Menu

STIG 11 COBO compliance

NOTE—The STIG 11 policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.

If there is an asterisk (*) below AE in the Vendor column, it means:

  • There is a KPE alternative policy that may be used for compliance if your management tool doesn’t implement the AE policy.
  • If your management tool also doesn’t implement the KPE policy, then KSP should be used to provide full coverage.
  • KSP implements all STIG-listed KPE policies, and all the listed alternatives to AE policies.
  • For information on how to find and configure these policies in KSP, see KSP references.

To implement the Knox Separated Apps feature, the policies listed in this table must be used in conjunction with the policies listed in the KSP Separated Apps table in the KSP reference.

Vendor

Policy Group

Policy Rule

Options

Settings

Related Requirement

Comment

AE

*

Device Password Requirements

Minimum password length

0+

6

KNOX-11-000100

setPasswordMinimumLength

AE

*

Device Password Requirements

Minimum password quality

Unspecified,

Something,

Numeric,

Numeric(Complex),

Alphabetic,

Alphanumeric,

Complex

Numeric

KNOX-11-000100, KNOX-11-000500, KNOX-11-000700

setPasswordQuality

PASSWORD_QUALITY_NUMERIC (minimum)

KPE

Device Password Requirements

Maximum sequential numbers

0+

2

KNOX-11-000300

This requirement is not applicable if the password quality is set to Numeric (complex), or better.

 

PasswordPolicy setMaximumNumericSequenceLength

AE

*

Device Password Requirements

Max time to screen lock

0 minutes

15 minutes

KNOX-11-000500

setMaximumTimeToLock

AE

*

Device Password Requirements

Max password failures for local wipe

0+

10

KNOX-11-000700

setMaximumFailedPasswordsForWipe

AE

*

Device Restrictions

Installs from unknown sources globally

Allow/

Disallow

Disallow

KNOX-11-001300

addUserRestriction

DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY

AE

*

Device Restrictions

Trust agents

Enable/Disable

Disable

KNOX-11-003900

setKeyguardDisabledFeatures

KEYGUARD_DISABLE_TRUST_AGENTS

AE

*

Device Restrictions

Face

Enable/Disable

Disable

KNOX-11-004100

setKeyguardDisabledFeatures

KEYGUARD_DISABLE_FACE

AE

*

Device Restrictions

Debugging features

Allow/

Disallow

Disallow

KNOX-11-005100

addUserRestriction

DISALLOW_DEBUGGING_FEATURES

AE

*

Device Restrictions

USB file transfer

Allow/

Disallow

Disallow

KNOX-11-006500, KNOX-11-006900

addUserRestriction

DISALLOW_USB_FILE_TRANSFER

KPE

Device Wi-Fi

Unsecured hotspot

Allow/

Disallow

Disallow

KNOX-11-008100

allowOpenWifiAp

KPE

Device Restrictions

CC mode

Enable/

Disable

Enable

KNOX-11-013900, KNOX-11-020100

setCCMode

AE

*

Device Restrictions

Mount physical media

Allow/Disallow

Disallow

KNOX-11-003500

Disable SD Card.

 

addUserRestriction

DISALLOW_MOUNT_PHYSICAL_MEDIA

AE

*

Device Restrictions

Security logging

Enable/

Disable

Enable

KNOX-11-018300

setSecurityLoggingEnabled (MDM must also provide means to read the Log in the console)

KPE

Device Restrictions

USB host mode exception list

APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR

HID

KNOX-11-020900

setUsbExceptionList

 

allowUsbHostStorage (must be toggled off/on for USB exception list to take effect)

KPE

Device Bluetooth

Bluetooth UUID allowlist

A2DP,

AVRCP,

BNEP,

BPP,

DUN,

FTP,

HFP,

HSP,

NAP,

OBEXOBJECTPUSH,

PANU,

PBAP,

SAP,

SPP

HFP,

HSP,

SPP,

A2DP,

AVRCP,

PBAP

KNOX-11-002300

addBluetoothUUIDsToWhiteList

 

addBluetoothUUIDsToBlackList

 

activateBluetoothUUIDRestriction

N/A

User Agreement

User Agreement

 

Include DoD-mandated warning banner text in User Agreement

KNOX-11-006300

Put the DoD Warning banner text in the User Agreement

 

Alternative: AE* setDeviceOwnerLockScreenInfo

AE

*

Device Restrictions

Config Date Time

Allow/

Disallow

Disallow

KNOX-11-020500

addUserRestriction

DISALLOW_CONFIG_DATE_TIME

AE

Device Enrollment Configuration

Default device enrollment

Full managed, Work profile for company-owned devices

Fully managed

KNOX-11-017900, KNOX-11-018500

Enroll device as an Android Enterprise device (DO)

AE

*

Device Restrictions

Outgoing beam

Allow/

Disallow

Disallow

KNOX-11-021700

addUserRestriction

DISALLOW_OUTGOING_BEAM

KPE

Device Restrictions

Share Via List

Allow/

Disallow

Disallow

KNOX-11-021300

allowShareList

AE

*

Device Restrictions

Backup service

Allow/

Disallow

Disallow

KNOX-11-007300

setBackupServiceEnabled

AE

Device Restrictions

Autofill services

Allow/

Disallow

Disallow

KNOX-11-019700

addUserRestriction

DISALLOW_AUTOFILL

AE

*

Device Restrictions

Account management

Account types, Enable/

Disable

Disable for: Work email app, Samsung Accounts, Google Accounts, and each AO-approved App that uses accounts for data backup/sync.

KNOX-11-007500, KNOX-11-017300

setAccountManagementDisabled

KPE

Device Restrictions

Revocation check OR OCSP check

Enable/

Disable

Enable

KNOX-11-022500

enableRevocationCheck

 

enableOcspCheck

AE

*

Device Policy Management

Certificates

Configure

Include DoD certificates in work profile

KNOX-11-022900

installCaCert

AE

*

Device Restrictions

Config credentials

Allow/

Disallow

Disallow

KNOX-11-023100

addUserRestriction

DISALLOW_CONFIG_CREDENTIALS

AE

*

Device Restrictions

List of approved apps listed in managed Google Play

List of apps

List only approved work apps in managed Google Play

KNOX-11-001700, KNOX-11-001900

Configure managed Google Play with approved work apps

AE

Device Restrictions

Unredacted Notifications

Allow/

Disallow

Disallow

KNOX-11-002700

setKeyguardDisabledFeatures

KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS

Share it: