Samsung Android 12 with Knox 3.x COBO STIG Version Comparison

There are 1 differences between versions v1 r1 (Dec. 15, 2021) (the "left" version) and v1 r2 (July 27, 2022) (the "right" version).

Check KNOX-12-110090 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

Samsung Android must be configured to enable disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.

Check Content

Review the configuration to determine if the Samsung Android devices are disabling Trust Agents. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify that "Trust Agents" are set to "Disable". On "Disable". -On the Samsung Android device: 1. Open Settings >> Biometrics and security >> Other security settings >> Trust agents. 2. Verify that all listed Trust Agents are disabled and cannot be enabled. If a Trust Agent is not disabled in the list, verify for that Trust Agent, all of its listed Trustlets are disabled and cannot be enabled. If on the management tool "Trust Agents" are not set to "Disable", or on the Samsung Android device a "Trust Agent" or "Trustlet" can be enabled, this is a finding. finding. Note: If the management tool has been correctly configured but a Trust Agent is still enabled, configure the "List of approved apps listed in managed Google Play" to disable it; refer to KNOX-12-110190. Exception: Trust Agents may be used if the AO allows a screen lock timeout after four hours (or more) of inactivity. This may be applicable to tactical use case.

Discussion

Trust agents allow The screen lock timeout must be set to a user value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to unlock a mobile device without entering a passcode when the mobile device is, for example, connected through loss, theft, etc. Such devices are much more likely to be a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have an unlocked state when acquired by an adversary, thus granting immediate access to the DoD sensitive data on if compromised. By not permitting the use mobile device. The maximum timeout period of 15 minutes non-password authentication mechanisms, this risk is mitigated - as has been selected users are forced to use passcodes that meet DoD passcode requirements SFR balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #2a #22, FIA_UAU.5.1

Fix

Configure the Samsung Android devices to disable Trust Agents. On the management tool, in the device restrictions, set "Trust Agents" to "Disable".