KNOX-07-017120 - The VPN client must be configured: 1. Disabled 2. Configured for container use only. 3. Configured for per app use.

Information

The device VPN must be configured to disable access from the personal space/container, since that space is considered an untrusted environment. Therefore, apps located in the personal container on the device should not have the ability to access a DoD network. In addition, smartphones do not generally meet the security requirements for computing devices that connect directly to DoD networks.

SFR ID: FMT_SMF_EXT.1.1 #3

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the Samsung Android 7 with Knox VPN client in one of the following configurations so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only.
3. Configured for per app use for the personal side.

This implementation guidance covers the third of these options.

On the MDM Administration Console, do the following:
1. Configure the organization VPN profile in the "Enterprise VPN profiles" rule.
2. Add each AO-approved Package to "Add Packages To Vpn" in the "Generic VPN" rule.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Samsung_Android_OS_7_with_Knox_2-x_V1R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-91299r1_rule, STIG-ID|KNOX-07-017120, Vuln-ID|V-76603

Plugin: MDM

Control ID: 12d415d6e7ffc4688edd2bd3b99501313d9bec995e8d8807fe3a8b5f55540f15