Information
CC mode implements several security controls required by the Mobile Device Fundamentals Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the mobile device is more at risk of being compromised if it is lost or stolen.
CC mode implements the following controls:
- enables the OpenSSL FIPS crypto library
- sets the password failure limit to 5 (5 consecutive failed attempts will wipe the device)
- disables ODIN mode (download mode)
SFR ID: FMT_SMF_EXT.1.1 #47
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure the Samsung Android 7 with Knox to enforce CC mode.
On the MDM console, enable the "Enable CC mode" setting in the "Android Advanced Restrictions" rule.
If this setting is not available on the console, install the CC mode APK and enable CC mode from this application.
This APK will be made available by Samsung.
Note: Before the CC policy is applied, the CC mode state will be "Ready". Once the policy is applied, the state will change to "Enforced" until the device meets all of the prerequisites.
If the device meets all prerequisites, CC mode will be enabled after a reboot and the state will change to "Enabled".
If the device is tampered with or the FIPS self-test fails, the state will change to "Disabled".
Note: To fully enable CC mode, the following prerequisites must be satisfied:
1. Enable Device Encryption
2. Enable SD Card Encryption
3. Set maximum Password Attempts before Wipe
4. Enable Certificate Revocation
5. Disable Password History