Check: KNOX-09-000135
Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment STIG:
KNOX-09-000135
(in versions v1 r5 through v1 r1)
Title
Samsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [DoD-approved commercial app repository, MDM server, mobile application store]: - disallow unknown app installation sources. (Cat II impact)
Discussion
Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF_EXT.1.1 #8a
Check Content
Review device configuration settings to confirm that installation from unauthorized application repositories is disallowed. This procedure is performed on both the MDM Administration console and the Samsung Android device. On the MDM console, for the device, in the "Knox restrictions" group, verify that "allow install unknown sources" is not selected. On the Samsung Android device, do the following: 1. Open Settings. 2. Tap "Apps". 3. Tap the Overflow menu (three vertical dots). 4. Tap "Special Access". 5. Tap "Install unknown apps". 6. Tap a listed app. 7. Verify that "Allow from this source" cannot be enabled. If on the MDM console "allow install unknown source" is selected, or on the Samsung Android device the user can enable "allow from this source" for an app, this is a finding.
Fix Text
Configure Samsung Android to disallow installation from unauthorized application repositories. On the MDM console, for the device, in the "Knox restrictions" group, unselect "allow install unknown sources".
Additional Identifiers
Rule ID: SV-217798r617471_rule
Vulnerability ID: V-217798
Group Title: PP-MDF-301080
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-001806 |
The organization defines methods to be employed to enforce the software installation policies. |