Menu

STIG configurations

This section describes the Security Technical Implementation Guide (STIG) configurations and guidelines that devices need to meet in government and defense agencies. Devices that meet these configurations ensure the maximum protection for sensitive and confidential data as well as improve the security of information systems. As compliance with STIG requires the application of a wide range of configurations, Knox Service Plugin (KSP) attempts to fulfill a set of configurations that the UEM does not support natively. Policies supported by Android Enterprise are not supported by KSP.

Overview

The Security Technical Implementation Guides (STIGs) are the configuration standards and technical guidance to lock down Department of Defense (DoD) Information Assurance (IA) enabled devices, information systems, and software that might otherwise become vulnerable to malicious computer attacks.

The STIGs are created by the Defense Information Systems Agency (DISA) in collaboration with device vendors. Samsung works with DISA to produce a STIG with the specific configuration and technical guidance that defines how organizations can deploy Samsung devices with a required security posture for use within the DoD.

Samsung's STIG

NOTE—For a list of most recently available STIGs, Protection Profile for Mobile Device Fundamentals (MDFPPs), and Approved Product List (APL), see https://www.samsungknox.com/en/knox-platform/knox-certifications.

The Samsung Android STIGs covers both Corporate Owned Business Only (COBO), and the fully managed device with a work profile use cases. UEMs can deploy these use cases in one of two ways:

  • KPE (AE)—Knox Platform for Enterprise with Android Enterprise, current deployment model
  • KPE (Legacy)—previous deployment model, which is marked for deprecation

DISA recommends that DoD mobile service providers support KPE (AE) deployments to the maximum extent possible.

The KPE (AE) deployment model complies with DISA's requirements using a UEM that supports AE policies, as well as the Knox Service Plugin (KSP) for additional KPE specific policies necessary for compliance. KSP can configure KPE specific policies for KPE (AE) deployments. KSP does not support KPE (Legacy) based deployments. Please note, UEMs may support KPE specific policies natively, in such case IT Admin may use either UEM or KSP to apply such policies.

STIG requirements

Company Owned Business Only (COBO)

Fully Managed Devices—also known as Company Owned Business Only (COBO)—are devices owned by the company. Such devices are set up to give IT admins control over an extended range of device settings and additional policy controls.

To reference a video describing STIG compliance for a fully managed device, go to:STIG compliance for a fully managed device.

Before devices are considered STIG-compliant, these devices must meet the following pre-requisites:

  • The Samsung Android device must be one of those listed on the APL
  • The device must be enrolled in the UEM as a fully Managed device
  • Managed Google Play must be configured
  • Using managed Google Play, the UEM Administrator must install KSP on the device
  • A KPE Premium License must be activated either within the UEM console, or KSP
  • The UEM administrator must apply the policies listed in the COBO KPE(AE) configuration table
  • The STIG configuration must match the version of Android OS installed on the device
    • The COBO KPE(AE) configuration table document contains only one table, “Table 1: COBO configuration policy rules for Device-Wide Work Environment” which contains policies that must be applied to the fully managed device
    • AE policies must be applied using the UEM console
    • KPE policies must be applied using KSP managed configuration
    NOTE—At the time of writing this guide, the most recent version of the Samsung STIG configuration is contained within the document Samsung Android OS 9 Knox 3.x COBO KPE (AE) Configuration Tables.
  • Appropriate STIG policies are applied to the device. For information on applying COBO-specific STIG policies, see STIG compliance for COBO devices.

Fully managed device with a work profile

Fully managed work profile devices allow work apps and data to be stored in a separate, self-contained space within a device. An employee can continue to use their device as normal; all their personal apps and data remain on the device's primary profile.

To reference a video describing STIG compliance for a fully managed device with a work profile, go to: STIG compliance for fully managed devices with a work profile.

Before devices are considered STIG-compliant, these devices must meet the following pre-requisites:

  • The Samsung Android device must be one of those listed on the APL
  • The device must be enrolled in the UEM as a fully managed device with managed Profile
  • Managed Google Play must be configured (in the managed Profile)
  • The UEM Administrator must install two instances of KSP:
    1. Using the UEM console, the UEM Administrator must install KSP as a private or internal app within the “personal” side of the managed device
    2. Using managed Google Play, the UEM Administrator must install KSP within the managed Profile
    3. IMPORTANT—Ensure that the KSP version installed within the Personal profile of the managed device is the same or higher than the KSP version installed within the Managed Work profile.
  • KPE Premium License is activated within the UEM console or using KSP in the managed Work profile.
  • The fully managed device with a work profile KPE (AE) configuration document contains two tables, namely—Table 1: Configuration policy rules for Non-Work environment and Table 2: Configuration policy rules for Work environment. The UEM administrator must apply the policies listed in these two tables as follows:
    • The STIG configuration must match the version of Android OS installed on the device
    • Apply policies from Table 1: Configuration policy rules for Non-Work Environment to the Personal side of the fully managed device
    • Apply policies from Table 2: Configuration policy rules for Work Environment the Work profile within the managed device
  • Apply AE policies using the UEM console.
  • Apply KPE policies using the KSP managed configurations.
  • NOTE—At the time of writing this guide, the most recent version of the Samsung STIG configuration is contained within the document Samsung Android OS 9 Knox 3.x KPE (AE) Configuration Tables.
  • Appropriate STIG policies are applied to the device. For information on applying specific STIG policies, see STIG compliance for fully managed device with a work profile.

Using the UEM and KSP to apply STIG policies

STIG compliance requires devices to meet strict security requirements. While the actual labels and naming conventions for each of these policies differ for each UEM console, the restrictions that are applicable for each individual policy remain the same irrespective of the UEM used.

For a detailed description of the KPE APIs required to reach STIG compliance on a Samsung Knox device, see Knox STIG API Table (Knox 3.x / Android 9).

STIG compliance for COBO devices

For information about ensuring your fully managed devices are compliant with STIG guidelines, see STIG compliance for COBO devices.

STIG compliance for fully managed device with a work profile

For information about how you can ensure your fully managed work profile devices are compliant with STIG guidelines, see STIG compliance for fully managed device with a work profile.