
STIG 11 Knox Service Plugin reference

Last updated July 26th, 2023

The following sections allow you to find and configure the STIG 11 policies in KSP:

Paths to STIG 11 policies in KSP

The following table shows the paths you need to follow in the KSP section of your UEM to configure the STIG 11 policies.

Use this table in conjunction with the following:

Policy Group | Policy Rule
  KSP Policy Mapping (the path to follow in KSP, from the top-level policy section to the setting to configure; the value to set is given in brackets)

Device Password Requirements | Minimum password length
  COPE: Use MDM native capability
  COBO: Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Password policy > Enable password policy controls with KSP [enable] > Password Restrictions > Minimum Password Length [6]

Device Password Requirements | Minimum password quality
  COPE: Use MDM native capability
  COBO: Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Password policy > Enable password policy controls with KSP [enable] > Password Quality [numeric]

Device Password Requirements | Maximum sequential numbers
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Password policy > Enable password policy controls with KSP [enable] > Password Restrictions > Maximum Character Sequence Length [2]

Device Password Requirements | Max time to screen lock
  COPE: Use MDM native capability
  COBO: Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Password policy > Enable password policy controls with KSP [enable] > Allowed Time for User Activity before Device Locks [900000]

Device Password Requirements | Max password failures for local wipe
  COPE: Use MDM native capability
  COBO: Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Password policy > Enable password policy controls with KSP [enable] > Maximum Failed Password Attempt to Wipe Data [10]

Device Restrictions | Installs from unknown sources
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Allow installation of Non-Google Play Apps [disable]

Device Restrictions | Trust agents
  Use MDM native capability

Device Restrictions | Face
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Password policy > Enable password policy controls with KSP [enable] > Biometric authentication > Enable Face recognition [disable]

Device Restrictions | Debugging features
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Allow developer mode [disable]

Device Restrictions | USB file transfer
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Allow USB media player [disable]

Device Wi-Fi | Unsecured hotspot
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Controls > Wi-Fi Policy > Enable Wi-Fi policy controls [enable] > Allow open Wi-Fi connection [disable]

Device Restrictions | CC mode
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Advanced Restriction policies > Enable advanced restriction controls [enable] > Enable Common Criteria (CC) mode [enable]

Device Restrictions | Mount physical media
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Allow SD card access [disable]

Device Restrictions | USB host mode exception list
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Setup USB exception list [Human Interface Device]

Device Bluetooth | Bluetooth UUID allowlist
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Controls > Bluetooth Policy > Enable bluetooth policy controls [enable] > Whitelist Bluetooth Service by UUID [configure]

User Agreement | User Agreement
  Put the DoD Warning banner text in the User Agreement.
  Alternative: Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Controls > Boot banner > Enable banner on device reboot [enable]

Device Restrictions | Config Date Time
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Date Time Change > Enable Date Time Policy controls [enable] > Allow Date Time change [disable]

Device Enrollment Configuration | Default device enrollment
  Use MDM native capability

Device Restrictions | Share Via List
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable application management controls [enable] > Allow Share Via option [disable]

Device Restrictions | Autofill services
  Use MDM native capability

Device Restrictions | Account management
  Step 1: Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Account Policy > Enable Device Account Policy Controls [enable] > Enable Device Account policies (Configure profiles below) [enable]
  Step 2: Device Account Policy Configurations > Device Account Policy Configuration > Add Account Type to Addition Blacklist [choose types] > Add Accounts to Addition Blacklist [configure "*"]

Device Restrictions | Revocation check
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Certificate revocation > Enable revocation check [Enable for all apps]

Device Restrictions | OR OCSP check
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Certificate revocation > Enable OCSP check before CRL [enable]

Device Policy Management | Certificates
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Install Certificate in keystore(s) silently [configure]

Device Restrictions | Config credentials
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Block User from removing Certificate [enable]

Device Restrictions | List of approved apps listed in managed Google Play
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Application management policies > Enable application management controls [enable] > Application Whitelist by Pkg Name [configure comma separated package list]
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Application management policies > Enable application management controls [enable] > Application Blacklist by Pkg Name [configure "*"]
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Application management policies > Enable application management controls [enable] > Application Whitelist by Signature used [configure comma separated package hash list]
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Application management policies > Enable application management controls [enable] > Application Blacklist by Signature used [configure "*"]

Device Restrictions | Unredacted Notifications
  Use MDM native capability

Device Restrictions | Security logging
  Use KPE Audit logging feature.
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Audit Log > Enable Audit Log [enable] > Log Path [configure]

Device Restrictions | Outgoing beam
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Allow Android Beam on device [disable]

Device Restrictions | Backup service
  Device-wide policies (Device Owner) > Enable device-wide policies [enable] > Device Restrictions > Enable device restriction controls [enable] > Allow backup on Google Serve [disable]

Work profile Restrictions | Share Via List
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Restrictions in work profile > Enable work profile restriction controls [enable] > Allow Share Via option [disable]

Work profile RCP | Move file to personal
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > RCP Policy > Enable RCP Policy Controls [enable] > Allow moving files from work profile to personal space [enable]

Work profile RCP | Sync calendar to personal
  Step 1: RCP Data Sync profile Configurations > Add setting > Set Select Application to Data Sync [calendar] > Set Data Sync Property [export data] > Enable user to data sync on selective applications [enable]
  Step 2: Work profile policies (Profile Owner) > Enable work profile policies [enable] > RCP Policy > Enable RCP Policy Controls [enable] > Enable RCP data sync policy [enable]

Work profile Restrictions | Autofill services
  Use MDM native capability

Work profile Restrictions | Account management
  Step 1: Work profile policies (Profile Owner) > Enable work profile policies [enable] > Device Account Policy > Enable Device Account Policy Controls [enable] > Enable Device Account policies (Configure profiles below) [enable]
  Step 2: Device Account Policy Configurations > Device Account Policy Configuration > Add Account Type to Addition Blacklist [choose types] > Add Accounts to Addition Blacklist [configure "*"]

Work profile Restrictions | Revocation check
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Certificate revocation > Enable revocation check [Enable for all apps]

Work profile Restrictions | OR OCSP check
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Certificate revocation > Enable OCSP check before CRL [enable]

Work profile Policy Management | Certificates
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Install Certificate in keystore(s) silently [configure]

Work profile Restrictions | Config credentials
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Certificate management policies > Enable certificate management controls [enable] > Block User from removing Certificate [enable]

Work profile Restrictions | List of approved apps listed in managed Google Play
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Application management policies > Enable application management controls [enable] > Application Whitelist by Pkg Name [configure comma separated package list]
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Application management policies > Enable application management controls [enable] > Application Blacklist by Pkg Name [configure "*"]
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Application management policies > Enable application management controls [enable] > Application Whitelist by Signature used [configure comma separated package hash list]
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Application management policies > Enable application management controls [enable] > Application Blacklist by Signature used [configure "*"]

Work profile Restrictions | Unredacted Notifications
  Step 1: RCP Data Sync profile Configurations > Add setting > Set Select Application to Data Sync [notifications] > Set Data Sync Property [sanitize data] > Enable user to data sync on selective applications [enable]
  Step 2: Work profile policies (Profile Owner) > Enable work profile policies [enable] > RCP Policy > Enable RCP Policy Controls [enable] > Enable RCP data sync policy [enable]

Work profile RCP | Cross profile copy/paste
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > RCP Policy > Enable RCP Policy Controls [enable] > Enable Sharing of Clipboard Data to Owner [enable]

Work profile Audit Log | Security logging
  Use the KPE Audit logging feature.
  Work profile policies (Profile Owner) > Enable work profile policies [enable] > Audit Log > Enable Audit Log [enable] > Log Path [configure]

Paths to Separated Apps policies

To implement the Knox Separated Apps feature, use the policies listed in the STIG 11 COBO compliance table in conjunction with the paths in this table.

Policy Group | Policy Rule
  KSP Policy Mapping (the path to follow in KSP; the value to set is given in brackets)

Separated Apps | Location
  Separated Apps policies > Enable Separated Apps [enable] > Allow Listing Policies > Set Location [inside or outside]

Separated Apps | App List
  Separated Apps policies > Enable Separated Apps [enable] > Allow Listing Policies > Configure List of Apps to Separate [list of packages]
