Samsung Android 15 with Knox 3.x STIG Compliance

testuser Published 1 month ago

This checklist converts the DISA Samsung Android 15 with Knox 3.x STIG into a practical configuration and deployment task list for IT and security teams. It is aimed at enterprise administrators and DoD mobile service providers responsible for enrolling, securing, and maintaining corporate-owned Samsung devices under Android Enterprise (AE) management.

Source: https://ncp.nist.gov/checklist/1258

  1. Use Android Enterprise (AE) deployment for all Samsung Android 15 devices — AE is the supported management method; do not rely on legacy Device Admin.
  2. Disable Device Admin (DA) legacy management — Migrate any DA-managed devices to AE to meet STIG scope.
  3. Restrict deployments to COPE and COBO device use cases — Exclude BYOD and CYOD from this STIG scope.
  4. Obtain Authorizing Official (AO) approval for personal app installs — Require AO authorization before allowing user personal apps on COPE devices.
  5. Configure biometric authentication policies — Define allowed biometric methods and documentation requirements.
  6. Allow fingerprint biometric for device and work profile unlock — Fingerprint is approved with AO oversight and Common Criteria review.
  7. Disable facial recognition and trust agents — Other Samsung biometric methods are not approved by this STIG.
  8. Document AO approval for fingerprint use — Record approval and any restrictions for audit purposes.
  9. Enroll corporate devices via Knox Mobile Enrollment (KME) or AE zero-touch — Prefer KME for bulk Samsung deployments; zero-touch is an alternative.
  10. Apply Android Enterprise policies to meet baseline STIG requirements — Use AE policies as the baseline controls mandated by the STIG.
  11. Use Knox policies to augment AE policies where AE cannot enforce controls — Deploy Knox-only controls only when AE lacks equivalent capability.
  12. Configure Wi-Fi per Network Infrastructure STIG before allowing network connection — Ensure wireless infrastructure complies with the Network STIG first.
  13. Restrict personal space and work profile data per STIG supplemental docs — Follow Section 6.2 of the STIG Supplemental for personal space config.
  14. Verify device Common Criteria evaluation status for biometric methods — Confirm fingerprint evaluation status during platform reviews.
  15. Maintain enrollment, policy, and compliance documentation for each device — Keep records for audits and incident response.
  16. Report STIG comments or change requests to DISA at [email protected] — Send proposed revisions to DISA for coordination and updates.
  17. Ensure ongoing compliance with DoDI 8500.01 and review STIG updates regularly — Monitor updates and revalidate settings when the STIG revises.
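As an added example (not part of the original checklist or any DISA tooling), the following Python audit scores a constructed device-inventory export against the scope, enrollment and biometric items above; the record field names and values are assumptions, not any MDM vendor's export format.

```python
# Added example: checks a constructed device-inventory export against the
# scope, enrollment and biometric items of the Samsung Android 15 / Knox 3.x
# STIG checklist. Field names are assumptions, not an MDM export format.
from dataclasses import dataclass

APPROVED_USE_CASES = {"COPE", "COBO"}          # item 3: BYOD/CYOD out of scope
APPROVED_ENROLLMENT = {"KME", "zero-touch"}     # item 9
APPROVED_BIOMETRICS = {"fingerprint"}           # items 6-7

@dataclass
class Device:
    serial: str
    management: str            # "AE" or "DA" (legacy Device Admin)
    use_case: str              # "COPE", "COBO", "BYOD", "CYOD"
    enrollment: str            # "KME", "zero-touch", "manual"
    biometrics: set            # unlock methods enabled on the device
    trust_agents: bool         # Smart Lock / trust agents enabled
    personal_apps: bool        # user may install personal apps
    ao_personal_apps: bool     # AO approval on file for personal apps (item 4)
    ao_fingerprint: bool       # AO approval on file for fingerprint (item 8)

def audit(d: Device) -> list:
    """Return checklist findings for one device; an empty list means compliant."""
    findings = []
    if d.management != "AE":
        findings.append("item 1/2: not under Android Enterprise management")
    if d.use_case not in APPROVED_USE_CASES:
        findings.append(f"item 3: use case {d.use_case} is out of STIG scope")
    if d.enrollment not in APPROVED_ENROLLMENT:
        findings.append("item 9: not enrolled via KME or zero-touch")
    for method in sorted(d.biometrics - APPROVED_BIOMETRICS):
        findings.append(f"item 7: biometric method {method} not approved")
    if d.trust_agents:
        findings.append("item 7: trust agents must be disabled")
    if "fingerprint" in d.biometrics and not d.ao_fingerprint:
        findings.append("item 8: fingerprint enabled without documented AO approval")
    if d.personal_apps and (d.use_case != "COPE" or not d.ao_personal_apps):
        findings.append("item 4: personal apps require a COPE device with AO approval")
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("SN-0001", "AE", "COBO", "KME", {"fingerprint"}, False, False, False, True),
    Device("SN-0002", "DA", "BYOD", "manual", {"fingerprint", "face"}, True, True, False, False),
]

def audit_inventory(devices) -> dict:
    """Map each serial to its findings so the report can be filed per device (item 15)."""
    return {d.serial: audit(d) for d in devices}
```

Running `audit_inventory(INVENTORY)` reports SN-0001 as compliant and lists every failed item for SN-0002.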