
STIG compliance for COBO devices using UEM and KSP

NOTE—This guide provides a high-level description of the process to set up and configure STIG policies on COBO devices using the UEM console and KSP. For detailed information on configuring STIG policies using your UEM, see your UEM's help documentation.

To apply STIG compliance policies to COBO devices, do as follows:

  1. Set up COBO mode on your UEM console.
  2. Implement the COBO method of AE deployment on your devices.
  3. Add KSP as an app in the primary profile (DO).
  4. Create new DO profiles with appropriate policy restrictions as described in the Configure policies section of the KSP Admin Guide.
  5. In your UEM console, navigate to the Device Profiles page.
  6. NOTE—The navigation method and path you need to follow to open the Device Profiles page differ for each UEM. For example, the path for Microsoft Intune is as follows: Devices > Profiles & Resources > Profiles. Refer to your UEM console's help documentation for detailed information about your UEM's UI.
  7. On this page, click Add > Add profile. The select platform to start page opens.
  8. On this page, double-click Android. The Add a New Android Profile page opens to show a left navigation menu of items you can configure for your device profile.
  9. Using the items on the left navigation menu, edit the STIG compliance policies for COBO devices. Save your changes.
  10. Enable audit logging as follows: 
    1. From the UEM console home page, go to Devices > Device Settings > Android > Intelligent Hub Settings > Samsung Knox settings.
    2. Set the value of the Enable Audit Logging field to Enabled.
    3. Save your changes.
  11. Set additional policies and values using KSP. For information on the values you must set using KSP, see KSP settings for STIG compliance.
  12. Deploy these changes to your devices.

Settings for STIG compliance

| Policy Group | Policy Rule | Available Options | Applicable Configuration Items | Supported by KSP |
|---|---|---|---|---|
| Android user restrictions | Block autofill | Select OR Unselect | Select | ✓ |
| Knox Bluetooth | Allow these profiles | HSP, HFP, PBAP, A2DP, AVRCP, SPP, NAP, BNEP, HID, BPP, DUN, SAP | HFP, HSP, SPP | ✓ |
| Knox Wi-Fi | Allow connections to an unsecured hotspot | Select OR Unselect | Unselect | ✓ |
| Knox application | Allow installation of application from the installation whitelist | Configure | Add each AO-approved package | ✓ |
| Knox application | Disable system applications | Configure | Add all non-AO-approved system app packages; add all system app packages that are identified as having non-DoD-approved characteristics; add all preinstalled public cloud backup system apps | ✓ |
| Knox audit log | Enable audit log | Select OR Unselect | Select | ✓ |
| Knox banner | Show banner text | Configure | Add DoD-mandated warning banner text | ✓ |
| Knox certificate | Enable OCSP check | Configure | Enable for all apps | ✓ |
| Knox certificate | Enable revocation check | Configure | Enable for all apps | ✓ |
| Knox encryption | Enable encryption of external storage devices | Select OR Unselect | Select | ✓ |
| Knox password constraints | Maximum number of sequential characters allowed in passwords | 0+ | 2 | ✓ |
| Knox password constraints | Maximum number of sequential numbers allowed in passwords | 0+ | 2 | ✓ |
| Knox restrictions | Block functionality of the share via list | Select OR Unselect | Select | ✓ |
| Knox restrictions | Add items to USB host mode exception list | APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR | HID | ✓ |
| Knox restrictions | Allow auto-fill | Select OR Unselect | Unselect | ✓ |
| Knox restrictions | Allow automatic sync of Google Accounts data | Select OR Unselect | Unselect | ✓ |
| Knox restrictions | Enable CC mode | Select OR Unselect | Select | ✓ |
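
The following is an added example, not part of the KSP documentation: a drift check that compares a profile's settings against the select/unselect, list, and numeric values in the settings table on this page. The snake_case keys are hypothetical labels rather than KSP or UEM key names, and requiring an exact match for every value is an assumption of this example.

```python
# STIG values transcribed from the settings table on this page.
# The snake_case keys are hypothetical labels for this example, not KSP or UEM key names.
BASELINE = {
    "block_autofill": True,
    "bluetooth_allowed_profiles": frozenset({"HFP", "HSP", "SPP"}),
    "allow_unsecured_hotspot": False,
    "enable_audit_log": True,
    "encrypt_external_storage": True,
    "max_sequential_characters": 2,
    "max_sequential_numbers": 2,
    "block_share_via_list": True,
    "usb_host_mode_exceptions": frozenset({"HID"}),
    "allow_autofill": False,
    "allow_google_account_sync": False,
    "enable_cc_mode": True,
}

def check_profile(profile):
    """Return (key, problem) findings in baseline order; an empty list means no drift."""
    findings = []
    for key, required in BASELINE.items():
        if key not in profile:
            findings.append((key, "not set"))
            continue
        actual = profile[key]
        if isinstance(required, frozenset):
            # List-valued rules: compare as sets and report both directions of drift.
            actual = frozenset(actual)
            extra, missing = actual - required, required - actual
            if extra:
                findings.append((key, "extra: " + ", ".join(sorted(extra))))
            if missing:
                findings.append((key, "missing: " + ", ".join(sorted(missing))))
        elif type(actual) is not type(required) or actual != required:
            # Strict type check so that 1 is not accepted where True is required.
            findings.append((key, f"expected {required!r}, got {actual!r}"))
    return findings

# Constructed sample: a profile that has drifted from the baseline in four places.
SAMPLE_PROFILE = dict(
    BASELINE,
    bluetooth_allowed_profiles=["HFP", "HSP", "SPP", "A2DP"],
    allow_unsecured_hotspot=True,
    max_sequential_characters=0,
)
del SAMPLE_PROFILE["enable_cc_mode"]
if __name__ == "__main__":
    for key, problem in check_profile(SAMPLE_PROFILE):
        print(f"{key}: {problem}")
```

Rows whose value is organization-specific (AO-approved packages, banner text, disabled system apps) are left out because the table gives no fixed value to compare against.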