Check: KNOX-09-000360
Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment STIG:
KNOX-09-000360
(in versions v1 r4 through v1 r1)
Title
Any accessory that provides wired networking capabilities to a Samsung Android device must not be connected to a DoD network (for example: DeX Station [LAN port], USB to Ethernet adapter, etc.). (Cat II impact)
Discussion
If a Samsung Android device uses an accessory that provides wired networking capabilities, and that accessory is connected to a DoD network, then the Samsung Android device would also be connected to the DoD network. Samsung Android devices most likely have a number of personal apps installed that may include malware or have high-risk behaviors (for example, offloading data from the phone to third-party servers outside the United States). In addition, smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks. Note: Samsung DeX mode (with input devices) will not work unless the "USB host mode exception list" is configured (see requirement KNOX-09-000750 for more information). SFR ID: FMT_MOF_EXT.1.2 #47
Check Content
Review accessories that provide wired networking capabilities to Samsung Android devices at the site and verify that the accessories are not connected to a DoD network. If accessories that provide wired networking capabilities to Samsung Android devices are connected to DoD networks, this is a finding. Note: Connections to a site's guest network that provides Internet-only access can be used. Note: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
Fix Text
When using an accessory that provides wired networking capabilities to a Samsung Android device, do not connect the accessory to a DoD network. Note: This setting cannot be managed by the MDM administrator and is a UBE requirement.
Additional Identifiers
Rule ID: SV-217668r388482_rule
Vulnerability ID: V-217668
Group Title: PP-MDF-992000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |