Checklist Summary:

The Samsung Android OS 11 with Knox 3.x Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to Samsung Android 11 with Knox devices. In October 2021, DISA plans to release updates to all current Samsung Android STIGs, which will ban the use of Android legacy deployments due to end of support by Google for legacy mobile device manager (MDM) management. In addition, the Samsung Android 12 STIG (expected to be released in late 2021) will include only Android Enterprise (AE) deployment. All Samsung phones that can support AE, which are currently deployed using legacy management APIs, should be upgraded to AE as soon as possible, and Samsung phones that cannot support AE should be replaced before October 2021. The scope of this STIG covers only the Corporate Owned Personally Enabled (COPE) and Corporate Owned Business Only (COBO)1 use cases. The Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD)2 use cases are not in scope for this STIG. In addition, the STIG supports two different Knox Platform for Enterprise (KPE) device deployment modes: Legacy and AE. Note: It is expected that a future Samsung Android STIG will require all DoD deployments to use AE deployments only. It is recommended that DoD mobile service providers support AE deployments to the maximum extent possible now. This STIG assumes that for the COPE use case, the technology used for data separation between work apps and data as well as personal apps and data has been certified by the National Information Assurance Partnership (NIAP) as compliant with the data separation requirements of the Protection Profile for Mobile Device Fundamentals (MDF)3. The configuration requirements and controls implemented by this STIG allow unrestricted user activity in downloading and installing personal apps and data (music, photos, etc.) with Authorizing Official (AO) approval and within any restrictions imposed by the AO for the COPE use case. See the STIG Supplemental document (Section 8, Configuration of the Personal Environment), for more information. This STIG assumes that if a DoD Wi-Fi network allows a Samsung mobile device to connect to the network, the Wi-Fi network complies with the Network Infrastructure STIG; for example, wireless access points and bridges must not be connected directly to the enclave network. With AO approval, this STIG allows fingerprint biometric authentication for device unlock and work profile/workspace unlock. The fingerprint biometric method has successfully passed a Common Criteria evaluation using the Protection Profile for MDF v3.1 for the previous versionof the Samsung platform (Android 10) and will be reviewed again during the Samsung Android 11 Common Criteria evaluation. Other Samsung-supported biometric methods are not approved, including facial recognition and trust agents. Knox Mobile Enrollment (KME) enables large-scale Samsung Android device deployments so organizations can mobilize their employees with ease. KME allows DoD mobile service providers to deploy corporate-owned devices in bulk without having to manually set up each device. It is recommended that DoD mobile service providers consider deploying all Samsung devices via KME to improve enterprise management, control, and enrollment of DoD-owned Samsung devices. See the STIG Supplemental document (Section 5.2.2, Knox Mobile Enrollment) for more information. Samsung Android devices are also compatible with AE zero-touch service, which offers similar functionality to Samsung’s KME.

Checklist Role:

• Operating System

Known Issues:

Not provided.

Target Audience:

Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

updated status to FINAL - 1/26/2021

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 01/26/2021