KNOX-07-017100 - The VPN client must be configured: 1. Disabled 2. Configured for container use only. 3. Configured for per app use.

Information

The device VPN must be configured to disable access from the personal space/container since it is considered an untrusted environment. Therefore, apps located in the personal container on the device should not have the ability to access a DoD network. In addition, Smartphones do not generally meet security requirements for computer devices to connect directly to DoD networks.

SFR ID: FMT_SMF_EXT.1.1 #3

Solution

Configure the Samsung Android 7 with Knox native VPN client in one of the following configurations so that the device VPN is not available in the personal space:
1. Disabled
2. Configured for container use only.
3. Configured for per app use for the personal side.

This implementation guidance covers the first of these options.

On the MDM console, deselect the "Allow VPN" checkbox in the "Android Restrictions" rule.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Samsung_Android_OS_7_with_Knox_2-x_V1R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-91295r1_rule, STIG-ID|KNOX-07-017100, Vuln-ID|V-76599

Plugin: MDM

Control ID: 2f7fc58c607d5c42acb28d328d1dbff09f4fadc3317bff8a08698b4fbfb8b86d