STIG 10 COPE compliance
Last updated July 26th, 2023
The following table lists the settings KSP applies for STIG 10 COPE compliance.
The STIG 10 policies, values, and configuration options described below are supported by KSP and designed to work within your UEM environment. In the API Values column, "(minimum)" marks the weakest value that still satisfies the rule, so for time-to-lock and failed-password count it is a ceiling, not a floor; the COPE Work Environment Policy Paths column gives the KSP console path where the setting is configured for the work profile ("NA" where the setting is applied device-wide rather than through a work-profile path).
| Policy Group | Policy Rule | Options | Settings | Severity | API List | API Values | COPE Work Environment Policy Paths |
|---|---|---|---|---|---|---|---|
| Password Requirements | Minimum password length | 0+ | 6 | II | BasePasswordPolicy.setPasswordMinimumLength | 6 (preferred, minimum) | NA |
| Password Requirements | Minimum password quality | Unspecified, Something, Numeric, Numeric (Complex), Alphabetic, Alphanumeric, Complex | Numeric (Complex) | II | BasePasswordPolicy.setPasswordQuality; PasswordPolicy.setMaximumNumericSequenceLength | PASSWORD_QUALITY_NUMERIC_COMPLEX (preferred); PASSWORD_QUALITY_NUMERIC (minimum) | NA |
| Password Requirements | Maximum time to screen lock | 0+ minutes | 15 minutes | II | BasePasswordPolicy.setMaximumTimeToLock | 900000 ms (minimum) | NA |
| Password Requirements | Maximum password failures until local wipe | 0+ | 10 | II | BasePasswordPolicy.setMaximumFailedPasswordsToWipe | 10 (minimum) | NA |
| Restrictions | Installs from unknown sources | Allow/Disallow | Disallow | II | RestrictionPolicy.setAllowNonMarketApps | FALSE | NA |
| Restrictions | Trust agents | Allow/Disallow | Disallow | II | BasePasswordPolicy.setKeyguardDisabledFeatures (disable trust agents) | KEYGUARD_DISABLE_TRUST_AGENTS | NA |
| Restrictions | Face | Allow/Disallow | Disallow | II | PasswordPolicy.setBiometricAuthenticationEnabled | BIOMETRIC_AUTHENTICATION_FACE, FALSE | NA |
| Restrictions | Debugging features | Allow/Disallow | Disallow | II | RestrictionPolicy.allowDeveloperMode | FALSE | NA |
| Restrictions | USB file transfer | Allow/Disallow | Disallow | II | RestrictionPolicy.setUsbMediaPlayerAvailability | FALSE | NA |
| Wi-Fi | Unsecured hotspot | Allow/Disallow | Disallow | II | WifiPolicy.allowOpenWifi | FALSE | NA |
| Multiuser | Multi-user mode | Allow/Disallow | Disallow | II | MultiUserManager.allowMultipleUsers | FALSE | NA |
| Restrictions | CC mode | Enable/Disable | Enable | II | AdvancedRestrictionPolicy.setCCMode | TRUE | NA |
| Policy Management | SD card | Enable/Disable | Disable | I | RestrictionPolicy.setSdCardState | FALSE | NA |
| Encryption | External storage encryption | Enable/Disable | Enable | I | DeviceSecurityPolicy.setExternalStorageEncryption | TRUE | NA |
| Application | System app disable list | Core apps list | List non-AO-approved system app packages | II | ApplicationPolicy.setDisableApplication | Package name | NA |
| KPE Audit Log | Audit log | Enable/Disable | Enable | II | AuditLog.enableAuditLog | (0) UEM must provide the means to read the log in its console | 1. Work profile policies 2. Enable work profile policies [enable] 3. Audit log 4. Enable Audit Log [enable] 5. Log Path [configure] |
| Restrictions | USB host mode exception list | APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR | HID | II | RestrictionPolicy.setUsbExceptionList | USBInterface.HID.getValue() | NA |
| Restrictions | USB host storage | Enable/Disable | Disable | II | RestrictionPolicy.allowUsbHostStorage (must be toggled off and then on again for the USB exception list to take effect) | TRUE | NA |
| Restrictions | Bluetooth | Allow/Disallow | Allow/Disallow | III | RestrictionPolicy.allowBluetooth | FALSE | NA |
| Bluetooth | Bluetooth UUID allow list and block list | A2DP_ADVAUDIODIST_UUID, A2DP_AUDIOSINK_UUID, A2DP_AUDIOSOURCE_UUID, AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID, BNEP_UUID, BPP_UUID, DUN_UUID, FTP_UUID, HFP_AG_UUID, HFP_UUID, HSP_AG_UUID, HSP_UUID, NAP_UUID, OBEXOBJECTPUSH_UUID, PANU_UUID, PBAP_PSE_UUID, PBAP_UUID, SAP_UUID, SPP_UUID | | III | BluetoothPolicy.addBluetoothUUIDsToWhiteList; BluetoothPolicy.addBluetoothUUIDsToBlackList | (*) wildcard string | NA |
| Use Agreement | User Agreement | User Agreement | DoD-mandated warning banner text in User Agreement | II | Put the DoD Warning Banner text in the User Agreement | 0 | NA |
| Banner | Banner text | Configure | DoD-mandated warning banner text | III | BootBanner.enableRebootBanner | TRUE | NA |
| Restrictions | Date/time change | Enable/Disable | Disable | II | DateTimePolicy.setDateTimeChangeEnabled | FALSE | NA |
| Restrictions | Outgoing Beam | Allow/Disallow | Disallow | II | RestrictionPolicy.allowAndroidBeam | FALSE | NA |
| Restrictions | Share via list | Allow/Disallow | Disallow | II | RestrictionPolicy.allowShareList | FALSE | 1. Work profile policies 2. Enable work profile policies [enable] 3. Restrictions in work profiles 4. Enable work profile restriction controls [enable] 5. Allow share via option [disable] |
| Restrictions | Backup service | Allow/Disallow | Disallow | II | RestrictionPolicy.setBackup | FALSE | NA |
| RCP | Move file to personal | Allow/Disallow | Disallow | II | RCPPolicy.allowMoveFilesToOwner | FALSE | NA |
| RCP | Sync calendar to personal | Allow/Disallow | Disallow | II | RCPPolicy.setAllowChangeDataSyncPolicy | CALENDAR, EXPORT, FALSE | NA |
| Account | Account addition blocklist | Blocklist | "Blocklist all" for work email app, Samsung accounts, and Google accounts | II | DeviceAccountPolicy.addAccountsToAdditionBlackList | Account types (work email app, Google accounts, Samsung accounts); (*) wildcard string | Step 1: 1. Work profile policies 2. Enable work profile policies [enable] 3. Device Account Policy 4. Enable Device Account policy controls [enable] 5. Enable Device Account policies (Configure profiles below) [enable]. Step 2: 1. Device Account Policy Configurations 2. Device Account Policy Configuration 3. Add Account Type to Addition Allow or Block list [choose types] 4. Add Accounts to Addition Allow list or Block list [configure "*"] |
| Application | System app disable list | Core app list | List non-AO-approved system app packages | II | ApplicationPolicy.setDisableApplication | Package name | 1. Work profile policies 2. Enable work profile policies [enable] 3. Application management policies 4. Enable application management controls [enable] 5. Disable application without user interaction [comma-separated package list] |
| Restrictions | Revocation check | Enable/Disable | Enable | II | CertificatePolicy.enableRevocationCheck | (*) wildcard string; TRUE | 1. Work profile policies 2. Enable work profile policies [enable] 3. Certificate management policies 4. Enable certificate management controls [enable] 5. Certificate revocation 6. Enable revocation check [enable] |
| Restrictions | OCSP check (with revocation check fallback) | Enable/Disable | Enable | II | CertificatePolicy.enableOcspCheck | (*) wildcard string; TRUE | 1. Work profile policies 2. Enable work profile policies [enable] 3. Certificate management policies 4. Enable certificate management controls [enable] 5. Certificate revocation 6. Enable OCSP check before CRL [enable] |
| Policy Management | Certificates | Configure | Include DoD certificates in work profile | II | CertificateProvisioning.installCertificateToKeystore | TYPE_CERTIFICATE/TYPE_PKCS12, certificate, alias, decryption password; KEYSTORE_DEFAULT/KEYSTORE_FOR_WIFI/KEYSTORE_FOR_VPN_AND_APPS | 1. Work profile policies 2. Enable work profile policies [enable] 3. Certificate management policies 4. Enable certificate management controls [enable] 5. Install certificate in keystore(s) silently [configure] |
| Certificates | Certificates (block user removal) | Configure | Include DoD certificates in work profile | II | CertificatePolicy.allowUserRemoveCertificates | FALSE | 1. Work profile policies 2. Enable work profile policies [enable] 3. Certificate management policies 4. Enable certificate management controls [enable] 5. Block user from removing certificate [enable] |
| Applications | List of approved apps listed in managed Google Play | List of apps | List only approved work apps | II | ApplicationPolicy.addAppPackageNameToWhiteList; ApplicationPolicy.addAppPackageNameToBlackList | Package name; (*) wildcard string | 1. Work profile policies 2. Enable work profile policies [enable] 3. Application management policies 4. Enable application management controls [enable] 5. Enable Allow list or Block list by package name [configure comma-separated package names or "*"] |
| Applications | List of approved apps listed in managed Google Play | List of apps | List only approved work apps | II | ApplicationPolicy.addAppSignatureToWhiteList; ApplicationPolicy.addAppSignatureToBlackList | Package signature; (*) wildcard string | 1. Work profile policies 2. Enable work profile policies [enable] 3. Application management policies 4. Enable application management controls [enable] 5. Enable Allow list or Block list by signature used [configure comma-separated signature list or "*"] |
| RCP | Show detailed notifications | Allow/Disallow | Disallow | II | RCPPolicy.setAllowChangeDataSyncPolicy | NOTIFICATIONS, SANITIZE_DATA, FALSE | 1. Work profile policies 2. Enable work profile policies [enable] 3. RCP Policy 4. Enable RCP Policy Controls [enable] 5. Data sync policy for NOTIFICATIONS / SANITIZE_DATA [disable] |
| RCP | Sharing clipboard to personal | Allow/Disallow | Disallow | II | RCPPolicy.allowShareClipboardDataToOwner | FALSE | 1. Work profile policies 2. Enable work profile policies [enable] 3. RCP Policy 4. Enable RCP Policy Controls [enable] 5. Enable Sharing of Clipboard Data to Owner [disable] |
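The table maps each STIG rule to the Knox API that enforces it, but nothing on this page verifies that a device actually ended up in that state once the UEM pushed the profile. The following Python is an added example, not KSP or Knox SDK code, that audits a device's effective policy values against the baseline in the table. It assumes the UEM can export those values as a flat dictionary keyed by Knox API name (an assumption; the sample report is constructed, with a few deliberate deviations). It reads "(minimum)" as the weakest value that still complies, so time-to-lock and the failed-password count are ceilings, and it treats 0 for either as non-compliant, since 0 disables the control. The password-quality constants carry the Android DevicePolicyManager values; only their ordering matters to the check.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Android DevicePolicyManager password-quality values, weakest to strongest.
PASSWORD_QUALITY_UNSPECIFIED = 0x00000
PASSWORD_QUALITY_SOMETHING = 0x10000
PASSWORD_QUALITY_NUMERIC = 0x20000
PASSWORD_QUALITY_NUMERIC_COMPLEX = 0x30000
PASSWORD_QUALITY_ALPHABETIC = 0x40000
PASSWORD_QUALITY_ALPHANUMERIC = 0x50000
PASSWORD_QUALITY_COMPLEX = 0x60000


@dataclass(frozen=True)
class Rule:
    api: str        # Knox API name, as in the "API List" column
    severity: str   # STIG category, as in the "Severity" column
    expect: str     # human-readable compliant value
    check: Callable[[Any], bool]


@dataclass(frozen=True)
class Finding:
    api: str
    severity: str
    expect: str
    actual: Any     # None when the report carries no value for this API


def _is_int(v: Any) -> bool:
    # bool is a subclass of int in Python; a boolean where a count is expected is a report error.
    return isinstance(v, int) and not isinstance(v, bool)


def _is(expected: bool) -> Callable[[Any], bool]:
    return lambda v: v is expected


def _within(lo: int, hi: int) -> Callable[[Any], bool]:
    # 0 means "no limit" for time-to-lock and failed-password wipe, so lo=1 rejects it
    # even though it is numerically under the cap.
    return lambda v: _is_int(v) and lo <= v <= hi


def _subset_of(*allowed: str) -> Callable[[Any], bool]:
    return lambda v: isinstance(v, (list, tuple, set)) and set(v) <= set(allowed)


# Baseline transcribed from the table above.
BASELINE: List[Rule] = [
    Rule("setPasswordMinimumLength", "II", ">= 6", lambda v: _is_int(v) and v >= 6),
    Rule("setPasswordQuality", "II", ">= PASSWORD_QUALITY_NUMERIC",
         lambda v: _is_int(v) and v >= PASSWORD_QUALITY_NUMERIC),
    Rule("setMaximumTimeToLock", "II", "1..900000 ms", _within(1, 900_000)),
    Rule("setMaximumFailedPasswordsToWipe", "II", "1..10", _within(1, 10)),
    Rule("setAllowNonMarketApps", "II", "False", _is(False)),
    Rule("allowDeveloperMode", "II", "False", _is(False)),
    Rule("setUsbMediaPlayerAvailability", "II", "False", _is(False)),
    Rule("allowOpenWifi", "II", "False", _is(False)),
    Rule("allowMultipleUsers", "II", "False", _is(False)),
    Rule("setCCMode", "II", "True", _is(True)),
    Rule("setSdCardState", "I", "False", _is(False)),
    Rule("setExternalStorageEncryption", "I", "True", _is(True)),
    Rule("enableAuditLog", "II", "True", _is(True)),
    Rule("setUsbExceptionList", "II", "subset of {HID}", _subset_of("HID")),
    Rule("setDateTimeChangeEnabled", "II", "False", _is(False)),
    Rule("allowAndroidBeam", "II", "False", _is(False)),
    Rule("allowShareList", "II", "False", _is(False)),
    Rule("setBackup", "II", "False", _is(False)),
    Rule("allowMoveFilesToOwner", "II", "False", _is(False)),
    Rule("allowShareClipboardDataToOwner", "II", "False", _is(False)),
    Rule("enableRevocationCheck", "II", "True", _is(True)),
    Rule("enableOcspCheck", "II", "True", _is(True)),
    Rule("allowUserRemoveCertificates", "II", "False", _is(False)),
]


def audit(report: Dict[str, Any]) -> List[Finding]:
    """One Finding per baseline rule the report fails or does not cover, in table order."""
    findings: List[Finding] = []
    for rule in BASELINE:
        if rule.api not in report:
            findings.append(Finding(rule.api, rule.severity, rule.expect, None))
        elif not rule.check(report[rule.api]):
            findings.append(Finding(rule.api, rule.severity, rule.expect, report[rule.api]))
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest STIG category among the findings (CAT I is worst), or None if compliant."""
    order = {"I": 0, "II": 1, "III": 2}
    return min((f.severity for f in findings), key=order.__getitem__, default=None)


# Constructed report (hypothetical UEM export): compliant except for four deliberate gaps.
SAMPLE_REPORT: Dict[str, Any] = {
    "setPasswordMinimumLength": 6,
    "setPasswordQuality": PASSWORD_QUALITY_NUMERIC_COMPLEX,
    "setMaximumTimeToLock": 0,                 # never locks: non-compliant
    "setMaximumFailedPasswordsToWipe": 10,
    "setAllowNonMarketApps": False, "allowDeveloperMode": False,
    "setUsbMediaPlayerAvailability": False, "allowOpenWifi": False,
    "allowMultipleUsers": False, "setCCMode": True,
    "setSdCardState": True,                    # CAT I deviation
    "setExternalStorageEncryption": True, "enableAuditLog": True,
    "setUsbExceptionList": ["HID", "MAS"],     # mass storage class must not be excepted
    "setDateTimeChangeEnabled": False, "allowAndroidBeam": False,
    "allowShareList": False, "setBackup": False, "allowMoveFilesToOwner": False,
    "allowShareClipboardDataToOwner": False, "enableRevocationCheck": True,
    # "enableOcspCheck" deliberately absent: reported as uncovered
    "allowUserRemoveCertificates": False,
}

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"CAT {f.severity}: {f.api} expected {f.expect}, got {f.actual!r}")
```

A missing key is reported as a finding rather than skipped, because a UEM that never pushed a setting leaves the device at its default, which for most of these rules is the permissive state.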