STIG 9 compliance for fully managed devices with a work profile using UEM and KSP
NOTE—This section provides high-level instructions to set up and configure STIG policies on a fully managed device with a work profile using the VMware Workspace ONE UEM console. For detailed information on configuring STIG policies in the VMware Workspace ONE UEM console, see VMware AirWatch v9.x MDM STIG.
For a video describing STIG compliance for fully managed devices with a work profile, see: STIG compliance for fully managed devices with a work profile.
VMware Workspace ONE UEM does not currently provide native support for all STIG policies necessary for compliance. IT admins can use KSP from within Workspace ONE to ensure compliance with STIG policies.
NOTE—Currently, you can create a Personal space—also known as a Personal profile in Android Enterprise—on a fully managed device with a work profile using VMware Workspace ONE UEM, but you cannot use KSP to apply additional policies to the Personal space. As a result, KSP cannot be used to enforce STIG compliance for Personal space policies.
To apply STIG compliance policies:
- Set the fully managed device with a work profile mode on your UEM console.
- Implement the fully managed device with a work profile method of AE deployment on your devices.
- Add KSP as an app in DO and PO as described in Step 1: VMware Workspace ONE UEM - Add to UEM.
- Create new DO and PO profiles with appropriate policy restrictions as described in Step 2: VMware Workspace ONE UEM - Configure.
- In your UEM console, go to Devices > Profiles & Resources > Profiles. The Profiles page opens.
- On this page, click Add > Add profile. The select platform to start page opens.
- On this page, double-click Android. The Add a New Android Profile page opens and shows a left navigation menu of the items you can configure for your device profile.
- Edit the STIG compliance policies using the items on the left navigation menu, then save your changes.
- From the UEM console home page, go to Devices > Device Settings > Android > Android EMM Registration, and in the fully managed device enrollments list set the value to Corporate Owned Personally Enabled.
- Enable audit logging as follows:
  - From the UEM console home page, go to Devices > Device Settings > Android > Intelligent Hub Settings > Samsung Knox settings.
  - Set the value of the Enable Audit Logging field to Enabled.
  - Save your changes.
- Set additional policies and values using KSP.
- Deploy KSP policy changes to a fully managed device with a work profile as described in Step 3: VMware Workspace ONE UEM - Deploy.
Settings for STIG compliance
NOTE—The policies, values, and configuration options described in the tables below are supported by KSP and designed to work within your unique UEM environment.
Primary profile (DO)
Policy Group | Policy Rule | Available Options | Applicable Configuration Items |
---|---|---|---|
Knox Bluetooth | Allow these profiles | HSP, HFP, PBAP, A2DP, AVRCP, SPP, NAP, BNEP, HID, BPP, DUN, SAP | HFP, HSP, SPP |
Knox Wi-Fi | Allow connections to an unsecured hotspot | Select OR Unselect | Unselect |
Knox application | Disable system applications | Configure | |
Knox audit log | Enable audit log | Select OR Unselect | Select |
Knox banner | Show banner text | Configure | Add DoD-mandated warning banner text |
Knox certificate | Enable OCSP check | Configure | Enable for all apps |
Knox certificate | Enable revocation check | Configure | Enable for all apps |
Knox encryption | Enable encryption of external storage devices | Select OR Unselect | Select |
Knox password constraints | Maximum number of sequential characters allowed in passwords | 0+ | 2 |
Knox password constraints | Maximum number of sequential numbers allowed in passwords | 0+ | 2 |
Knox restrictions | Add items to USB host mode exception list | APP, AUD, CDC, COM, CON, CSC, HID, HUB, MAS, MIS, PER, PHY, PRI, STI, VEN, VID, WIR | HID |
Knox restrictions | Enable CC mode | Select OR Unselect | Select |
Managed Profile (PO)
Policy Group | Policy Rule | Available Options | Applicable Configuration Items |
---|---|---|---|
Knox RCP | Allow moving applications from Personal space to Managed Workspace | Select OR Unselect | Unselect |
Knox RCP | Allow moving files from Managed Workspace to Personal space | Select OR Unselect | Unselect |
Knox RCP | Allow sharing data from the Managed Workspace clipboard to the Personal space | Select OR Unselect | Unselect |
Knox RCP | Allow syncing Managed Workspace calendar to Personal space | Select OR Unselect | Unselect |
Knox RCP | Allow syncing Managed Workspace contacts to Personal space | Select OR Unselect | Unselect |
Knox application | Disable system applications | Configure | |
Knox certificate | OCSP check | Configure | Enable for all apps |
Knox certificate | Revocation check | Configure | Enable for all apps |
Knox restrictions | Disallow share via list | Select OR Unselect | Select |
Knox restrictions | Allow auto-fill | Select OR Unselect | Unselect |
Knox restrictions | Allow Google accounts auto sync | Select OR Unselect | Unselect |
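The two tables above are the baseline; what an admin usually needs next is a way to tell whether a device's KSP configuration has drifted from it. The following is an added example (not Samsung or VMware code) of a drift check over an exported managed configuration. The key names such as `bt_allowed_profiles` and `cc_mode_enabled` are hypothetical stand-ins for the real KSP restriction keys, and the DO export is constructed inline; map the keys to your UEM's actual export before using it. The check treats list policies (Bluetooth profiles, USB host exceptions) as allow-lists that may be tighter than the table but never wider, numeric policies as upper bounds, and a policy missing from the export as non-compliant, since an unset policy is not evidence of compliance.

```python
"""Drift check of a KSP managed-configuration export against the STIG tables.

Added example, not Samsung's or VMware's code. Key names are hypothetical
placeholders for KSP restriction keys; the export below is constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    profile: str                   # "DO" (primary profile) or "PO" (managed profile)
    name: str                      # policy rule wording from the table
    key: str                       # hypothetical managed-configuration key
    check: Callable[[Any], bool]   # True when the exported value meets the baseline
    expected: str                  # applicable configuration item from the table


def equals(want: Any) -> Callable[[Any], bool]:
    return lambda v: v == want


def at_most(limit: int) -> Callable[[Any], bool]:
    # "0+" options: any non-negative integer no larger than the STIG value
    return lambda v: isinstance(v, int) and 0 <= v <= limit


def subset_of(allowed: set) -> Callable[[Any], bool]:
    # an allow-list may be tighter than the baseline, never wider
    return lambda v: isinstance(v, (list, tuple, set)) and set(v) <= allowed


def non_empty_text(v: Any) -> bool:
    return isinstance(v, str) and v.strip() != ""


RULES: List[Rule] = [
    Rule("DO", "Allow these profiles", "bt_allowed_profiles", subset_of({"HFP", "HSP", "SPP"}), "HFP, HSP, SPP"),
    Rule("DO", "Allow connections to an unsecured hotspot", "wifi_allow_unsecured_hotspot", equals(False), "Unselect"),
    Rule("DO", "Enable audit log", "audit_log_enabled", equals(True), "Select"),
    Rule("DO", "Show banner text", "banner_text", non_empty_text, "DoD-mandated warning banner text"),
    Rule("DO", "Enable OCSP check", "cert_ocsp_scope", equals("all_apps"), "Enable for all apps"),
    Rule("DO", "Enable revocation check", "cert_revocation_scope", equals("all_apps"), "Enable for all apps"),
    Rule("DO", "Enable encryption of external storage devices", "encrypt_external_storage", equals(True), "Select"),
    Rule("DO", "Maximum number of sequential characters allowed in passwords", "pw_max_sequential_chars", at_most(2), "2"),
    Rule("DO", "Maximum number of sequential numbers allowed in passwords", "pw_max_sequential_numbers", at_most(2), "2"),
    Rule("DO", "Add items to USB host mode exception list", "usb_host_exceptions", subset_of({"HID"}), "HID"),
    Rule("DO", "Enable CC mode", "cc_mode_enabled", equals(True), "Select"),
    Rule("PO", "Allow moving applications from Personal space to Managed Workspace", "rcp_move_apps_to_work", equals(False), "Unselect"),
    Rule("PO", "Allow moving files from Managed Workspace to Personal space", "rcp_move_files_to_personal", equals(False), "Unselect"),
    Rule("PO", "Allow sharing data from the Managed Workspace clipboard to the Personal space", "rcp_clipboard_to_personal", equals(False), "Unselect"),
    Rule("PO", "Allow syncing Managed Workspace calendar to Personal space", "rcp_sync_calendar", equals(False), "Unselect"),
    Rule("PO", "Allow syncing Managed Workspace contacts to Personal space", "rcp_sync_contacts", equals(False), "Unselect"),
    Rule("PO", "OCSP check", "cert_ocsp_scope", equals("all_apps"), "Enable for all apps"),
    Rule("PO", "Revocation check", "cert_revocation_scope", equals("all_apps"), "Enable for all apps"),
    Rule("PO", "Disallow share via list", "disallow_share_via_list", equals(True), "Select"),
    Rule("PO", "Allow auto-fill", "allow_autofill", equals(False), "Unselect"),
    Rule("PO", "Allow Google accounts auto sync", "allow_google_auto_sync", equals(False), "Unselect"),
]


def find_drift(profile: str, config: Dict[str, Any]) -> List[str]:
    """Return one finding per baseline rule the export misses for that profile.
    A key absent from the export is reported too: unset is not compliant."""
    findings = []
    for rule in RULES:
        if rule.profile != profile:
            continue
        if rule.key not in config:
            findings.append(f"{rule.name}: not set (expected {rule.expected})")
        elif not rule.check(config[rule.key]):
            findings.append(f"{rule.name}: got {config[rule.key]!r} (expected {rule.expected})")
    return findings


# Constructed DO export with three deviations from the Primary profile table.
DRIFTED_DO: Dict[str, Any] = {
    "bt_allowed_profiles": ["HFP", "HSP", "SPP", "A2DP"],   # wider than the baseline
    "wifi_allow_unsecured_hotspot": False,
    "audit_log_enabled": True,
    "banner_text": "<DoD-mandated warning banner text>",     # placeholder value
    "cert_ocsp_scope": "all_apps",
    "cert_revocation_scope": "all_apps",
    "encrypt_external_storage": True,
    "pw_max_sequential_chars": 4,                             # looser than the STIG value of 2
    "pw_max_sequential_numbers": 2,
    "usb_host_exceptions": ["HID"],
    # "cc_mode_enabled" deliberately absent from the export
}

if __name__ == "__main__":
    for line in find_drift("DO", DRIFTED_DO):
        print(line)
```

Run it on a fresh export after every profile change or KSP update, and feed the findings into whatever ticketing or SIEM pipeline already tracks device compliance; a run that returns an empty list for both profiles is the state the tables describe.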