Samsung Android 15 BYOAD STIG Checklist
Difficulty: Medium · 24 items · 2 hours · Author: testuser · Published 1 month ago
This checklist helps IT teams and administrators apply DISA STIG guidance to personally owned Samsung devices running Android 15 in BYOAD scenarios. It provides clear, actionable steps to configure device security, enable data separation, enroll devices, and maintain compliance.
- Verify device OS is Android 15.0 — Confirm exact build and security patch level before applying STIG settings.
- Enroll device in an approved MDM/EMM — Use an enterprise-approved management platform to enforce policies and reporting.
- Configure and enable NIAP-certified work profile for data separation — Enable certified work profile to separate CUI and personal data per MDFPP.
- Verify work profile isolation between work and personal data — Test that work apps cannot access personal storage and vice versa.
- Assign and manage enterprise apps inside the work profile — Deliver apps through the managed store and restrict personal installation.
- Configure data sharing and clipboard restrictions for the work profile — Limit copy/paste and data sharing between work and personal profiles.
- Enable device encryption — Ensure file-based or full-disk encryption is active for all storage.
- Set a strong screen lock (PIN/password with timeout and lockout) — Enforce complexity, auto-lock timeout, and failed-attempt lockout.
- Enable biometric authentication with PIN fallback — Allow biometrics only with a secure fallback and enterprise policy control.
- Enforce automatic OS and security updates — Configure updates to install automatically or notify users via MDM.
- Disable developer options and USB debugging — Prevent device tampering and unauthorized data extraction.
- Disable installation from unknown sources; allow only the managed Play Store — Restrict sideloading to reduce malware risk; deliver apps through the managed Play Store.
- Enable verified boot / secure boot attestation — Verify device integrity at boot to detect tampering or compromised firmware.
- Install required enterprise apps and updates from the managed store — Ensure work-related apps are current and delivered via enterprise channels.
- Restrict app permissions to least privilege and review periodically — Audit and revoke excessive permissions for work-profile apps.
- Configure per-app VPN or enforce enterprise VPN for work traffic — Route work data through approved VPNs for confidentiality and monitoring.
- Enable remote wipe, selective wipe for work profile, and device locate — Verify remote actions work from the MDM and test selective wipe behavior.
- Configure backup controls for the work profile and disallow CUI export — Prevent backups from exporting controlled data to unmanaged services.
- Disable or restrict Bluetooth and NFC when not required — Turn off radios by policy or require user action to reduce attack surface.
- Enable and forward audit logs to enterprise logging or SIEM — Collect device events for forensic and compliance purposes.
- Perform a STIG compliance scan and remediate findings — Run automated checks against the STIG and address deficiencies.
- Document approved exceptions and retain compliance records — Record any deviations with justification, approval, and retention schedule.
- Provide BYOAD user training and require policy acknowledgement — Train users on handling CUI, app separation, and device hygiene; capture consent.
- Schedule periodic re-checks and firmware update reviews — Plan recurring scans, audits, and update cycles to maintain compliance.
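As an added example (not part of the original checklist and not the official DISA STIG check procedure), the script below shows how several of the items above (Android 15 verification, encryption, verified boot, developer options / USB debugging, and the compliance scan step) can be checked from captured device output. The property and settings names are real Android keys, but the captured `getprop` and `settings list global` text, the 90-day patch-age threshold, and the fixed evaluation date are constructed for illustration.

```python
"""Evaluate a subset of the BYOAD checklist against captured device output.

Added example, not code from the checklist page. Keys such as
ro.build.version.release, ro.crypto.state, ro.boot.verifiedbootstate,
adb_enabled and development_settings_enabled are real Android property and
settings names; the sample output, the patch-age threshold and the fixed
evaluation date below are constructed assumptions for the demonstration.
"""
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (format: [key]: [value]).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-03-01]
[ro.crypto.state]: [encrypted]
[ro.boot.verifiedbootstate]: [green]
"""

# Constructed sample of `adb shell settings list global` output (key=value).
SAMPLE_GLOBAL_SETTINGS = """\
adb_enabled=1
development_settings_enabled=1
"""

# Constructed evaluation date so the patch-age check is deterministic.
SAMPLE_TODAY = date(2025, 4, 1)


def parse_getprop(text):
    """Turn getprop's "[key]: [value]" lines into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[(.*?)\]$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def parse_settings(text):
    """Turn "key=value" lines from `settings list` into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def evaluate(props, settings, today, max_patch_age_days=90):
    """Return a list of (checklist item, passed, detail) tuples."""
    findings = []

    release = props.get("ro.build.version.release", "")
    findings.append(("Device OS is Android 15",
                     release.split(".")[0] == "15", f"release={release!r}"))

    patch = props.get("ro.build.version.security_patch", "")
    try:
        age = (today - date.fromisoformat(patch)).days
        ok, detail = age <= max_patch_age_days, f"patch={patch} age={age}d"
    except ValueError:
        ok, detail = False, f"patch={patch!r} unparseable"
    findings.append(("Security patch within threshold", ok, detail))

    crypto = props.get("ro.crypto.state", "")
    findings.append(("Device encryption enabled",
                     crypto == "encrypted", f"ro.crypto.state={crypto!r}"))

    vb = props.get("ro.boot.verifiedbootstate", "")
    findings.append(("Verified boot state is green",
                     vb == "green", f"verifiedbootstate={vb!r}"))

    # Missing keys default to "0" (disabled), which is the compliant state.
    adb = settings.get("adb_enabled", "0")
    findings.append(("USB debugging disabled", adb == "0", f"adb_enabled={adb}"))

    dev = settings.get("development_settings_enabled", "0")
    findings.append(("Developer options disabled",
                     dev == "0", f"development_settings_enabled={dev}"))
    return findings


def failed_items(findings):
    """Names of checklist items that did not pass."""
    return [name for name, ok, _ in findings if not ok]


def scan_sample():
    """Run the evaluation over the constructed sample device output."""
    return evaluate(parse_getprop(SAMPLE_GETPROP),
                    parse_settings(SAMPLE_GLOBAL_SETTINGS), SAMPLE_TODAY)


if __name__ == "__main__":
    for name, ok, detail in scan_sample():
        print(f"{'PASS' if ok else 'FAIL'}  {name}  ({detail})")
```

Against the constructed sample, the OS, patch level, encryption and verified-boot checks pass while USB debugging and developer options are flagged as findings to remediate. In practice an MDM's compliance reporting is the authoritative source; a script like this is useful for spot checks on a test device and for documenting what each checklist item is actually measuring.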