work Profile). This requirement is only valid for activation type COPE#2. (Cat II impact)

Discussion

Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal email accounts or social applications, or transmission of malicious files to DoD accounts. Disabling this feature mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45

Check Content

This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow content sharing from work profile to personal space (Work Profile only)" settings. 2. Verify that the setting is not checked. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Launch badged "Contacts" app. 2. Choose one of the contacts to share. 3. Select the menu. 4. Choose a "Share". 5. Verify that the message "No application to perform this action" is displayed. If on the MDM console "Allow content sharing from work profile to personal space (Work Profile only)" is enabled or on the LG Android device a contact in the Work Profile can be shared, this is a finding.

Fix Text

Configure the mobile operating system to disable cross-profile sharing. On the MDM Administration Console, set the "Allow Cross-Profile Sharing (for Work Profile)" to disable.

Additional Identifiers

Rule ID: SV-81395r2_rule

Vulnerability ID: V-66905

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.