STIG configurations
This section describes the Security Technical Implementation Guide (STIG) configurations that devices must meet for use in government and defense agencies. Devices that meet these configurations provide the required level of protection for sensitive and confidential data and improve the security of the information systems they access. Because STIG compliance requires a wide range of settings, the Knox Service Plugin (KSP) applies the Knox-specific configurations that a UEM does not support natively. Policies that Android Enterprise already provides are applied through the UEM, not through KSP.
Overview
The Security Technical Implementation Guides (STIGs) are configuration standards and technical guidance for locking down Department of Defense (DoD) Information Assurance (IA) enabled devices, information systems, and software that might otherwise be vulnerable to attack.
The Defense Information Systems Agency (DISA) creates the STIGs in collaboration with device vendors. Samsung works with DISA to produce a STIG that defines the specific configuration and technical guidance for deploying Samsung devices with the security posture required for use within the DoD.
Samsung's STIG
The Samsung Android STIG covers two use cases: Corporate Owned Business Only (COBO), and the fully managed device with a work profile. UEMs can deploy these use cases in one of two ways:
- KPE (AE)—Knox Platform for Enterprise with Android Enterprise, current deployment model
- KPE (Legacy)—previous deployment model, which is marked for deprecation
DISA recommends that DoD mobile service providers support KPE (AE) deployments to the maximum extent possible.
In the KPE (AE) deployment model, DISA's requirements are met using a UEM that supports AE policies together with the Knox Service Plugin (KSP), which applies the additional KPE-specific policies needed for compliance. KSP configures KPE-specific policies only for KPE (AE) deployments; it does not support KPE (Legacy) deployments. Some UEMs also support KPE-specific policies natively; in that case the IT admin may apply those policies through either the UEM or KSP.
STIG requirements
Corporate Owned Business Only (COBO)
Fully managed devices, also known as Corporate Owned Business Only (COBO) devices, are owned by the company. They give IT admins control over an extended range of device settings and additional policy controls.
For a video describing STIG compliance for a fully managed device, go to: STIG compliance for a fully managed device.
Before a device is considered STIG-compliant, it must meet the following prerequisites:
- The Samsung Android device must be one of those listed on the APL
- The device must be enrolled in the UEM as a fully managed device
- Managed Google Play must be configured
- Using managed Google Play, the UEM administrator must install KSP on the device
- A KPE Premium license must be activated, either within the UEM console or through KSP
- The UEM administrator must apply the policies listed in the COBO KPE (AE) configuration table:
  - The STIG configuration must match the version of the Android OS installed on the device
  - The COBO KPE (AE) configuration document contains a single table, "Table 1: COBO configuration policy rules for Device-Wide Work Environment", listing the policies that must be applied to the fully managed device
  - AE policies must be applied using the UEM console
  - KPE policies must be applied using the KSP managed configuration
- The appropriate STIG policies must be applied to the device. For information on applying COBO-specific STIG policies, go to: STIG compliance for COBO devices.
Fully managed device with a work profile
A fully managed device with a work profile keeps work apps and data in a separate, self-contained space on the device. The employee continues to use the device as normal; all personal apps and data remain in the device's primary (personal) profile.
For a video describing STIG compliance for a fully managed device with a work profile, go to: STIG compliance for fully managed devices with a work profile.
Before a device is considered STIG-compliant, it must meet the following prerequisites:
- The Samsung Android device must be one of those listed on the APL
- The device must be enrolled in the UEM as a fully managed device with a work profile (managed profile)
- Managed Google Play must be configured (in the work profile)
- The UEM administrator must install two instances of KSP:
  - Using the UEM console, install KSP as a private or internal app on the personal side of the managed device
  - Using managed Google Play, install KSP within the work profile
- A KPE Premium license must be activated, either within the UEM console or through the KSP instance in the work profile
- The fully managed device with a work profile KPE (AE) configuration document contains two tables: Table 1: Configuration policy rules for Non-Work Environment, and Table 2: Configuration policy rules for Work Environment. The UEM administrator must apply the policies listed in these two tables as follows:
  - The STIG configuration must match the version of the Android OS installed on the device
  - Apply the policies from Table 1: Configuration policy rules for Non-Work Environment to the personal side of the fully managed device
  - Apply the policies from Table 2: Configuration policy rules for Work Environment to the work profile on the managed device
  - Apply AE policies using the UEM console
  - Apply KPE policies using the KSP managed configurations
- The appropriate STIG policies must be applied to the device. For information on applying these STIG policies, go to: STIG compliance for fully managed device with a work profile.
Using the UEM and KSP to apply STIG policies
STIG compliance requires devices to meet strict security requirements. Although the labels and naming of each policy differ from one UEM console to another, the restriction each policy enforces is the same regardless of the UEM used.
For a detailed description of the KPE APIs required to reach STIG compliance on a Samsung Knox device, go to: Knox STIG API Table (Knox 3.x / Android 10).
STIG compliance for COBO devices
For information about ensuring your fully managed devices are compliant with STIG guidelines, go to: STIG compliance for COBO devices.
STIG compliance for fully managed device with a work profile
For information about ensuring your fully managed devices with a work profile are compliant with STIG guidelines, go to: STIG compliance for fully managed device with a work profile.