STIG 9 COPE compliance

Last updated July 26th, 2023

This section provides high-level instructions to set up and configure STIG policies on a fully managed device with a work profile using VMware Workspace ONE UEM console. For detailed information on configuring STIG policies using VMware Workspace ONE UEM console, see VMware AirWatch v9.x MDM STIG.

For a video describing STIG compliance for fully managed devices with a work profile, see STIG compliance for fully managed devices with a work profile.

For information on how to configure VMware Workspace One, see VMware Workspace One and Knox Platform for Enterprise - User Guide.

VMware Workspace ONE UEM does not currently provide native support for all STIG policies necessary for compliance. IT admins can use KSP from within Workspace ONE to ensure compliance with STIG policies.

Currently, you can create a Personal space (also known as a Personal profile in Android Enterprise) on a fully managed device with a work profile using VMware Workspace ONE UEM, but you cannot use KSP to apply additional policies to the Personal space. As a result, KSP cannot be used to enforce STIG compliance for Personal space policies.

To apply STIG compliance policies:

  1. Set the fully managed device with a work profile mode on your UEM console.

  2. Implement the fully managed device with a work profile method of AE deployment on your devices.

  3. Add KSP as an app in both DO (the primary profile) and PO (the managed profile).

  4. Create new DO and PO profiles with appropriate policy restrictions.

  5. In your UEM console, go to Devices > Profiles & Resources > Profiles. The Profiles page opens.

  6. On this page, click Add > Add profile. The select platform to start page opens.

  7. On this page, double-click Android. The Add a New Android Profile page opens to show a left navigation menu of items you can configure for your device profile.

  8. Edit the STIG compliance policies using the items on the left navigation menu, then save your changes.

  9. From the UEM console home page, go to Devices > Device Settings > Android > Android EMM Registration, and in the fully managed device enrollments list set the value to Corporate Owned Personally Enabled.

  10. Enable audit logging as follows:

    1. From the UEM console home page, go to Devices > Device Settings > Android > Intelligent Hub Settings > Samsung Knox settings.

    2. Set the value of the Enable Audit Logging field to Enabled.

    3. Save your changes.

  11. Set additional policies and values using KSP.

  12. Deploy KSP policy changes to a fully managed device with a work profile.

Settings for STIG compliance

The policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.

Primary profile (DO)

Policy Group | Policy Rule | Available Options | Applicable Configuration Items
Knox Bluetooth | Allow these profiles | HSP, HFP, PBAP, A2DP, AVRCP, SPP, NAP, BNEP, HID, BPP, DUN, SAP | HFP, HSP, SPP
Knox Wi-Fi | Allow connections to an unsecured hotspot | Select OR Unselect | Unselect
Knox application | Disable system applications | Configure | Add all non-AO-approved system app packages; add all system app packages that are identified as having non-DoD-approved characteristics; add all preinstalled public cloud backup system apps
Knox audit log | Enable audit log | Select OR Unselect | Select
Knox banner | Show banner text | Configure | Add DoD-mandated warning banner text
Knox certificate | Enable OCSP check | Configure | Enable for all apps
Knox certificate | Enable revocation check | Configure | Enable for all apps
Knox encryption | Enable encryption of external storage devices | Select OR Unselect | Select
Knox password constraints | Maximum number of sequential characters allowed in passwords | 0+ | 2
Knox password constraints | Maximum number of sequential numbers allowed in passwords | 0+ | 2
Knox restrictions | Add items to USB host mode exception list | APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR | HID
Knox restrictions | Enable CC mode | Select OR Unselect | Select
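As an added example (not Samsung's or VMware's code), the following Python script audits a device policy report against the Primary profile (DO) baseline in the table above, so drift from the required values can be caught before a device is treated as compliant. The report format and its key names are hypothetical; real KSP managed-configuration keys differ, so map them to your own export before use.

```python
from typing import Dict, List

# Each rule: (report key, check, reason). Expected values are taken from the
# "Applicable Configuration Items" column of the Primary profile (DO) table.
# Key names are hypothetical; map them to your real KSP/UEM export fields.
DO_BASELINE = [
    ("bluetooth_profiles", lambda v: isinstance(v, list) and set(v) <= {"HFP", "HSP", "SPP"}, "only HFP, HSP, SPP allowed"),
    ("allow_unsecured_hotspot", lambda v: v is False, "must be Unselect"),
    ("disabled_system_apps", lambda v: isinstance(v, list) and len(v) > 0, "non-approved system apps must be listed"),
    ("audit_log_enabled", lambda v: v is True, "must be Select"),
    ("banner_text", lambda v: isinstance(v, str) and v.strip() != "", "DoD-mandated banner text required"),
    ("ocsp_check", lambda v: v == "all_apps", "enable for all apps"),
    ("revocation_check", lambda v: v == "all_apps", "enable for all apps"),
    ("external_storage_encryption", lambda v: v is True, "must be Select"),
    ("max_sequential_chars", lambda v: v == 2, "must be 2"),
    ("max_sequential_numbers", lambda v: v == 2, "must be 2"),
    ("usb_host_exceptions", lambda v: isinstance(v, list) and set(v) == {"HID"}, "only HID allowed"),
    ("cc_mode_enabled", lambda v: v is True, "must be Select"),
]

def audit_do_profile(report: Dict) -> List[str]:
    """Return one finding per failed rule; an empty list means the DO profile matches the baseline."""
    findings = []
    for key, check, why in DO_BASELINE:
        if key not in report:
            findings.append(f"{key}: missing from report ({why})")
        elif not check(report[key]):
            findings.append(f"{key}={report[key]!r}: {why}")
    return findings

# Constructed sample report: two settings drift from the baseline.
SAMPLE_REPORT = {
    "bluetooth_profiles": ["HFP", "HSP", "SPP", "A2DP"],  # A2DP is not in the allowed set
    "allow_unsecured_hotspot": False,
    "disabled_system_apps": ["com.example.cloudbackup"],  # constructed package name
    "audit_log_enabled": True,
    "banner_text": "Authorized use only (constructed sample banner)",
    "ocsp_check": "all_apps",
    "revocation_check": "all_apps",
    "external_storage_encryption": True,
    "max_sequential_chars": 2,
    "max_sequential_numbers": 4,  # too permissive
    "usb_host_exceptions": ["HID"],
    "cc_mode_enabled": True,
}

if __name__ == "__main__":
    for finding in audit_do_profile(SAMPLE_REPORT):
        print("FAIL", finding)  # reports the two drifted settings
```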

Managed Profile (PO)

Policy Group | Policy Rule | Available Options | Applicable Configuration Items
Knox RCP | Allow moving applications from Personal space to Managed Workspace | Select OR Unselect | Unselect
Knox RCP | Allow moving files from Managed Workspace to Personal space | Select OR Unselect | Unselect
Knox RCP | Allow sharing data from the Managed Workspace clipboard to the Personal space | Select OR Unselect | Unselect
Knox RCP | Allow syncing Managed Workspace calendar to Personal space | Select OR Unselect | Unselect
Knox RCP | Allow syncing Managed Workspace contacts to Personal space | Select OR Unselect | Unselect
Knox application | Disable system applications | Configure | Add all non-AO-approved system app packages; add all system app packages that are identified as having non-DoD-approved characteristics; add all preinstalled public cloud backup system apps
Knox certificate | Enable OCSP check | Configure | Enable for all apps
Knox certificate | Enable revocation check | Configure | Enable for all apps
Knox restrictions | Disallow share via list | Select OR Unselect | Select
Knox restrictions | Allow auto-fill | Select OR Unselect | Unselect
Knox restrictions | Allow Google accounts auto sync | Select OR Unselect | Unselect