Information
The device VPN must be configured to disable access from the personal space (personal container), since the personal space is considered an untrusted environment. Apps installed in the personal container must therefore not be able to reach a DoD network through the device VPN. In addition, smartphones generally do not meet the security requirements placed on computing devices that connect directly to DoD networks.
SFR ID: FMT_SMF_EXT.1.1 #3
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure the Samsung Android 7 with Knox VPN client in one of the following ways so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only
3. Configured for per-app use on the personal side
This implementation guidance covers the second option (container use only).
On the MDM Administration Console, do the following:
1. Configure the organization's VPN profile in the "Enterprise VPN profiles" rule.
2. Enable "Add All Container Packages To Vpn" in the "Generic VPN" rule, so that only the apps in the Knox container are bound to that VPN profile.
After the policy is pushed, confirm on a device that the VPN is not offered or reachable from apps in the personal space.