Samsung Android OS 14 with Knox 3.x COPE STIG Version Comparison
Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide
Comparison
There are 9 differences between versions v2 r1 (July 24, 2024) (the "left" version) and v2 r3 (Oct. 1, 2025) (the "right" version).
Check KNOX-14-011000 was added to the benchmark in the "right" version.
This check's original form is available here.
Text Differences
Title
Samsung Android 14 must disable the ability of the user to wipe the device.
Check Content
Review configuration settings to confirm that the user is unable to perform a factory reset and the admin has the ability to inject a recovery account on the device to unlock Factory Reset Protection (FRP).

This check procedure is performed on the device management tool and the Samsung Android 14 device.

On the MDM console:

Verify factory reset configuration:
COBO and COPE:
1. Open user restrictions.
2. Verify that "Disallow Factory Reset" is enabled.

Verify factory reset protection policy configuration:
1. From the Android Enterprise policy management, go to the Factory Reset Protection section.
2. Verify that "Factory Reset Protection" is set to "Allow/Enabled".
3. Verify that the correct Google Account ID(s) is/are listed as allowed to unlock the FRP.

On the managed Samsung Android 14 device, verify factory reset configuration:
COBO and COPE:
1. Open Settings >> General management >> Reset.
2. Tap the "Factory data reset" option.
3. Verify that the "Action not allowed" pop-up appears and the factory data reset does not proceed.

If the Android device user is able to perform a factory reset or the admin cannot unlock the Android phone after an FRP event, this is a finding.
Discussion
This feature must be disabled to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users could wipe the device, which would violate DOD policy.

SFR ID: FMT_MOF_EXT.1.2 #47
Fix
Configure the Samsung Android 14 device to disable the ability of the user to wipe the Android device. Enable the admin to inject a recovery account on the device so they can unlock FRP.

On the MDM console:

Disallow factory reset:
COBO and COPE:
1. Open user restrictions.
2. Enable "Disallow Factory Reset".

Set factory reset protection policy:
COBO and COPE:
1. Select Device owner management >> Set factory reset protection.
2. From the "Accounts" section, go to Add Account >> Enter recovery account and press "Ok".
3. From the "Enabled" section, select "Enabled" to enable factory reset protection policy.
4. Press "Save" to confirm all changes.

API: addUserRestriction, DISALLOW_FACTORY_RESET and setFactoryResetProtectionPolicy
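
The API calls named in the Fix, shown as an added example (not part of the STIG and not Samsung or MDM vendor code) of how a device policy controller could apply and then verify both settings. It assumes a fully managed (COBO, device owner) deployment on API level 30 or later; the class name, method names and the `recoveryAccountIds` parameter are hypothetical.

```java
import android.app.admin.DevicePolicyManager;
import android.app.admin.FactoryResetProtectionPolicy;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;
import java.util.List;

// Hypothetical helper for a device-owner DPC; names are illustrative, not from the STIG.
public final class FactoryResetLockdown {
    private FactoryResetLockdown() {}

    // Applies both halves of the Fix: block user-initiated reset, then set the FRP policy.
    public static void apply(Context ctx, ComponentName admin, List<String> recoveryAccountIds) {
        // The check requires a listed recovery account, so refuse to enable FRP without one.
        if (recoveryAccountIds == null || recoveryAccountIds.isEmpty()) {
            throw new IllegalArgumentException("At least one recovery account ID is required");
        }
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        // "Disallow Factory Reset" user restriction.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_FACTORY_RESET);
        // Admin-supplied recovery accounts that may unlock the device after an FRP event.
        FactoryResetProtectionPolicy frp = new FactoryResetProtectionPolicy.Builder()
                .setFactoryResetProtectionAccounts(recoveryAccountIds)
                .setFactoryResetProtectionEnabled(true)
                .build();
        dpm.setFactoryResetProtectionPolicy(admin, frp);
    }

    // Reads the settings back, mirroring the MDM-console side of the Check Content.
    public static boolean isCompliant(Context ctx, ComponentName admin, List<String> expectedIds) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        Bundle restrictions = dpm.getUserRestrictions(admin);
        FactoryResetProtectionPolicy frp = dpm.getFactoryResetProtectionPolicy(admin);
        return restrictions.getBoolean(UserManager.DISALLOW_FACTORY_RESET, false)
                && frp != null
                && frp.isFactoryResetProtectionEnabled()
                && frp.getFactoryResetProtectionAccounts().containsAll(expectedIds);
    }
}
```

A read-back like `isCompliant` covers only the policy state; the on-device step in the Check Content (the "Action not allowed" pop-up) still has to be confirmed on the handset.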