STIG 9 compliance for COBO devices using UEM and KSP

NOTE—This guide provides a high-level description of the process to set up and configure STIG policies on COBO devices using the UEM console and KSP. For detailed information on configuring STIG policies using your UEM, see your UEM's help documentation.

For a video describing STIG compliance for a fully managed device, see STIG compliance for a fully managed device.

To apply STIG compliance policies to COBO devices, do as follows:

  1. Set up COBO mode on your UEM console.
  2. Deploy Android Enterprise (AE) to your devices using the COBO (fully managed, device owner) method.
  3. Add KSP as an app in the primary profile (DO).
  4. Create new DO profiles with the appropriate policy restrictions, as described in the Configure policies section of the KSP Admin Guide.
  5. In your UEM console, navigate to the Device Profiles page.
     NOTE—The navigation path to the Device Profiles page differs for each UEM. For example, in Workspace ONE UEM (whose console the following steps describe) the path is Devices > Profiles & Resources > Profiles. Refer to your UEM console's help documentation for details of its UI.
  6. On this page, click Add > Add Profile. The Select a platform to start page opens.
  7. On this page, double-click Android. The Add a New Android Profile page opens and shows a left navigation menu of the items you can configure for your device profile.
  8. Using the items on the left navigation menu, edit the STIG compliance policies for COBO devices, then save your changes.
  9. Enable audit logging as follows:
    1. From the UEM console home page, go to Devices > Device Settings > Android > Intelligent Hub Settings > Samsung Knox settings.
    2. Set the value of the Enable Audit Logging field to Enabled.
    3. Save your changes.
  10. Set the additional policies and values using KSP. For the values you must set using KSP, see Settings for STIG compliance below.
  11. Deploy these changes to your devices.

Settings for STIG compliance

NOTE—The policies, values, and configurations described in the table below are supported by KSP and designed to work within your unique UEM environment.
| Policy Group | Policy Rule | Available Options | Applicable Configuration Items |
|---|---|---|---|
| Android user restrictions | Block autofill | Select OR Unselect | Select |
| Knox Bluetooth | Allow these profiles | HSP, HFP, PBAP, A2DP, AVRCP, SPP, NAP, BNEP, HID, BPP, DUN, SAP | HFP, HSP, SPP |
| Knox Wi-Fi | Allow connections to an unsecured hotspot | Select OR Unselect | Unselect |
| Knox application | Allow the installation of an application from the allow list | Configure | Add each AO-approved package |
| Knox application | Disable system applications | Configure | Add all non-AO-approved system app packages; add all system app packages identified as having non-DoD-approved characteristics; add all preinstalled public cloud backup system apps |
| Knox audit log | Enable audit log | Select OR Unselect | Select |
| Knox banner | Show banner text | Configure | Add DoD-mandated warning banner text |
| Knox certificate | Enable OCSP check | Configure | Enable for all apps |
| Knox certificate | Enable revocation check | Configure | Enable for all apps |
| Knox encryption | Enable encryption of external storage devices | Select OR Unselect | Select |
| Knox password constraints | Maximum number of sequential characters allowed in passwords | 0+ | 2 |
| Knox password constraints | Maximum number of sequential numbers allowed in passwords | 0+ | 2 |
| Knox restrictions | Block functionality of the share via list | Select OR Unselect | Select |
| Knox restrictions | Add items to USB host mode exception list | APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR | HID |
| Knox restrictions | Allow auto-fill | Select OR Unselect | Unselect |
| Knox restrictions | Allow automatic sync of Google Accounts data | Select OR Unselect | Unselect |
| Knox restrictions | Enable CC mode | Select OR Unselect | Select |
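The values in the table are easy to mis-set one at a time across a UEM profile and a KSP payload, so it helps to audit the exported policy mechanically before deploying. The following script is an added example, not Samsung's KSP code and not any UEM's export format: it checks a policy dictionary against the table above (the Select/Unselect values, the Bluetooth and USB host allow lists, the sequential-character limits, the install allow list and the DoD banner) and derives the "Disable system applications" list from a device inventory minus the AO-approved packages. The dictionary key names (block_autofill, bluetooth_profiles, usb_host_exceptions, and so on), the package names and both sample payloads are assumptions constructed for the example; map the keys to the real KSP managed-configuration keys from your UEM before relying on it.

```python
"""Audit a KSP-style policy payload against the STIG values in the table above.

Added example; not Samsung's KSP code and not any UEM's export format. The
dictionary keys used here (block_autofill, bluetooth_profiles, ...) are
assumed names for illustration, not the KSP managed-configuration schema;
map them to the real keys from your UEM before relying on this.
"""
from __future__ import annotations

# Select/Unselect policies and the value the STIG table requires for each.
REQUIRED_BOOLEANS: dict[str, bool] = {
    "block_autofill": True,                  # Android user restrictions
    "allow_unsecured_hotspot": False,        # Knox Wi-Fi
    "enable_audit_log": True,                # Knox audit log
    "ocsp_check_all_apps": True,             # Knox certificate
    "revocation_check_all_apps": True,       # Knox certificate
    "encrypt_external_storage": True,        # Knox encryption
    "block_share_via_list": True,            # Knox restrictions
    "allow_autofill": False,                 # Knox restrictions
    "allow_google_account_autosync": False,  # Knox restrictions
    "enable_cc_mode": True,                  # Knox restrictions
}
ALLOWED_BT_PROFILES = {"HFP", "HSP", "SPP"}  # Knox Bluetooth: allow only these
ALLOWED_USB_HOST_CLASSES = {"HID"}           # USB host mode exception list
REQUIRED_MAX_SEQUENTIAL = 2                  # both Knox password constraints


def derive_disable_list(system_packages: set[str], ao_approved: set[str],
                        flagged: set[str]) -> set[str]:
    """Build the 'Disable system applications' list from a device inventory:
    every preinstalled package the AO has not approved, plus any package
    flagged for non-DoD-approved characteristics or public cloud backup."""
    return (system_packages - ao_approved) | (flagged & system_packages)


def audit(policy: dict, system_packages: set[str], ao_approved: set[str],
          flagged: set[str]) -> list[str]:
    """Return findings as strings; an empty list means the payload matches the table."""
    findings: list[str] = []
    for key, want in REQUIRED_BOOLEANS.items():
        got = policy.get(key)
        if got is not want:
            findings.append(f"{key}: expected {want}, got {got!r}")
    extra_bt = set(policy.get("bluetooth_profiles", [])) - ALLOWED_BT_PROFILES
    if extra_bt:
        findings.append(f"bluetooth_profiles: not STIG-approved: {sorted(extra_bt)}")
    extra_usb = set(policy.get("usb_host_exceptions", [])) - ALLOWED_USB_HOST_CLASSES
    if extra_usb:
        findings.append(f"usb_host_exceptions: only HID is permitted, found {sorted(extra_usb)}")
    # The table mandates exactly 2; treat anything else (including 0) as a finding.
    for key in ("max_sequential_chars", "max_sequential_numbers"):
        if policy.get(key) != REQUIRED_MAX_SEQUENTIAL:
            findings.append(f"{key}: expected {REQUIRED_MAX_SEQUENTIAL}, got {policy.get(key)!r}")
    # Install allow list: must exist and contain only AO-approved packages.
    allow = set(policy.get("install_allow_list", []))
    if not allow:
        findings.append("install_allow_list: empty; an AO-approved allow list is required")
    elif allow - ao_approved:
        findings.append(f"install_allow_list: not AO-approved: {sorted(allow - ao_approved)}")
    # Disable list must cover everything derived from the inventory.
    missing = (derive_disable_list(system_packages, ao_approved, flagged)
               - set(policy.get("disabled_system_apps", [])))
    if missing:
        findings.append(f"disabled_system_apps: missing {sorted(missing)}")
    if not policy.get("banner_text", "").strip():
        findings.append("banner_text: DoD-mandated warning banner is not set")
    return findings


# Constructed sample inventory and payloads (package names are made up).
SYSTEM_PACKAGES = {"com.example.dialer", "com.example.camera",
                   "com.example.cloudbackup", "com.example.socialfeed"}
AO_APPROVED = {"com.example.dialer", "com.example.camera", "com.example.cloudbackup"}
FLAGGED = {"com.example.cloudbackup"}  # preinstalled public cloud backup app

WEAK_POLICY = {  # a default-looking payload that fails the STIG on every row
    "block_autofill": False, "allow_unsecured_hotspot": True, "enable_audit_log": False,
    "ocsp_check_all_apps": False, "revocation_check_all_apps": False,
    "encrypt_external_storage": False, "block_share_via_list": False,
    "allow_autofill": True, "allow_google_account_autosync": True, "enable_cc_mode": False,
    "bluetooth_profiles": ["HFP", "A2DP", "PBAP"], "usb_host_exceptions": ["HID", "MAS"],
    "max_sequential_chars": 0, "max_sequential_numbers": 0,
    "install_allow_list": [], "disabled_system_apps": [], "banner_text": "",
}
COMPLIANT_POLICY = {  # the same payload corrected to the table's values
    **REQUIRED_BOOLEANS,
    "bluetooth_profiles": ["HFP", "HSP", "SPP"], "usb_host_exceptions": ["HID"],
    "max_sequential_chars": 2, "max_sequential_numbers": 2,
    "install_allow_list": ["com.example.dialer", "com.example.camera"],
    "disabled_system_apps": sorted(derive_disable_list(SYSTEM_PACKAGES, AO_APPROVED, FLAGGED)),
    "banner_text": "DoD-mandated warning banner text goes here (placeholder)",
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, audit(pol, SYSTEM_PACKAGES, AO_APPROVED, FLAGGED) or "OK")
```

Run against the weak payload the audit reports one finding per table row it violates; against the corrected payload it reports none. The derive_disable_list step is the part worth keeping: the STIG wants every non-approved system package disabled, so generate that list from the actual package inventory of the device model you deploy rather than typing it by hand.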