
STIG 10 COBO compliance

Last updated July 26th, 2023

The following are the settings required for STIG 10 compliance on a COBO (corporate-owned, business-only) device.

The STIG 10 policies, values, and configuration options listed below are supported by the Knox Service Plugin (KSP) and are applied through your UEM (unified endpoint management) console. Each entry gives the policy group and rule, the options the control accepts, the setting the STIG requires, the DISA severity category (CAT I, II or III), the Knox API that enforces it together with the value passed to it, and the KSP policy path used to configure it in the COBO (device owner) work environment. A path of NA means the control has no KSP setting.

Password Requirements: Minimum password length
  Available options: 0+
  STIG setting: 6
  Severity: CAT II
  Knox API: BasePasswordPolicy.setPasswordMinimumLength
  API value: 6 (preferred and minimum)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Password policy
    4. Enable password policy controls with KSP [enable]
    5. Password restrictions
    6. Minimum password length [6]

Password Requirements: Minimum password quality
  Available options: Unspecified, Something, Numeric, Numeric (Complex), Alphabetic, Alphanumeric, Complex
  STIG setting: Numeric (Complex)
  Severity: CAT II
  Knox API: BasePasswordPolicy.setPasswordQuality; PasswordPolicy.setMaximumNumericSequenceLength
  API value: PASSWORD_QUALITY_NUMERIC_COMPLEX (preferred); PASSWORD_QUALITY_NUMERIC (minimum)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Password policy
    4. Enable password policy controls with KSP [enable]
    5. Password quality [numeric]

Password Requirements: Maximum time to screen lock
  Available options: 0+ minutes
  STIG setting: 15 minutes
  Severity: CAT II
  Knox API: BasePasswordPolicy.setMaximumTimeToLock
  API value: 900000 ms (15 minutes, the longest inactivity period permitted)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Password policy
    4. Enable password policy controls with KSP [enable]
    5. Allowed time for user inactivity before device locks [900000]

Password Requirements: Maximum password failures until local wipe
  Available options: 0+
  STIG setting: 10
  Severity: CAT II
  Knox API: BasePasswordPolicy.setMaximumFailedPasswordsForWipe
  API value: 10 (the most failures permitted before the wipe)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Password policy
    4. Enable password policy controls with KSP [enable]
    5. Maximum failed password attempts to wipe data [10]

Restrictions: Installs from unknown sources
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RestrictionPolicy.setAllowNonMarketApps
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device restrictions
    4. Enable device restriction controls [enable]
    5. Allow installation of non-Google Play apps [disable]

Restrictions: Trust agents
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: BasePasswordPolicy.setKeyguardDisabledFeatures
  API value: KEYGUARD_DISABLE_TRUST_AGENTS (disables trust agents)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Password policy
    4. Enable password policy controls with KSP [enable]
    5. Disable Keyguard feature [Disable Trusted Agents]

Restrictions: Face
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: PasswordPolicy.setBiometricAuthenticationEnabled
  API value: BIOMETRIC_AUTHENTICATION_FACE, FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Password policy
    4. Enable password policy controls with KSP [enable]
    5. Biometric authentication
    6. Enable face recognition [disable]

Restrictions: Debugging features
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RestrictionPolicy.allowDeveloperMode
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Allow developer mode [disable]
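The password, trust-agent and debugging rows above are all enforced on the device through Android's DevicePolicyManager, so their effective values can be verified from a device without the UEM console. The script below is an added example, not Samsung or KSP code: it parses the text of `adb shell dumpsys device_policy` and `adb shell settings list global` and compares what it finds with the STIG 10 values in this table. It assumes the dumpsys field names (passwordQuality, minimumPasswordLength, maximumTimeToUnlock, maximumFailedPasswordsForWipe, disabledKeyguardFeatures) printed by recent Android builds, which can differ by version; the sample text embedded in it is constructed for the example, not captured from a device.

```python
"""
Offline STIG 10 check for the password, trust-agent and debugging rows.

Added example, not Samsung/KSP code. Parses the text of
`adb shell dumpsys device_policy` and `adb shell settings list global`.
Assumption: dumpsys field names are those of recent Android builds.
The SAMPLE_* strings are constructed for this example.
"""
import re

# Constants from android.app.admin.DevicePolicyManager.
PASSWORD_QUALITY_NUMERIC = 0x20000
PASSWORD_QUALITY_NUMERIC_COMPLEX = 0x30000
KEYGUARD_DISABLE_TRUST_AGENTS = 1 << 4

# STIG 10 values from the rows above.
STIG_MIN_LENGTH = 6
STIG_MAX_TIME_TO_LOCK_MS = 900_000   # 15 minutes; 0 means the device never locks
STIG_MAX_FAILED_TO_WIPE = 10         # 0 means the wipe is disabled

# Constructed sample: NUMERIC_COMPLEX, 6 characters, 30-minute lock timeout,
# wipe after 10 failures, trust agents still allowed.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 3):
    com.example.dpc/.DeviceAdminReceiver:
      uid=10123
      testOnlyAdmin=false
      passwordQuality=0x30000
      minimumPasswordLength=6
      maximumTimeToUnlock=1800000
      maximumFailedPasswordsForWipe=10
      disabledKeyguardFeatures=0
"""

# Constructed sample: developer options and ADB left on.
SAMPLE_GLOBAL_SETTINGS = """\
adb_enabled=1
development_settings_enabled=1
airplane_mode_on=0
"""


def parse_kv(text):
    """Collect every `key=value` line into a dict. Hex (0x...) and decimal
    values become ints; anything else stays a string. With several admins
    listed, later entries overwrite earlier ones, so check one admin at a time."""
    out = {}
    for m in re.finditer(r"^\s*([A-Za-z_][\w.]*)=(\S+)\s*$", text, re.M):
        key, raw = m.group(1), m.group(2)
        try:
            out[key] = int(raw, 0)
        except ValueError:
            out[key] = raw
    return out


def _num(parsed, key):
    """Integer value of `key`, treating a missing or non-numeric value as 0."""
    value = parsed.get(key, 0)
    return value if isinstance(value, int) else 0


def check_password_policy(dumpsys_text):
    """Return a list of findings (empty when compliant) for the password rows."""
    p = parse_kv(dumpsys_text)
    findings = []

    quality = _num(p, "passwordQuality")
    if quality < PASSWORD_QUALITY_NUMERIC:
        findings.append(f"password quality 0x{quality:x} is below PASSWORD_QUALITY_NUMERIC")
    elif quality < PASSWORD_QUALITY_NUMERIC_COMPLEX:
        findings.append("password quality is NUMERIC; NUMERIC_COMPLEX is preferred")

    length = _num(p, "minimumPasswordLength")
    if length < STIG_MIN_LENGTH:
        findings.append(f"minimum password length {length} is below {STIG_MIN_LENGTH}")

    lock_ms = _num(p, "maximumTimeToUnlock")
    if lock_ms == 0 or lock_ms > STIG_MAX_TIME_TO_LOCK_MS:
        findings.append(f"time to screen lock {lock_ms} ms exceeds {STIG_MAX_TIME_TO_LOCK_MS} ms (0 = never)")

    wipe = _num(p, "maximumFailedPasswordsForWipe")
    if wipe == 0 or wipe > STIG_MAX_FAILED_TO_WIPE:
        findings.append(f"failed passwords before wipe {wipe} exceeds {STIG_MAX_FAILED_TO_WIPE} (0 = disabled)")

    if not _num(p, "disabledKeyguardFeatures") & KEYGUARD_DISABLE_TRUST_AGENTS:
        findings.append("trust agents are not disabled (KEYGUARD_DISABLE_TRUST_AGENTS not set)")
    return findings


def check_developer_mode(settings_text):
    """Debugging features row: developer options and ADB must both be off."""
    s = parse_kv(settings_text)
    return [f"{key}={s[key]}; debugging features must be disallowed"
            for key in ("development_settings_enabled", "adb_enabled")
            if _num(s, key) != 0]


if __name__ == "__main__":
    for finding in check_password_policy(SAMPLE_DUMPSYS) + check_developer_mode(SAMPLE_GLOBAL_SETTINGS):
        print("FAIL:", finding)
```

Run it against real output with `adb shell dumpsys device_policy > dp.txt` and `adb shell settings list global > g.txt` and pass the file contents to the two check functions. The Knox-only rows in this table (CC mode, SD card state, USB exception list, audit log, external storage encryption) are not visible in `dumpsys device_policy`; verify those through the corresponding Knox API getters or the UEM console.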

Restrictions: USB file transfer
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RestrictionPolicy.setUsbMediaPlayerAvailability
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Allow USB media player [disable]

Wi-Fi: Unsecured hotspot
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: WifiPolicy.allowOpenWifiAp
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Controls
    4. Wi-Fi Policy
    5. Enable Wi-Fi policy controls [disable]

Multiuser: Multi-user mode
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: MultiUserManager.allowMultipleUsers
  API value: FALSE
  KSP policy path (COBO): NA
Restrictions: CC mode
  Available options: Enable/Disable
  STIG setting: Enable
  Severity: CAT II
  Knox API: AdvancedRestrictionPolicy.setCCMode
  API value: TRUE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Advanced Restriction policies
    4. Enable advanced restriction controls [enable]
    5. Enable Common Criteria (CC) mode [enable]

Policy Management: SD Card
  Available options: Enable/Disable
  STIG setting: Disable
  Severity: CAT I
  Knox API: RestrictionPolicy.setSdCardState
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Allow SD card access [disable]

Encryption: External storage encryption
  Available options: Enable/Disable
  STIG setting: Enable
  Severity: CAT I
  Knox API: DeviceSecurityPolicy.setExternalStorageEncryption
  API value: TRUE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Tethering controls
    6. Enforce external storage encryption [enable]

Application: System app disable list
  Available options: Core apps list
  STIG setting: List the system app packages not approved by the AO (Authorizing Official)
  Severity: CAT II
  Knox API: ApplicationPolicy.setDisableApplication
  API value: Package name
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Application management policies
    4. Enable application management controls [enable]
    5. Disable application without user interaction [configure comma-separated package list]

KPE Audit Log: Audit Log
  Available options: Enable/Disable
  STIG setting: Enable
  Severity: CAT II
  Knox API: AuditLog.enableAuditLog
  Note: the UEM must provide a means to read the log in its console.
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Audit log
    4. Enable Audit Log [enable]
    5. Log Path [configure]

Restrictions: USB host mode exception list
  Available options (USB interface classes): APP, AUD, CDC, COM, CON, CSCHID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR, HID
  STIG setting: HID
  Severity: CAT II
  Knox API: RestrictionPolicy.setUsbExceptionList
  API value: USBInterface.HID.getValue()
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device restrictions
    4. Enable device restriction controls [enable]
    5. Set USB exception list [Human Interface Device]

Restrictions: USB Host Storage
  Available options: Enable/Disable
  STIG setting: Disable
  Severity: CAT II
  Knox API: RestrictionPolicy.allowUsbHostStorage
  API value: TRUE (must be toggled off and on again for the USB exception list to take effect)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device restrictions
    4. Enable device restriction controls [enable]
    5. Allow USB host storage [disable]

Restrictions: Bluetooth
  Available options: Allow/Disallow
  STIG setting: Allow or Disallow (site decision)
  Severity: CAT III
  Knox API: RestrictionPolicy.allowBluetooth
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device restrictions
    4. Enable device restriction controls [enable]
    5. Allow bluetooth [enable/disable]

Bluetooth: Bluetooth UUID Whitelist
  Available options (service UUID constants):
    A2DP_ADVAUDIODIST_UUID
    A2DP_AUDIOSINK_UUID
    A2DP_AUDIOSOURCE_UUID
    AVRCP_CONTROLLER_UUID
    AVRCP_TARGET_UUID
    BNEP_UUID
    BPP_UUID
    DUN_UUID
    FTP_UUID
    HFP_AG_UUID
    HFP_UUID
    HSP_AG_UUID
    HSP_UUID
    NAP_UUID
    OBEXOBJECTPUSH_UUID
    PANU_UUID
    PBAP_PSE_UUID
    PBAP_UUID
    SAP_UUID
    SPP_UUID
  STIG setting: Enable
  Severity: CAT III
  Knox API: BluetoothPolicy.addBluetoothUUIDsToWhiteList
  API value: "*" (wildcard string)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Controls
    4. Bluetooth Policy
    5. Enable bluetooth policy controls [enable]
    6. Whitelist Bluetooth Service by UUID [configure]

Bluetooth: Bluetooth UUID Blacklist
  Available options: "*" (wildcard string)
  STIG setting: Enable
  Severity: CAT III
  Knox API: BluetoothPolicy.addBluetoothUUIDsToBlackList
  API value: "*" (wildcard string)
  KSP policy path (COBO): NA
Banner: Banner Text
  Available options: Configure
  STIG setting: DoD-mandated warning banner text
  Severity: CAT III
  Knox API: BootBanner.enableRebootBanner
  API value: TRUE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Controls
    4. Boot banner
    5. Enable banner on device reboot [enable]

Restrictions: Date Time Change
  Available options: Enable/Disable
  STIG setting: Disable
  Severity: CAT II
  Knox API: DateTimePolicy.setDateTimeChangeEnabled
  API value: FALSE
  KSP policy path (COBO): NA
Restrictions: Outgoing Beam
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RestrictionPolicy.allowAndroidBeam
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Allow Android Beam on device [disable]

Restrictions: Share Via List
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RestrictionPolicy.allowShareList
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Allow Share Via option [disable]

Restrictions: Backup Service
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RestrictionPolicy.setBackup
  API value: FALSE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Restrictions
    4. Enable device restriction controls [enable]
    5. Allow backup on Google Server [disable]

RCP: Move File to Personal
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RCPPolicy.allowMoveFilesToOwner
  API value: FALSE
  KSP policy path (COBO): NA
RCP: Sync Calendar to Personal
  Available options: Allow/Disallow
  STIG setting: Disallow
  Severity: CAT II
  Knox API: RCPPolicy.setAllowChangeDataSyncPolicy
  API value: CALENDAR, EXPORT, FALSE
  KSP policy path (COBO): NA
Account: Account Addition Blacklist
  Available options: Blocklist
  STIG setting: "Blocklist all" for the Work email app, Samsung accounts, and Google accounts
  Severity: CAT II
  Knox API: DeviceAccountPolicy.addAccountsToAdditionBlackList
  API value: Account types (Work Email App, Google Accounts, Samsung Accounts); "*" (wildcard string)
  KSP policy path (COBO):
    Step 1
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Device Account Policy
    4. Enable Device Account Policy Controls [enable]
    5. Enable Device Account policies [enable]
    Step 2
    1. Device Account Policy Configurations
    2. Device Account Policy Configuration
    3. Add Account Type to Addition Blacklist [choose types]
    4. Add Accounts to Addition Blacklist [configure "*"]

Restrictions: Revocation Check
  Available options: Enable/Disable
  STIG setting: Enable
  Severity: CAT II
  Knox API: CertificatePolicy.enableRevocationCheck
  API value: "*" (wildcard string, all apps), TRUE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Certificate management policies
    4. Enable certificate management controls [enable]
    5. Certificate revocation
    6. Enable revocation check [Enable for all apps]

Restrictions: OCSP Check (with revocation check fallback)
  Available options: Enable/Disable
  STIG setting: Enable
  Severity: CAT II
  Knox API: CertificatePolicy.enableOcspCheck
  API value: "*" (wildcard string, all apps), TRUE
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Certificate management policies
    4. Enable certificate management controls [enable]
    5. Certificate revocation
    6. Enable OCSP check before CRL [enable]

Policy Management: Certificates
  Available options: Configure
  STIG setting: Include DoD certificates in the work profile
  Severity: CAT II
  Knox API: CertificateProvisioning.installCertificateToKeystore
  API value: TYPE_CERTIFICATE or TYPE_PKCS12, certificate, alias, decryption password; keystore: KEYSTORE_DEFAULT, KEYSTORE_FOR_WIFI or KEYSTORE_FOR_VPN_AND_APPS
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Certificate management policies
    4. Enable certificate management controls [enable]
    5. Install Certificate in keystore(s) silently [configure]

Applications: List of approved apps listed in managed Google Play (by package name)
  Available options: List of apps
  STIG setting: List only approved work apps
  Severity: CAT II
  Knox API: ApplicationPolicy.addAppPackageNameToWhiteList; ApplicationPolicy.addAppPackageNameToBlackList
  API value: Package name; "*" (wildcard string)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Application management policies
    4. Enable application management controls [enable]
    5. Application allow or block list by Pkg Name [comma-separated list or "*"]

Applications: List of approved apps listed in managed Google Play (by signature)
  Available options: List of apps
  STIG setting: List only approved work apps
  Severity: CAT II
  Knox API: ApplicationPolicy.addAppSignatureToWhiteList; ApplicationPolicy.addAppSignatureToBlackList
  API value: Package signature; "*" (wildcard string)
  KSP policy path (COBO):
    1. Device-wide policies (Device Owner)
    2. Enable device-wide policies [enable]
    3. Application management policies
    4. Enable application management controls [enable]
    5. Application allow or block list by Signature used [comma-separated list or "*"]
