Back to top
Home / Knox Platform for Enterprise / Knox Service Plugin / References / STIG 11 /

STIG 11 COPE compliance

Last updated July 26th, 2023

Settings for STIG 11 COPE compliance

The STIG 11 policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.

If there is an asterisk (*) below AE in the Vendor column, it means:

  • There is a KPE alternative policy that may be used for compliance if your management tool doesn’t implement the AE policy.

  • If your management tool also doesn’t implement the KPE policy, then KSP should be used to provide full coverage.

  • KSP implements all STIG-listed KPE policies, and all the listed alternatives to AE policies.

  • For information on how to find and configure these policies in KSP, see KSP references.

Vendor

Policy Group

Policy Rule

Options

Settings

Related Requirement

Comment

AE

Device Password Requirements

Minimum password length

0+

6

KNOX-11-000100

setPasswordMinimumLength

AE

Device Password Requirements

Minimum password quality

Unspecified, Something, Numeric, Numeric(Complex), Alphabetic, Alphanumeric, Complex

Numeric

KNOX-11-000100, KNOX-11-000500, KNOX-11-000700

setPasswordQuality

PASSWORD_QUALITY_NUMERIC (minimum)

KPE

Device Password Requirements

Maximum sequential numbers

0+

2

KNOX-11-000300

This policy is not applicable if the password quality is set to Numeric (complex), or better.

PasswordPolicy setMaximumNumericSequenceLength

AE

Device Password Requirements

Max time to screen lock

0 minutes

15 minutes

KNOX-11-000500

setMaximumTimeToLock

AE

Device Password Requirements

Max password failures fo local wipe

0+

10

KNOX-11-000700

setMaximumFailedPasswordsForWipe

AE

*

Device Restrictions

Installs from unknown sources globally

Allow/ Disallow

Disallow

KNOX-11-001300

addUserRestriction

DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY

AE

Device Restrictions

Trust agents

Disable/Enable

Disable

KNOX-11-003900

setKeyguardDisabledFeatures

KEYGUARD_DISABLE_TRUST_AGENTS

AE

*

Device Restrictions

Face

Disable/Enable

Disable

KNOX-11-004100

setKeyguardDisabledFeatures

KEYGUARD_DISABLE_FACE

AE

*

Device Restrictions

Debugging features

Allow/

Disallow

Disallow

KNOX-11-005100

addUserRestriction

DISALLOW_DEBUGGING_FEATURES

AE

*

Device Restrictions

USB file transfer

Allow/

Disallow

Disallow

KNOX-11-006500, KNOX-11-006900

addUserRestriction

DISALLOW_USB_FILE_TRANSFER

KPE

Device Wi-Fi

Unsecured hotspot

Allow/

Disallow

Disallow

KNOX-11-008100

allowOpenWifiAp

KPE

Device Restrictions

CC mode

Enable/

Disable

Enable

KNOX-11-013900, KNOX-11-020100

setCCMode

AE

_

Device Restrictions

Mount physical media

Allow/Disallow

Disallow

KNOX-11-003500

Disable SD Cards.

addUserRestriction

DISALLOW_MOUNT_PHYSICAL_MEDIA

KPE

Device Restrictions

USB host mode exception list

APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR

HID

KNOX-11-020900

setUsbExceptionList

allowUsbHostStorage (must be toggled off/on for USB exception list to take effect)

KPE

Device Bluetooth

Bluetooth UUID allowlist

A2DP,

AVRCP,

BNEP,

BPP,

DUN,

FTP,

HFP,

HSP,

NAP,

OBEXOBJECTPUSH,

PANU,

PBAP,

SAP,

SPP

HFP,

HSP,

SPP,

A2DP,

AVRCP,

PBAP

KNOX-11-002300

addBluetoothUUIDsToWhiteList

addBluetoothUUIDsToBlackList

activateBluetoothUUIDRestriction

N/A

User Agreement

User Agreement

Include DoD-mandated warning banner text in User Agreement

KNOX-11-006300

Put the DoD Warning banner text in the User Agreement

Alternative: AE* setDeviceOwnerLockScreenInfo

AE

*

Device Restrictions

Config Date Time

Allow/

Disallow

Disallow

KNOX-11-020500

addUserRestriction

DISALLOW_CONFIG_DATE_TIME

AE

Device Enrollment Configuration

Default device enrollment

Full managed, Work profile for company-owned devices

Work profile for company-owned devices

KNOX-11-009200, KNOX-11-017900, KNOX-11-018500

KPE

Work profile Restrictions

Share Via List

Allow/

Disallow

Disallow

KNOX-11-021300

allowShareList

KPE

Work profile RCP

Move files to personal

Allow/

Disallow

Disallow

KNOX-11-008900

allowMoveFilesToOwner

KPE

Work profile RCP

Sync calendar to personal

Allow/

Disallow

Disallow

KNOX-11-009300

setAllowChangeDataSyncPolicy

CALENDAR, EXPORT, FALSE

AE

Work profile Restrictions

Autofill services

Allow/

Disallow

Disallow

KNOX-11-019700

addUserRestriction

DISALLOW_AUTOFILL

AE

*

Work profile Restrictions

Account management

Account types, Enable/

Disable

Disable for: Work email app, Samsung Accounts, Google Accounts, and each AO-approved App that uses accounts for data backup/sync.

KNOX-11-007500, KNOX-11-017300

setAccountManagementDisabled

KPE

Work profile Restrictions

Revocation check OR OCSP check

Enable/

Disable

Enable

KNOX-11-022500

enableRevocationCheck

enableOcspCheck

AE

*

Work profile Policy Management

Certificates

Configure

Include DoD certificates in work profile

KNOX-11-022900

installCaCert

AE

*

Work profile Restrictions

Config credentials

Allow/

Disallow

Disallow

KNOX-11-023100

addUserRestriction

DISALLOW_CONFIG_CREDENTIALS

AE

*

Work profile Restrictions

List of approved apps listed in managed Google Play

List of apps

List only approved work apps in managed Google Play

KNOX-11-001700, KNOX-11-001900

Configure managed Google Play with approved work apps

AE

*

Work profile Restrictions

Unredacted Notifications

Allow/

Disallow

Disallow

KNOX-11-002700

setKeyguardDisabledFeatures

KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS

AE

*

Work profile Restriction

Cross profile copy/paste

Allow/

Disallow

Disallow

KNOX-11-009100

addUserRestriction

DISALLOW_CROSS_PROFILE_COPY_PASTE

AE

*

Work profile Restrictions

Security logging

Enable/

Disable

Enable

KNOX-11-018300

setSecurityLoggingEnabled (MDM must also provide means to read the Log in the console)

On this page

Is this page helpful?