STIG 11 COBO compliance
Last updated July 26th, 2023
The STIG 11 policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.
If there is an asterisk (*) next to AE in the Vendor column, it means:

- There is a KPE alternative policy that may be used for compliance if your management tool doesn't implement the AE policy.
- If your management tool also doesn't implement the KPE policy, then KSP should be used to provide full coverage.
- KSP implements all STIG-listed KPE policies, and all the listed alternatives to AE policies.
- For information on how to find and configure these policies in KSP, see KSP references.
To implement the Knox Separated Apps feature, the policies listed in this table must be used in conjunction with the policies listed in the KSP Separated Apps table.
Vendor | Policy Group | Policy Rule | Options | Settings | Related Requirement | Comment
---|---|---|---|---|---|---
AE * | Device Password Requirements | Minimum password length | 0+ | 6 | KNOX-11-000100 | setPasswordMinimumLength
AE * | Device Password Requirements | Minimum password quality | Unspecified, Something, Numeric, Numeric (Complex), Alphabetic, Alphanumeric, Complex | Numeric | KNOX-11-000100, KNOX-11-000500, KNOX-11-000700 | setPasswordQuality PASSWORD_QUALITY_NUMERIC (minimum)
KPE | Device Password Requirements | Maximum sequential numbers | 0+ | 2 | KNOX-11-000300 | This requirement is not applicable if the password quality is set to Numeric (Complex) or better.<br>PasswordPolicy setMaximumNumericSequenceLength
AE * | Device Password Requirements | Max time to screen lock | 0 minutes | 15 minutes | KNOX-11-000500 | setMaximumTimeToLock
AE * | Device Password Requirements | Max password failures for local wipe | 0+ | 10 | KNOX-11-000700 | setMaximumFailedPasswordsForWipe
AE * | Device Restrictions | Installs from unknown sources globally | Allow/Disallow | Disallow | KNOX-11-001300 | addUserRestriction DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY
AE * | Device Restrictions | Trust agents | Enable/Disable | Disable | KNOX-11-003900 | setKeyguardDisabledFeatures KEYGUARD_DISABLE_TRUST_AGENTS
AE * | Device Restrictions | Face | Enable/Disable | Disable | KNOX-11-004100 | setKeyguardDisabledFeatures KEYGUARD_DISABLE_FACE
AE * | Device Restrictions | Debugging features | Allow/Disallow | Disallow | KNOX-11-005100 | addUserRestriction DISALLOW_DEBUGGING_FEATURES
AE * | Device Restrictions | USB file transfer | Allow/Disallow | Disallow | KNOX-11-006500, KNOX-11-006900 | addUserRestriction DISALLOW_USB_FILE_TRANSFER
KPE | Device Wi-Fi | Unsecured hotspot | Allow/Disallow | Disallow | KNOX-11-008100 | allowOpenWifiAp
KPE | Device Restrictions | CC mode | Enable/Disable | Enable | KNOX-11-013900, KNOX-11-020100 | setCCMode
AE * | Device Restrictions | Mount physical media | Allow/Disallow | Disallow | KNOX-11-003500 | Disable SD card.<br>addUserRestriction DISALLOW_MOUNT_PHYSICAL_MEDIA
AE * | Device Restrictions | Security logging | Enable/Disable | Enable | KNOX-11-018300 | setSecurityLoggingEnabled (the MDM must also provide a means to read the log in the console)
KPE | Device Restrictions | USB host mode exception list | APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR | HID | KNOX-11-020900 | setUsbExceptionList<br>allowUsbHostStorage (must be toggled off/on for the USB exception list to take effect)
KPE | Device Bluetooth | Bluetooth UUID allowlist | A2DP, AVRCP, BNEP, BPP, DUN, FTP, HFP, HSP, NAP, OBEXOBJECTPUSH, PANU, PBAP, SAP, SPP | HFP, HSP, SPP, A2DP, AVRCP, PBAP | KNOX-11-002300 | addBluetoothUUIDsToWhiteList<br>addBluetoothUUIDsToBlackList<br>activateBluetoothUUIDRestriction
N/A | User Agreement | User Agreement | | Include DoD-mandated warning banner text in User Agreement | KNOX-11-006300 | Put the DoD warning banner text in the User Agreement.<br>Alternative: AE * setDeviceOwnerLockScreenInfo
AE * | Device Restrictions | Config date/time | Allow/Disallow | Disallow | KNOX-11-020500 | addUserRestriction DISALLOW_CONFIG_DATE_TIME
AE | Device Enrollment Configuration | Default device enrollment | Fully managed, Work profile for company-owned devices | Fully managed | KNOX-11-017900, KNOX-11-018500 | Enroll device as an Android Enterprise device (DO)
AE * | Device Restrictions | Outgoing beam | Allow/Disallow | Disallow | KNOX-11-021700 | addUserRestriction DISALLOW_OUTGOING_BEAM
KPE | Device Restrictions | Share via list | Allow/Disallow | Disallow | KNOX-11-021300 | allowShareList
AE * | Device Restrictions | Backup service | Allow/Disallow | Disallow | KNOX-11-007300 | setBackupServiceEnabled
AE | Device Restrictions | Autofill services | Allow/Disallow | Disallow | KNOX-11-019700 | addUserRestriction DISALLOW_AUTOFILL
AE * | Device Restrictions | Account management | Account types, Enable/Disable | Disable for: work email app, Samsung Accounts, Google Accounts, and each AO-approved app that uses accounts for data backup/sync. | KNOX-11-007500, KNOX-11-017300 | setAccountManagementDisabled
KPE | Device Restrictions | Revocation check OR OCSP check | Enable/Disable | Enable | KNOX-11-022500 | enableRevocationCheck<br>enableOcspCheck
AE * | Device Policy Management | Certificates | Configure | Include DoD certificates in work profile | KNOX-11-022900 | installCaCert
AE * | Device Restrictions | List of approved apps listed in managed Google Play | List of apps | List only approved work apps in managed Google Play | KNOX-11-001700, KNOX-11-001900 | Configure managed Google Play with approved work apps
AE | Device Restrictions | Unredacted notifications | Allow/Disallow | Disallow | KNOX-11-002700 | setKeyguardDisabledFeatures KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
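The AE rows above map to standard Android `DevicePolicyManager` and `UserManager` APIs, so a device-owner DPC can read its own configured values back and report which STIG settings are not in place. The following audit is an added example, not KSP or Samsung code; it assumes a hypothetical DPC that is device owner with admin component `admin`, and it checks only what that admin itself has set (the KPE-only rows such as CC mode and the USB/Bluetooth allowlists need the Knox SDK and are not covered here).

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.List;

/** Audits the AE-side rows of the STIG 11 COBO table from inside a device-owner DPC (example code). */
public final class Stig11CoboAudit {

    // Keyguard features the table requires to be disabled (KNOX-11-003900, -004100, -002700).
    private static final int KEYGUARD_REQUIRED_DISABLED =
            DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS
            | DevicePolicyManager.KEYGUARD_DISABLE_FACE
            | DevicePolicyManager.KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS;

    // User restrictions the table sets to Disallow, in table order.
    private static final String[] REQUIRED_RESTRICTIONS = {
            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, // KNOX-11-001300
            UserManager.DISALLOW_DEBUGGING_FEATURES,               // KNOX-11-005100
            UserManager.DISALLOW_USB_FILE_TRANSFER,                // KNOX-11-006500, -006900
            UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,             // KNOX-11-003500
            UserManager.DISALLOW_CONFIG_DATE_TIME,                 // KNOX-11-020500
            UserManager.DISALLOW_OUTGOING_BEAM,                    // KNOX-11-021700
            UserManager.DISALLOW_AUTOFILL,                         // KNOX-11-019700
            UserManager.DISALLOW_CONFIG_CREDENTIALS,               // KNOX-11-023100
    };

    /** Returns one finding per failed check; an empty list means every row audited here passes. */
    public static List<String> findings(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<String> out = new ArrayList<>();
        if (dpm.getPasswordMinimumLength(admin) < 6)
            out.add("KNOX-11-000100: minimum password length below 6");
        if (dpm.getPasswordQuality(admin) < DevicePolicyManager.PASSWORD_QUALITY_NUMERIC)
            out.add("KNOX-11-000100/000500/000700: password quality weaker than Numeric");
        long lockMs = dpm.getMaximumTimeToLock(admin);           // 0 means no limit is enforced
        if (lockMs == 0 || lockMs > 15 * 60 * 1000L)
            out.add("KNOX-11-000500: max time to screen lock not within 15 minutes");
        int wipe = dpm.getMaximumFailedPasswordsForWipe(admin);  // 0 means local wipe is disabled
        if (wipe == 0 || wipe > 10)
            out.add("KNOX-11-000700: max password failures for local wipe not within 10");
        Bundle restrictions = dpm.getUserRestrictions(admin);
        for (String r : REQUIRED_RESTRICTIONS)
            if (!restrictions.getBoolean(r, false)) out.add("user restriction not set: " + r);
        if ((dpm.getKeyguardDisabledFeatures(admin) & KEYGUARD_REQUIRED_DISABLED) != KEYGUARD_REQUIRED_DISABLED)
            out.add("KNOX-11-002700/003900/004100: trust agents, face or unredacted notifications still enabled");
        if (dpm.isBackupServiceEnabled(admin)) out.add("KNOX-11-007300: backup service enabled");
        if (!dpm.isSecurityLoggingEnabled(admin)) out.add("KNOX-11-018300: security logging disabled");
        return out;
    }
}
```

Because these getters report the values set by the named admin rather than the device-wide aggregate, the audit is a check on the DPC's own configuration; rows handled through KSP (KPE APIs) must be verified through KSP's own reporting.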