Menu

STIG 10 COPE compliance

Settings for STIG 10 COPE compliance

NOTE—The STIG 10 policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.

Please refer to the slider at the bottom of the table to scroll to additional columns on the right.

Policy Group Policy Rule Available Options Settings Severity API List API Values COPE Work Environment Policy Paths
Password Requirements Minimum password length 0+ 6 II BasePasswordPolicy
setPasswordMinimumLength

6 (preferred, minimum)

NA
Password Requirements Minimum password quality Unspecified, Something, Numeric, Numeric (Complex), Alphabetic, Alphanumeric, Complex Numeric(Complex) II BasePasswordPolicy
setPasswordQuality

PasswordPolicy
setMaximumNumericSequenceLength

PASSWORD_QUALITY_NUMERIC_COMPLEX (preferred)

PASSWORD_QUALITY_NUMERIC (minimum)

NA
Password Requirements Maximum time to screen lock 0 minutes 15 minutes II BasePasswordPolicy
setMaximumTimeToLock
900000 ms (minimum) NA
Password Requirements Maximum password failures until local wipe 0+ 10 II BasePasswordPolicy
setMaximumFailedPasswordsToWipe
10 (minimum) NA
Restrictions Installs from unknown sources Allow/Disallow Disallow II RestrictionPolicy
SetAllowNonMarketApps
FALSE NA
Restrictions Trust agents Allow/Disallow Disallow II BasePasswordPolicy
setKeyguardDisabledFeatures
(Disable trust agent)
KEYGUARD_DISABLE_TRUST_AGENTS NA
Restrictions Face Allow/Disallow Disallow II PasswordPolicy
setBiometricAuthenticationEnabled
BIOMETRIC_AUTHENTICATION_FACE

FALSE
NA
Restrictions Debugging features Allow/Disallow Disallow II RestrictionPolicy
allowDeveloperMode
FALSE NA
Restrictions USB file transfer Allow/Disallow Disallow II RestrictionPolicy
setUsbMediaPlayerAvailability
FALSE NA
Wi-Fi Unsecured hotspot Allow/Disallow Disallow II WiFiPolicy
allowOpenWifi
FALSE NA
Multiuser Multi-user mode Allow/Disallow Disallow II MultiUserManager
allowMultipleUsers
FALSE NA
Restrictions CC mode Enable/Disable Enable II AdvancedRestrictionPolicy
setCCMode
TRUE NA
Policy
Management
SD Card Enable/Disable Disable I RestrictionPolicy
setSdCardState
FALSE NA
Encryption External storage encryption Enable/Disable Enable I DeviceSecurityPolicy
setExternalStorageEncryption
TRUE NA
Application System app disable list core apps list List non AO approved system app packages II ApplicationPolicy
setDisableApplication
Package Name NA
KPE Audit
Log
Audit Log Enable/Disable Enable II AuditLog
enableAuditLog
(0) UEM must provide the means to read the log in their console

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Audit log

4. Enable Audit Log [enable]

5. Log Path [configure]

Restrictions USB host mode exception list APP AUD CDC COM CON CSCHID HUB MAS MIS PER PHY PRI STI VEN VID WIR HID II RestrictionPolicy
setUsbExceptionList
USBInterface.HID.getValue NA
Restrictions USB Host Storage Enable/Disable Disable II RestrictionPolicy
allowUsbHostStorage

(must be toggled off/on for USB
exception list to take effect)
TRUE NA
Restrictions Bluetooth Allow/Disallow Allow/Disallow III RestrictionPolicy
allowBluetooth
FALSE NA
Bluetooth Bluetooth UUID Allow list and Block list A2DP_ADVAUDIODIST_UUID
A2DP_AUDIOSINK_UUID
A2DP_AUDIOSOURCE_UUID AVRCP_CONTROLLER_UUI AVRCP_TARGET_UUID
BNEP_UUID
BPP_UUID
DUN_UUID
FTP_UUID
HFP_AG_UUID
HFP_UUID
HSP_AG_UUID
HSP_UUID
NAP_UUID OBEXOBJECTPUSH_UUID PANU_UUID
PBAP_PSE_UUID
PBAP_UUID
SAP_UUID
SPP_UUID
  III BluetoothPolicy
addBluetoothUUIDsToWhiteList


BluetoothPolicy
addBluetoothUUIDsToBlackList
(*) Wildcard String NA
User
Agreement
User Agreement User Agreement DoD-mandated warning banner text in User Agreement II Put the DoD Warning Banner Text
in the User Agreement
0 NA
Banner Banner Text Configure DoD-mandated warning banner text III BootBanner
enableRebootBanner
TRUE NA
Restrictions Date Time Change Enable/Disable Disable II DateTimePolicy
setDateTimeChangeEnabled
FALSE NA
Restrictions Outgoing Beam Allow/Disallow Disallow II RestrictionPolicy
allowAndroidBeam
FALSE NA
Restrictions Share Via List Allow/Disallow Disallow II RestrictionPolicy
allowShareList
FALSE

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Restrictions in work profiles

4. Enable work profile restriction controls [enable]

5. Allow share via option [disable]

Restrictions Backup Service Allow/Disallow Disallow II RestrictionPolicy
setBackup
FLASE NA
RCP Move File to Personal Allow/Disallow Disallow II RCPPolicy
AllowMoveFilesToOwner
FALSE NA
RCP Sync Calendar to Personal Allow/Disallow Disallow II RCPPolicy
setAllowChangeDataSyncPolicy
CALENDAR, EXPORT,

FLASE
NA
Account Account Addition Blacklist Blacklist "Blacklist all" for Work email app, Samsung accounts, and Google accounts II DeviceAccountPolicy
addAccountsToAdditionBlackList
Account Types (Wotk Email App. Google Accounts, Samsung Accounts)

(*) Wildcard String

Step 1

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Device Account Policy

4. Enable Device Account policy controls [enable]

5. Enable Device Account policies (Configure profiles below) [enable]

Step 2

1. Device Account Policy Configurations

2. Device Account Policy Configuration

3. Add Account Type to Addition Allow or Block list [choose types]

4. Add Accounts to Addition Allow list or Block list [configure "*"]

Application System App Disable List Core App List List non AO approved system app packages II ApplicationPolicy
setDisableApplication
Package Name

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Application managment policies

4. Enable appplication management controls [enable]

5. Disable application without user interaction [comma separated pkg list]

Restrictions Revocation Check Enable/Disable Enable II CertificatePolicy
enableRevocationCheck
(*) Wildcard String

TRUE

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Certificate revocation

6. Enable revocation check [enable]

Restrictions OCSP Check

(With Revocation Check Fallback)
Enable/Disable Enable II CertificatePolicy
enableOcspCheck
(*) Wildcard String

TRUE

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Certificate revocation

6. Enable OCSP check before CRL [enable]

Policy
Management
Certificates Configure Include DoD certificates in work profile II CertificateProvisioning
installCertificateToKeystore
TYPE_CERTIFICATE/TYPE_PKCS12, Certificate, Alias, Decryption Password

KEYSTORE_DEFAULT/KEYSTORE_FOR_WIFI/KEYSTORE_FOR_VPN_AND_APPS

 

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Install certificate in keystore(s) silently [configure]

Certificates Certificates Configure Include DoD certificates in work profile II CertificatePolicy
allowUserRemoveCertificates
FALSE

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Certificate management policies

4. Enable certificate management controls [enable]

5. Block user from removing certificate [enable]

Applications List of approved apps listed in managed Google Play List of Apps List only approved work apps II ApplicationPolicy
addAppPackageNameToWhiteList

ApplicationPolicy
addAppPackageNameToBlackList
Package name

(*) Wildcard String

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Application management policies

4. Enable application management controls

5. Enable Allow list or Block list by package name [configure comma separated pkg name or "*"]

Applications List of approved apps listed in managed Google Play List of Apps List only approved work apps II
ApplicationPolicy
addAppSignatureToWhiteList

ApplicationPolicy
addAppSignatureToBlackList

Package Signature


(*) Wildcard String

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. Application management policies

4. Enable application management controls

5. Enable Allow list or Block list by signature used [configure comma separated pkg list or "*"]

RCP Show detailed notifications Allow/Disallow Disallow II RCPPolicy
allowMoveFilesToOwner
NOTIFICATIONS,
SANITIZE_DATA

FALSE

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. RCP Policy

4. Enable RCP Policy Controls [enable]

5. Allow moving files from work profile to personal space [enable]

RCP Sharing clipboard to personal Allow/Disallow Disallow II RCPPolicy
allowShareClipboardDataToOwner
FALSE

1. Work profile policies
(Profile Owner)

2. Enable work profile policies [enable]

3. RCP Policy

4. Enable RCP Policy Controls [enable]

5. Enable Sharing of Clipboard Data to Owner [enable]