*BASICS*
The Knox Ecosystem
White Paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Samsung Knox Portal
Knox Cloud Services
- Sign in with SSO
General Knox Support
Knox Licenses
*FOR IT ADMINS*
Knox Admin Portal
- About
- Introduction
  - Select Knox services
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQs
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
  - Before you begin
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Release notes
- FAQs
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- How-to videos
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Release notes
- FAQs
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQs
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQs
*FOR RESELLERS*
Knox Deployment Program
- Introduction
- Get started
  - Get access to the Reseller Portal
  - Buy from a reseller
- Features
- Release notes
- FAQs
- KBAs
*FOR MANAGED SERVICE PROVIDERS*
Knox MSP Program
- Introduction
- How-to video
- Get started
  - Firewall exceptions
  - Before you begin
- Features
- Release notes
- FAQs
- KBAs
- Glossary

STIG 9 compliance for fully managed devices with a work profile using UEM and KSP

NOTE—This section provides high-level instructions to set up and configure STIG policies on a fully managed device with a work profile using VMware Workspace ONE UEM console. For detailed information on configuring STIG policies VMware Workspace ONE UEM console, see VMware AirWatch v9.x MDM STIG.

To reference a video describing STIG compliance for fully managed devices with a work profile, go to: STIG compliance for fully managed devices with a work profile.

VMware Workspace ONE UEM does not currently provide native support for all STIG policies necessary for compliance. IT admins can use KSP from within Workspace ONE to ensure compliance with STIG policies.

NOTE—Currently, you can create a Personal space—also known as Personal profile in Android Enterprise—on fully managed device with a work profile using VMware Workspace ONE UEM, but cannot use KSP to apply additional policies to the Personal space. This results in an inability to use KSP to enforce STIG compliance for Personal space policies.

To apply STIG compliance policies:

Set the fully managed device with a work profile mode on your UEM console.
Implement the fully managed device with a work profile method of AE deployment on your devices.
Add KSP as an app in DO and PO as described in Step 1: VMware Workspace ONE UEM - Add to UEM.
Create new DO and PO profiles with appropriate policy restrictions as described in Step 2: VMware Workspace ONE UEM - Configure.
In your UEM console, go to Devices > Profiles & Resources > Profiles. The Profiles page opens.
On this page, click Add > Add profile. The select platform to start page opens.
On this page, double-click Android. The Add a New Android Profile page opens to show a left navigation menu of items you can configure for your device profile.
Edit the STIG compliance policies using the items on the left navigation menu. edit the Save your changes.
From the UEM console home page, go to Devices > Device Settings > Android > Android EMM Registration > fully managed device enrollments list, set the value to Corporate Owned Personally Enabled.
Enable audit logging as follows:
1. From the UEM console home page, go to Devices > Device Settings > Android > Intelligent Hub Settings > Samsung Knox settings.
2. Set the value of the Enable Audit Logging field to Enabled.
3. Save your changes.
Set additional policies and values using KSP.
Deploy KSP policy changes to a fully managed device with a work profile as described in Step 3: VMware Workspace ONE UEM - Deploy.

Settings for STIG compliance

NOTE—The policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.

Primary profile (DO)

Policy Group	Policy Rule	Available Options	Applicable Configuration Items
Knox Bluetooth	Allow these profiles	HSP, HFP, PBAP, A2DP, AVRCP, SPP, NAP, BNEP, HID, BPP, DUN, SAP	HFP, HSP, SPP
Knox Wi-Fi	Allow connections to an unsecured hotspot	Select OR Unselect	Unselect
Knox application	Disable system applications	Configure	Add all non-AO-approved system app packages Add all system app packages that are identified as having non-DoD-approved characteristics Add all preinstalled public cloud backup system apps
Knox audit log	Enable audit log	Select OR Unselect	Select
Knox banner	Show banner text	Configure	Add DoD-mandated warning banner text
Knox certificate	Enable OCSP check	Configure	Enable for all apps
Knox certificate	Enable revocation check	Configure	Enable for all apps
Knox encryption	Enable encryption of external storage devices	Select OR Unselect	Select
Knox password constraints	Maximum number of sequential characters allowed in passwords	0+	2
Knox password constraints	Maximum number of sequential numbers allowed in passwords	0+	2
Knox restrictions	Add items to USB host mode exception list	APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR	HID
Knox restrictions	Enable CC mode	Select OR Unselect	Select

Managed Profile (PO)

Policy Group	Policy Rule	Available Options	Applicable Configuration Items
Knox RCP	Allow moving applications from Personal space to Managed Workspace	Select OR Unselect	Unselect
Knox RCP	Allow moving files from Managed Workspace to Personal space	Select OR Unselect	Unselect
Knox RCP	Allow sharing data from the Managed Workspace clipboard to the Personal space	Select OR Unselect	Unselect
Knox RCP	Allow syncing Managed Workspace calendar to Personal space	Select OR Unselect	Unselect
Knox RCP	Allow syncing Managed Workspace contacts to Personal space	Select OR Unselect	Unselect
Knox application	Disable system applications	Configure	Add all non-AO-approved system app packages Add all system app packages that are identified as having non-DoD-approved characteristics Add all preinstalled public cloud backup system apps
Knox certificate	OCSP check	Configure	Enable for all apps
Knox certificate	revocation check	Configure	Enable for all apps
Knox restrictions	Disallow share via list	Select OR Unselect	Select
Knox restrictions	allow auto-fill	Select OR Unselect	Unselect
Knox restrictions	allow google accounts auto sync	Select OR Unselect	Unselect