STIG 11 COPE compliance
Last updated July 26th, 2023
Settings for STIG 11 COPE compliance
The STIG 11 policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.
If there is an asterisk (*) below AE in the Vendor column, it means:
-
There is a KPE alternative policy that may be used for compliance if your management tool doesn’t implement the AE policy.
-
If your management tool also doesn’t implement the KPE policy, then KSP should be used to provide full coverage.
-
KSP implements all STIG-listed KPE policies, and all the listed alternatives to AE policies.
-
For information on how to find and configure these policies in KSP, see KSP references.
|
Vendor |
Policy Group |
Policy Rule |
Options |
Settings |
Related Requirement |
Comment |
|---|---|---|---|---|---|---|
|
AE |
Device Password Requirements |
Minimum password length |
0+ |
6 |
KNOX-11-000100 |
setPasswordMinimumLength |
|
AE |
Device Password Requirements |
Minimum password quality |
Unspecified, Something, Numeric, Numeric(Complex), Alphabetic, Alphanumeric, Complex |
Numeric |
KNOX-11-000100, KNOX-11-000500, KNOX-11-000700 |
setPasswordQuality PASSWORD_QUALITY_NUMERIC (minimum) |
|
KPE |
Device Password Requirements |
Maximum sequential numbers |
0+ |
2 |
KNOX-11-000300 |
This policy is not applicable if the password quality is set to Numeric (complex), or better.
PasswordPolicy setMaximumNumericSequenceLength |
|
AE |
Device Password Requirements |
Max time to screen lock |
0 minutes |
15 minutes |
KNOX-11-000500 |
setMaximumTimeToLock |
|
AE |
Device Password Requirements |
Max password failures fo local wipe |
0+ |
10 |
KNOX-11-000700 |
setMaximumFailedPasswordsForWipe |
|
AE * |
Device Restrictions |
Installs from unknown sources globally |
Allow/ Disallow |
Disallow |
KNOX-11-001300 |
addUserRestriction DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY |
|
AE |
Device Restrictions |
Trust agents |
Disable/Enable |
Disable |
KNOX-11-003900 |
setKeyguardDisabledFeatures KEYGUARD_DISABLE_TRUST_AGENTS |
|
AE * |
Device Restrictions |
Face |
Disable/Enable |
Disable |
KNOX-11-004100 |
setKeyguardDisabledFeatures KEYGUARD_DISABLE_FACE |
|
AE * |
Device Restrictions |
Debugging features |
Allow/ Disallow |
Disallow |
KNOX-11-005100 |
addUserRestriction DISALLOW_DEBUGGING_FEATURES |
|
AE * |
Device Restrictions |
USB file transfer |
Allow/ Disallow |
Disallow |
KNOX-11-006500, KNOX-11-006900 |
addUserRestriction DISALLOW_USB_FILE_TRANSFER |
|
KPE |
Device Wi-Fi |
Unsecured hotspot |
Allow/ Disallow |
Disallow |
KNOX-11-008100
|
allowOpenWifiAp |
|
KPE |
Device Restrictions |
CC mode |
Enable/ Disable |
Enable |
KNOX-11-013900, KNOX-11-020100 |
setCCMode |
|
AE _ |
Device Restrictions |
Mount physical media |
Allow/Disallow |
Disallow |
KNOX-11-003500 |
Disable SD Cards.
addUserRestriction DISALLOW_MOUNT_PHYSICAL_MEDIA |
|
KPE |
Device Restrictions |
USB host mode exception list |
APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR |
HID |
KNOX-11-020900 |
setUsbExceptionList
allowUsbHostStorage (must be toggled off/on for USB exception list to take effect) |
|
KPE |
Device Bluetooth |
Bluetooth UUID allowlist |
A2DP, AVRCP, BNEP, BPP, DUN, FTP, HFP, HSP, NAP, OBEXOBJECTPUSH, PANU, PBAP, SAP, SPP |
HFP, HSP, SPP, A2DP, AVRCP, PBAP |
KNOX-11-002300 |
addBluetoothUUIDsToWhiteList
addBluetoothUUIDsToBlackList
activateBluetoothUUIDRestriction |
|
N/A |
User Agreement |
User Agreement |
Include DoD-mandated warning banner text in User Agreement |
KNOX-11-006300 |
Put the DoD Warning banner text in the User Agreement
Alternative: AE* setDeviceOwnerLockScreenInfo |
|
|
AE * |
Device Restrictions |
Config Date Time |
Allow/ Disallow |
Disallow |
KNOX-11-020500 |
addUserRestriction DISALLOW_CONFIG_DATE_TIME |
|
AE |
Device Enrollment Configuration |
Default device enrollment |
Full managed, Work profile for company-owned devices |
Work profile for company-owned devices |
KNOX-11-009200, KNOX-11-017900, KNOX-11-018500 |
|
|
KPE |
Work profile Restrictions |
Share Via List |
Allow/ Disallow |
Disallow |
KNOX-11-021300 |
allowShareList |
|
KPE |
Work profile RCP |
Move files to personal |
Allow/ Disallow |
Disallow |
KNOX-11-008900 |
allowMoveFilesToOwner |
|
KPE |
Work profile RCP |
Sync calendar to personal |
Allow/ Disallow |
Disallow |
KNOX-11-009300 |
setAllowChangeDataSyncPolicy CALENDAR, EXPORT, FALSE |
|
AE |
Work profile Restrictions |
Autofill services |
Allow/ Disallow |
Disallow |
KNOX-11-019700 |
addUserRestriction DISALLOW_AUTOFILL |
|
AE * |
Work profile Restrictions |
Account management |
Account types, Enable/ Disable |
Disable for: Work email app, Samsung Accounts, Google Accounts, and each AO-approved App that uses accounts for data backup/sync. |
KNOX-11-007500, KNOX-11-017300 |
setAccountManagementDisabled |
|
KPE |
Work profile Restrictions |
Revocation check OR OCSP check |
Enable/ Disable |
Enable |
KNOX-11-022500 |
enableRevocationCheck
enableOcspCheck |
|
AE * |
Work profile Policy Management |
Certificates |
Configure |
Include DoD certificates in work profile |
KNOX-11-022900 |
installCaCert |
|
AE * |
Work profile Restrictions |
Config credentials |
Allow/ Disallow |
Disallow |
KNOX-11-023100 |
addUserRestriction DISALLOW_CONFIG_CREDENTIALS |
|
AE * |
Work profile Restrictions |
List of approved apps listed in managed Google Play |
List of apps |
List only approved work apps in managed Google Play |
KNOX-11-001700, KNOX-11-001900 |
Configure managed Google Play with approved work apps |
|
AE * |
Work profile Restrictions |
Unredacted Notifications |
Allow/ Disallow |
Disallow |
KNOX-11-002700 |
setKeyguardDisabledFeatures KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS |
|
AE * |
Work profile Restriction |
Cross profile copy/paste |
Allow/ Disallow |
Disallow |
KNOX-11-009100 |
addUserRestriction DISALLOW_CROSS_PROFILE_COPY_PASTE |
|
AE * |
Work profile Restrictions |
Security logging |
Enable/ Disable |
Enable |
KNOX-11-018300 |
setSecurityLoggingEnabled (MDM must also provide means to read the Log in the console) |
On this page
Is this page helpful?