The Samsung KNOX for Android container must have the Account Whitelist configured.

From Samsung Android OS 6 (with KNOX 2.x) Security Technical Implementation Guide

Part of PP-MDF-991000

Associated with: CCI-000366

SV-84325r1_rule The Samsung KNOX for Android container must have the Account Whitelist configured.

Vulnerability discussion

Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized recipients.SFR ID: FMT_SMF_EXT.1.1 #45

Check content

This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Account whitelist" setting in the "Container Accounts" rule. 2. Verify the whitelist only contains DoD-approved email domains (for example, mail.mil). Note: Proper configuration of Account blacklist is required for this configuration to function correctly. On the Samsung KNOX for Android device: 1. Open the KNOX Container. 2. Open "Settings". 3. Select "Accounts". 4. Select "Add account". 5. Select "Email" (and repeat for Microsoft Exchange ActiveSync) and attempt to add an email account with a DoD-approved domain. 6. Verify the email account can be added. 7. Attempt to add an email account with a domain not approved by DoD. 8. Verify that the email account cannot be added. If the "Account whitelist" is not properly configured, or if the user is able to successfully configure the email account with a domain not approved by DoD, or if the user is not able to install the DoD-approved email account, this is a finding.

Fix text

Configure the mobile operating system to add DoD-approved email domains to the account whitelist. On the MDM Administration Console, add all DoD-approved email domains to the "Account whitelist" setting in the "Container Accounts" rule. Note: Recommended to add .*@mail.mil.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer