STIG 11 Knox Service Plugin reference

Device Password Requirements

Minimum password length

COPE: Use MDM native capability

COBO:

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Password policy

4. Enable password policy controls with KSP [enable]

5. Password Restrictions

6. Minimum Password Length [6]

Device Password Requirements

Minimum password quality

COPE: Use MDM native capability

COBO:

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Password policy

4. Enable password policy controls with KSP [enable]

5. Password Quality [numeric]"

Device Password Requirements

Maximum sequential numbers

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Password policy

4. Enable password policy controls with KSP [enable]

5. Password Restrictions

6. Maximum Character Sequence Length [2]

Device Password Requirements

Max time to screen lock

COPE: Use MDM native capability

COBO:

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Password policy

4. Enable password policy controls with KSP [enable]

5. Allowed Time for User Activity before Device Locks [900000]

Device Password Requirements

Max password failures for local wipe

COPE: Use MDM native capability

COBO:

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Password policy

4. Enable password policy controls with KSP [enable]

5. Maximum Failed Password Attempt to Wipe Data [10]

Device Restrictions

Installs from unknown sources

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Allow installation of Non-Google Play Apps [disable]

Device Restrictions

Trust agents

Use MDM native capability

Device Restrictions

Face

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Password policy

4. Enable password policy controls with KSP [enable]

5. Biometric authentication

6. Enable Face recognition [disable]

Device Restrictions

Debugging features

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Allow developer mode [disable]

Device Restrictions

USB file transfer

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Allow USB media player [disable]

Device Wi-Fi

Unsecured hotspot

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Controls

4. Wi-Fi Policy

5. Enable Wi-Fi policy controls [enable]

6. Allow open Wi-Fi connection [disable]

Device Restrictions

CC mode

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Advanced Restriction policies

4. Enable advanced restriction controls [enable]

5. Enable Common Criteria (CC) mode [enable]

Device Restrictions

Mount physical media

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Allow SD card access [disable]

Device Restrictions

USB host mode exception list

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Setup USB exception list [Human Interface Device]

Device Bluetooth

Bluetooth UUID allowlist

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Controls

4. Bluetooth Policy

5. Enable bluetooth policy controls [enable]

6. Whitelist Bluetooth Service by UUID [configure]

User Agreement

User Agreement

Put the DoD Warning banner text in the User Agreement

Alternative:

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Controls

4. Boot banner

5. Enable banner on device reboot [enable]

Device Restrictions

Config Date Time

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Date Time Change

4. Enable Date Time Policy controls [enable]

5. Allow Date Time change [disable]

Device Enrollment Configuration

Default device enrollment

Use MDM native capability

Device Restrictions

Share Via List

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable application management controls [enable]

5. Allow Share Via option [disable]

Device Restrictions

Autofill services

Use MDM native capability

Device Restrictions

Account management

Step 1

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Account Policy

4. Enable Device Account Policy Controls [enable]

5. Enable Device Account policies (Configure profiles below) [enable]

Step 2

1. Device Account Policy Configurations

2. Device Account Policy Configuration

3. Add Account Type to Addition Blacklist [choose types]

4. Add Accounts to Addition Blacklist [configure ""*""]

Device Restrictions

Revocation check

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Certificate revocation

6. Enable revocation check [Enable for all apps]

Device Restrictions

OR OCSP check

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Certificate revocation

6. Enable OCSP check before CRL [enable]

Device Policy Management

Certificates

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Install Certificate in keystore(s) silently [configure]

Device Restrictions

Config credentials

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Block User from removing Certificate [enable]

Device Restrictions

List of approved apps listed in managed Google Play

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Whitelist by Pkg Name [configure comma separated package list]

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Blacklist by Pkg Name [configure ""*""]

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Whitelist by Signature used [configure comma separated package hash list]

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Blacklist by Signature used [configure ""*""]

Device Restrictions

Unredacted Notifications

Use MDM native capability

Device Restrictions

Security logging

Use KPE Audit logging feature.

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Audit Log

4. Enable Audit Log [enable]

5. Log Path [configure]

Device Restrictions

Outgoing beam

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Allow Android Beam on device [disable]

Device Restrictions

Backup service

1. Device-wide policies (Device Owner)

2. Enable device-wide policies [enable]

3. Device Restrictions

4. Enable device restriction controls [enable]

5. Allow backup on Google Serve [disable]

Work profile Restrictions

Share Via List

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Restrictions in work profile

4. Enable work profile restriction controls [enable]

5. Allow Share Via option [disable]

Work profile RCP

Move file to personal

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. RCP Policy

4. Enable RCP Policy Controls [enable]

5. Allow moving files from work profile to personal space [enable]

Work profile RCP

Sync calendar to personal

Step 1

1. RCP Data Sync profile Configurations

2. Add setting

3. Set Select Application to Data Sync [calendar]

4. Set Data Sync Property [export data]

5. Enable user to data sync on selective applications [enable]

Step 2

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. RCP Policy

4. Enable RCP Policy Controls [enable]

5. Enable RCP data sync policy [enable]

Work profile Restrictions

Autofill services

Use MDM native capability

Work profile Restrictions

Account management

Step 1

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Device Account Policy

4. Enable Device Account Policy Controls [enable]

5. Enable Device Account policies (Configure profiles below) [enable]

Step 2

1. Device Account Policy Configurations

2. Device Account Policy Configuration

3. Add Account Type to Addition Blacklist [choose types]

4. Add Accounts to Addition Blacklist [configure "*"]

Work profile Restrictions

Revocation check

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Certificate revocation

6. Enable revocation check [Enable for all apps]

Work profile Restrictions

OR OCSP check

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Certificate revocation

6. Enable OCSP check before CRL [enable]

Work profile Policy Management

Certificates

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Install Certificate in keystore(s) silently [configure]

Work profile Restrictions

Config credentials

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Block User from removing Certificate [enable]

Work profile Restrictions

List of approved apps listed in managed Google Play

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Whitelist by Pkg Name [configure comma separated package list]

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Blacklist by Pkg Name [configure "*"]

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Whitelist by Signature used [configure comma separated package hash list]

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Application management policies

4. Enable application management controls [enable]

5. Application Blacklist by Signature used [configure "*"]

Work profile Restrictions

Unredacted Notifications

Step 1

1. RCP Data Sync profile Configurations

2. Add setting

3. Set Select Application to Data Sync [notifications]

4. Set Data Sync Property [sanitize data]

5. Enable user to data sync on selective applications [enable]

Step 2

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. RCP Policy

4. Enable RCP Policy Controls [enable]

5. Enable RCP data sync policy [enable]

Work profile RCP

Cross profile copy/paste

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. RCP Policy

4. Enable RCP Policy Controls [enable]

5. Enable Sharing of Clipboard Data to Owner [enable]

Work profile Audit Log

Security logging

Use the KPE Audit logging feature.

1. Work profile policies (Profile Owner)

2. Enable work profile policies [enable]

3. Audit Log

4. Enable Audit Log [enable]

5. Log Path [configure]

Separated Apps

Location

1. Separated Apps policies

2. Enable Separated Apps [enable]

3. Allow Listing Policies

4. Set Location [inside o outside]

Separated Apps

App List

1. Separated Apps policies

2. Enable Separated Apps [enable]

3. Allow Listing Policies

4. Configure List of Apps to Separate [list of packages]