
Zebra Android 13 STIG Checklist

Medium 18 items · 2 hours
testuser Published 4 weeks ago

This checklist translates the Zebra Android 13 STIG into clear, actionable steps for securing corporate-owned Zebra handheld devices (COBO/COPE). It’s designed for IT administrators, security teams, and device managers to configure devices, enforce policies, and verify compliance with DISA guidance.

Source: https://ncp.nist.gov/checklist/1269

  1. Enroll device in enterprise mobility management (EMM/MDM) — Use an approved EMM that supports Zebra Android 13 and required security controls.
  2. Apply latest OS security patches and vendor firmware updates — Install Android security patches and Zebra firmware; verify build and patch levels.
  3. Enable verified boot / device attestation — Activate verified boot or attestation to protect boot integrity where supported.
  4. Enable full-disk or file-based encryption — Ensure encryption is hardware-backed and keys are protected by device keystore.
  5. Enforce strong lock screen and authentication — Require strong PIN/password or approved biometric; prevent simple patterns.
  6. Set minimum PIN length to 8 characters — Configure policy to require at least an 8-character PIN for device unlock.
  7. Configure device wipe or lock after repeated failed attempts — Set automatic lock or factory wipe after a defined failed attempt threshold.
  8. Configure screen lock timeout and auto-lock — Set short idle timeout (e.g., 1-5 minutes) and require reauthentication on wake.
  9. Disable USB debugging and developer options — Turn off ADB and developer features to prevent device tampering.
  10. Disable unknown sources and block sideloading — Prevent installation from unknown sources or disable sideloading via policy.
  11. Restrict app installs to managed app store via EMM — Allow only approved enterprise apps and revoke installation rights for unmanaged apps.
  12. Configure enterprise Wi‑Fi with WPA2/WPA3 Enterprise (EAP) — Use certificate or EAP-based authentication and trusted CAs for Wi‑Fi access.
  13. Require VPN for remote or untrusted network access — Enforce device-level VPN for access to sensitive resources off-network.
  14. Enable SELinux enforcing mode and verify device integrity — Confirm SELinux is enforcing and run integrity checks or attestation tools.
  15. Disable or restrict Bluetooth, NFC, and external ports when not needed — Limit wireless interfaces and external port access via policy when unused.
  16. Configure remote wipe, lock, and geolocation capabilities in EMM — Ensure EMM can lock, locate, and wipe lost or compromised devices.
  17. Audit logs and run vulnerability scans to verify STIG compliance — Collect device logs, review settings against STIG, and run regular scans.
  18. Document approved exceptions and obtain authorizing official (AO) approval for CUI risks — Record any deviations with justification and AO approval for storing CUI in apps.
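
For the verification in step 17, the device-readable settings behind items 2, 3, 4, 9 and 14 can be checked automatically. The following is an added example, not part of the original checklist or the STIG: it audits a snapshot of Android system properties, global settings and `getenforce` output. The `key=value` snapshot format, the `selinux` key name and the `min_patch` baseline date are assumptions made for illustration.

```python
from datetime import date

# Constructed sample snapshot (not from a real device), one key=value per line.
SAMPLE = """\
ro.build.version.security_patch=2023-11-05
ro.boot.verifiedbootstate=green
ro.crypto.state=encrypted
adb_enabled=1
development_settings_enabled=1
selinux=Enforcing
"""

def parse_snapshot(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    snap = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            snap[key.strip()] = value.strip()
    return snap

def audit(snap, min_patch):
    """Return (checklist item, key, observed, expected) for every failed check."""
    checks = [
        (2, "ro.build.version.security_patch",
         lambda v: date.fromisoformat(v) >= min_patch, f">= {min_patch}"),
        (3, "ro.boot.verifiedbootstate", lambda v: v == "green", "green"),
        (4, "ro.crypto.state", lambda v: v == "encrypted", "encrypted"),
        (9, "adb_enabled", lambda v: v == "0", "0"),
        (9, "development_settings_enabled", lambda v: v == "0", "0"),
        (14, "selinux", lambda v: v.lower() == "enforcing", "Enforcing"),
    ]
    findings = []
    for item, key, ok, expected in checks:
        observed = snap.get(key)
        try:
            passed = observed is not None and ok(observed)
        except ValueError:  # malformed patch date
            passed = False
        if not passed:  # missing or unreadable values fail closed
            findings.append((item, key, observed, expected))
    return findings

if __name__ == "__main__":
    # min_patch is a site-defined baseline; this date is a constructed placeholder.
    for item, key, observed, expected in audit(parse_snapshot(SAMPLE), date(2024, 1, 1)):
        print(f"item {item}: {key} = {observed!r}, expected {expected}")
```

Items such as PIN length, failed-attempt wipe and app-install restrictions are enforced by EMM policy and are better verified from the EMM console than from device properties.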