Samsung Android 7 on Galaxy Devices

Guidance documentation

Version 3.0
June 1, 2017
Document management

Document identification
Document ID Samsung Guidance documentation 3.0

Document title Samsung Android 7 on Galaxy Devices Guidance documentation

Release authority

Document history

| Version | Date | Description | Author |
| --- | --- | --- | --- |
| 0.1 | 16-October-2013 | Initial draft | |
| 0.2 | 20-December-2013 | Initial draft for Samsung review. | |
| 0.5 | January 31, 2014 | Update for Android 4.4 | Brian Wood |
| 0.6 | February 3, 2014 | Updated CC Mode API | Brian Wood |
| 0.7 | February 10, 2014 | Updated based on feedback from CC evaluator | Brian Wood |
| 0.8 | February 11, 2014 | Added info about determining versions of device, OS & apps | Brian Wood |
| 0.9 | February 12, 2014 | Added info about obtaining API SDK | Brian Wood |
| 0.10 | February 13, 2014 | Updates CC Mode app settings | Brian Wood |
| 0.11 | February 20, 2014 | Added versioning information | Ed Morris |
| 1.1 | March 31, 2014 | Updated for Galaxy S5/Note 10.1 | Brian Wood |
| 1.2 | April 3, 2014 | Added CRL Checking to the list of required settings | Brian Wood |
| 1.3 | April 23, 2014 | Corrected Max Password value range | Brian Wood |
| 1.4 | April 29, 2014 | Updated to show VPN release number | Brian Wood |
| 1.5 | April 30, 2014 | Removed device locking on password failure | Brian Wood |
| 1.5a | May 2, 2014 | Updated device list | Brian Wood |
| 1.5b | June 6, 2014 | Modified device list table | Brian Wood |
| 1.6 | August 1, 2014 | Updated for new devices and options | Brian Wood |
| 1.7 | September 7, 2014 | Updated for KNOX configurations & devices | Brian Wood, Sung Whan Moon |
| 1.8 | September 15, 2014 | Edited container disable list | Brian Wood |
| 1.9 | September 18, 2014 | Edits based on KNOX eval feedback | Brian Wood |
| 1.10 | September 19, 2014 | Updated device list | Brian Wood |
| 1.11 | October 7, 2014 | Edited versions and CC Mode access | Brian Wood |
| 1.12 | October 20, 2014 | Edited CC mode access | Brian Wood |
| 1.13 | October 28, 2014 | Updated device list | Brian Wood |
| 1.14 | October 30, 2014 | Edits based on Validator feedback | Brian Wood |
| 2.0 | December 18, 2014 | Edited for Android 5 | Brian Wood |
| 2.1 | April 9, 2015 | Updated device list | Brian Wood |
| 2.2 | July 31, 2015 | Updated device list | Brian Wood |
| 2.3 | October 1, 2015 | Updated device list | Brian Wood |
| 2.4 | April 19, 2016 | Updated device list & features | Brian Wood |
| 2.5 | October 4, 2016 | Updated device list & features | Brian Wood |
| 3.0 | June 1, 2017 | Updated for Android 7 | Brian Wood |

Table of Contents
1 Document Introduction ..............................................................................................................6

1.1 Evaluated Devices ......................................................................................................................... 6


1.2 Terminology/Glossary ................................................................................................................... 8

2 Guidance Overview .................................................................................................................. 10

3 Introduction ............................................................................................................................. 11

3.1 Overview ..................................................................................................................................... 11


3.2 Evaluated Capabilities ................................................................................................................. 11
3.3 KNOX Management API .............................................................................................................. 13

4 Deployment process ................................................................................................................. 14

4.1 Enterprise architecture ............................................................................................................... 14


4.2 Secure preparation of the Enterprise Environment ................................................................... 18
4.3 Secure installation of Samsung Android user devices ................................................................ 18
4.4 Audit Records (KNOX) ................................................................................................................. 44
4.5 Secure Delivery ........................................................................................................................... 60
4.6 Secure Updates ........................................................................................................................... 62

5 Operational security ................................................................................................................. 64

5.1 Modes of operation .................................................................................................................... 64


5.2 Wiping data ................................................................................................................................. 65
5.3 VPN Client Use ............................................................................................................................ 66
5.4 Additional notes on operational security ................................................................................... 66

List of Figures
Figure 1 – Enterprise Environment ............................................................................................................. 17

Figure 2 - Tracking label .............................................................................................................................. 60

Figure 3 - Security Seal (Black) .................................................................................................................... 61

Figure 4 - Security Seal (White)................................................................................................................... 61

1 Document Introduction
This document contains enterprise guidance for the deployment of Samsung devices in accordance with
the Common Criteria configuration.

1.1 Evaluated Devices


The Common Criteria evaluation was performed on a set of devices covering a range of processors.
These devices were chosen based on the commonality of their hardware across several different devices
that are also claimed through equivalency. All device models are evaluated with Samsung Android 7
(Nougat).

The evaluation was performed on the following devices:

 System LSI Exynos and Qualcomm Snapdragon
o Galaxy S7 Edge
 Qualcomm Snapdragon
o Galaxy S8 +
o Galaxy Tab S3
 System LSI Exynos
o Galaxy S8
o Galaxy S6 Edge

The following table shows the devices for which equivalence is being claimed from each evaluated
device.

| Evaluated Device | Processor | Equivalent Devices | Differences |
| --- | --- | --- | --- |
| Galaxy S8 + (Qualcomm) | Snapdragon 835 | Galaxy S8 (Qualcomm) | S8 + is larger |
| | | Galaxy S8 Active | S8 Active has an IP68 & MIL-STD-810G certified body |
| Galaxy S8 (System LSI) | Exynos 8895 | Galaxy S8 + (System LSI) | S8 + is larger |
| Galaxy Tab S3 (T825Y) | Snapdragon 820 | Galaxy Tab S3 | T825 & T827 models have LTE; T820 models only have Wi-Fi |
| Galaxy S7 Edge (Qualcomm) | Snapdragon 820 | Galaxy S7 (Qualcomm) | Curved screen vs. Flat screen |
| | | Galaxy S7 Active | Curved screen vs. Flat screen; S7 Active has an IP68 & MIL-STD-810G certified body; No fingerprint sensor |
| Galaxy S7 Edge (System LSI) | Exynos 8890 | Galaxy S7 (System LSI) | Curved screen vs. Flat screen |
| Galaxy S6 Edge | Exynos 7420 | Galaxy S6 | Curved screen vs. Flat screen |
| | | Galaxy S6 Edge+ | Curved screen vs. Flat screen |
| | | Galaxy Note 5 | Curved screen vs. Flat screen; Note 5 is larger; Note 5 includes stylus & functionality to take advantage of it for input (not security related) |
| | | Galaxy S6 Active | Curved screen vs. Flat screen; S6 Active has an IP68 & MIL-STD-810G certified body; No fingerprint sensor |

The differences between the evaluated devices and the equivalent ones do not relate to security claims
in the evaluated configuration. The Wi-Fi chipsets are the same for each series of common devices.

The model numbers and evaluated versions of the mobile devices being claimed are as follows:

| Device Name | Base Model Number | Android Version | Kernel Version | Build Number | Carrier Models |
| --- | --- | --- | --- | --- | --- |
| Galaxy S8 (Qualcomm) | SM-G950 | 7.0 | 4.4.16 | NRD90M | U |
| Galaxy S8 (System LSI) | SM-G950 | 7.0 | 4.4.13 | NRD90M | N, F |
| Galaxy S8 + (Qualcomm) | SM-G955 | 7.0 | 4.4.16 | NRD90M | U |
| Galaxy S8 + (System LSI) | SM-G955 | 7.0 | 4.4.13 | NRD90M | N, F |
| Galaxy S8 Active | SM-G892 | 7.0 | 4.4.16 | NRD90M | A, None |
| Galaxy Tab S3 | SM-T820 | 7.0 | 3.18.31 | NRD90M | None |
| Galaxy Tab S3 | SM-T825 | 7.0 | 3.18.31 | NRD90M | N, Y, None |
| Galaxy Tab S3 | SM-T827 | 7.0 | 3.18.31 | NRD90M | V, A, R4 |
| Galaxy S7 (Qualcomm) | SM-G930 | 7.0 | 3.18.31 | NRD90M | T, P, R4, V, A |
| Galaxy S7 (System LSI) | SM-G930 | 7.0 | 3.18.14 | NRD90M | F, S, K, L |
| Galaxy S7 Edge (Qualcomm) | SM-G935 | 7.0 | 3.18.31 | NRD90M | A, T, P, R4, V |
| Galaxy S7 Edge (System LSI) | SM-G935 | 7.0 | 3.18.14 | NRD90M | F, S, K, L |
| Galaxy S7 Active | SM-G891 | 7.0 | 3.18.31 | NRD90M | A, None |
| Galaxy S6 Edge+ | SM-G928 | 7.0 | 3.10.61 | NRD90M | F, I, A, T, P, R4, V, S, K, L |
| Galaxy Note 5 | SM-N920 | 7.0 | 3.10.61 | NRD90M | I, A, T, P, R4, V, S, K, L |
| Galaxy S6 | SM-G920 | 7.0 | 3.10.61 | NRD90M | F, I, A, T, P, R4, V, S, K, L |
| Galaxy S6 Edge | SM-G925 | 7.0 | 3.10.61 | NRD90M | F, I, A, T, P, R4, V, S, K, L |
| Galaxy S6 Active | SM-G890 | 7.0 | 3.10.61 | NRD90M | A, None |

The Carrier Models column specifies the specific versions of the devices which have the validated
configuration. These additional letters/numbers denote carrier specific models (such as V = Verizon
Wireless). Only models with the suffixes listed in the table can be placed into the validated
configuration.

Note: Where Carrier Models specifies “None” that means a device without a suffix is also a device which
can be placed into a validated configuration.
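The suffix rule above is easy to get wrong in an inventory script, so here is an added Python check (not part of the Samsung guidance) that splits a reported model number into its base model and carrier suffix, handles the "None" case (no suffix at all), and tells the Qualcomm and System LSI builds of the same base model apart by kernel version. The table inside it is a constructed subset of the rows above; the input values are assumed to come from the device's reported model, kernel and build, and the kernel string is trimmed at the first "-" on the assumption that a full kernel release string carries a build tag after the version.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed subset of the model-number table above. A suffix of "" stands
# for the table's "None": a device with no carrier suffix is also in scope.
VALIDATED = [
    # (device name, base model, kernel version, build number, carrier suffixes)
    ("Galaxy S8 (Qualcomm)",   "SM-G950", "4.4.16",  "NRD90M", {"U"}),
    ("Galaxy S8 (System LSI)", "SM-G950", "4.4.13",  "NRD90M", {"N", "F"}),
    ("Galaxy S8 Active",       "SM-G892", "4.4.16",  "NRD90M", {"A", ""}),
    ("Galaxy Tab S3",          "SM-T820", "3.18.31", "NRD90M", {""}),
    ("Galaxy Tab S3",          "SM-T825", "3.18.31", "NRD90M", {"N", "Y", ""}),
    ("Galaxy Tab S3",          "SM-T827", "3.18.31", "NRD90M", {"V", "A", "R4"}),
    ("Galaxy S7 (Qualcomm)",   "SM-G930", "3.18.31", "NRD90M", {"T", "P", "R4", "V", "A"}),
    ("Galaxy S7 (System LSI)", "SM-G930", "3.18.14", "NRD90M", {"F", "S", "K", "L"}),
]

# Base model is "SM-" + one letter + three digits; whatever follows is the carrier suffix.
MODEL_RE = re.compile(r"^(SM-[A-Z]\d{3})([A-Z0-9]*)$")


def split_model(model: str) -> Tuple[str, str]:
    """'SM-G935R4' -> ('SM-G935', 'R4'); 'SM-T820' -> ('SM-T820', '')."""
    m = MODEL_RE.match(model.strip().upper())
    if not m:
        raise ValueError(f"not a Samsung SM- model number: {model!r}")
    return m.group(1), m.group(2)


@dataclass
class Verdict:
    in_scope: bool
    device: Optional[str]
    reason: str


def check_device(model: str, kernel: str, build: str) -> Verdict:
    """Decide whether a (model, kernel, build) triple is in the validated set."""
    base, suffix = split_model(model)
    kernel = kernel.strip().split("-")[0]   # assumption: '4.4.16-12345' -> '4.4.16'
    candidates = [row for row in VALIDATED if row[1] == base]
    if not candidates:
        return Verdict(False, None, f"{base} is not an evaluated base model")
    # The same base model can appear twice (Qualcomm vs. System LSI builds);
    # the kernel version is what tells the two rows apart.
    for name, _, kern, bld, suffixes in candidates:
        if kern != kernel:
            continue
        if bld != build:
            return Verdict(False, name, f"build {build} is not the evaluated build {bld}")
        if suffix in suffixes:
            return Verdict(True, name, "model, kernel and build match the evaluated configuration")
        shown = suffix or "(none)"
        return Verdict(False, name, f"carrier suffix {shown} is not validated for {name}")
    return Verdict(False, candidates[0][0],
                   f"kernel {kernel} does not match any evaluated build of {base}")


if __name__ == "__main__":
    for args in (("SM-G950U", "4.4.16-1234567", "NRD90M"),
                 ("SM-G950U", "4.4.13", "NRD90M"),
                 ("SM-T827", "3.18.31", "NRD90M")):
        print(args, check_device(*args))
```

The second and third sample calls are the two traps the table sets: a suffix that is valid for one build of a base model but not the other, and a suffix-less device whose row does not list "None".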

The following table shows the Security software versions for each device.
| Device Name | MDF Version | MDF Release | WLAN v1.0 Release | VPN v1.4 Release | KNOX Release |
| --- | --- | --- | --- | --- | --- |
| Galaxy S6, S6 Edge, S6 Active, Note 5 | 3.0 | 2 | 2 | 8.1 | 2.7 |
| Galaxy S7, S7 Edge, S7 Active, Tab S3 | 3.0 | 2 | 2 | 8.1 | 2.7 |
| Galaxy S8, S8+, S8 Active | 3.0 | 2 | 2 | 8.1 | 2.8 |

The MDF version number is broken into two parts as the claimed MDFPP has been updated in the latest
devices. For example, the Galaxy S8 would show “MDF v3.0 Release 2”.

1.2 Terminology/Glossary
ADB Android Debug Tool

ADT Android Development Tools

API Application programming interface

BYOD Bring-Your-Own-Device

CA Certification Authority

MDM Mobile Device Management

ODE On-Device Encryption

SDK Samsung Enterprise Software Development Kit

SSL Secure Socket Layer

VPN Virtual Private Network

2 Guidance Overview
The Samsung model to maintain a secure mobile device environment involves a number of parties.
These include:

 Approved Mobile Device Management (MDM) software developers;

 Samsung Approved Carriers;

 Enterprise and Mobile Device Administrators; and

 Enterprise Users.

As a result, a number of elements of maintaining a secure mobile environment are reliant on parties
outside of Samsung and are not detailed in this documentation.

This document has been designed for Enterprise and Mobile Device Administrators and therefore
provides guidance on the configuration and deployment of a Mobile Enterprise solution using Samsung
devices. Guidance for device users is provided in a separate document.

3 Introduction

3.1 Overview
The TOE is a mobile operating system based on Android 7 with modifications made to increase the level
of security provided to end users and enterprises. The TOE is intended to be used as part of an
enterprise messaging solution providing mobile staff with enterprise connectivity.

The TOE combines with a Mobile Device Management (MDM) solution that enables the enterprise to
watch, control and administer all deployed mobile devices, across multiple mobile service providers, as
well as facilitate secure communications through a VPN. This partnership provides a secure mobile
environment that can be managed and controlled by the enterprise and reduces the risks that can be
introduced through a Bring-Your-Own-Device (BYOD) model.

The Samsung Enterprise Software Development Kit (SDK) builds on top of the existing Android security
model by expanding the current set of security configuration options to approximately 650
configurable policies and including additional security functionality such as application blacklisting. The
ability to set these policies is based on the capabilities of the MDM.

3.2 Evaluated Capabilities


The product provides a significant set of security capabilities; the core capabilities included within the
Common Criteria evaluation are:

| Security feature | Description |
| --- | --- |
| Device data protection. The TOE provides security functionality to protect data at rest. | On Device Encryption (ODE). The TOE has the ability to encrypt data on the device using AES 256. |
| | Removable storage encryption. The TOE can encrypt all files placed onto, or already residing on, removable storage attached to the device. |
| | Sensitive data protection. The TOE has the ability to securely store incoming data that is considered sensitive such that it can’t be decrypted without the user logging in. |
| Application Management. The device provides a number of security functions to manage device software. | Application resource restrictions. All applications are run within a controlled environment that limits applications to accessing only authorized data and resources. |
| Access Control. The device can implement access control that reduces mobile user permissions and assists in reducing unauthorized access. | Device lock. The TOE can be configured to automatically lock after a defined period of inactivity (1 to 60 minutes), limiting access to device functions except those that are explicitly authorized such as emergency calls. |
| | Local wipe. The TOE has the ability to wipe encryption keys/data on a device after an administratively defined number of authentication attempts is surpassed. |
| | Credential complexity. The TOE can enforce enterprise password policies, forcing users to use a defined level of complexity in device passwords. |
| | Privileged access. The TOE can be configured to restrict mobile users’ access to privileged functions such as device configurations. |
| Enterprise device management. Enterprise administrators can control and audit mobile endpoint configurations and wipe the device if needed. | Hotspot Control. The TOE can be configured to act as a hotspot for sharing Internet access to other devices. |
| | Wireless network settings. The wireless network configuration of the TOE can be specified, providing requirements or pre-loaded networks. |
| | Remote wipe. An enterprise administrator can send a message to the TOE to wipe all local storage and the SD card. |
| | Security policy. The TOE can be configured by a Mobile Device Management solution that supports the Samsung Enterprise SDK. |
| | Auditing. The TOE can monitor and generate records related to security-relevant events within the device. |

3.3 KNOX Management API
Samsung provides an extensive set of management APIs to fully control a Samsung device within your
environment. To obtain more information about specific APIs and capabilities provided by Samsung, sign
up for an account at https://seap.samsung.com/ and request access to the MDM API.

4 Deployment process
The specific deployment model is dependent on a number of factors including:

 Chosen MDM solution’s supported architecture;

 Preferred mobile operating methods (often as a result of business culture);

 Financial considerations;

 Enterprise technical capability;

 Risk appetite of the business; and

 Existing technological capital.

4.1 Enterprise architecture


The first step in deploying Samsung devices is to decide on both a Mobile Device Management solution
and an appropriate architecture. These two selections may be done in either order depending on the
preferences of the organization. In some organizations there may be a preferred architecture, and as a
result an MDM solution is chosen based on its compatibility with that architecture; in others, the
architecture will be chosen to match the already chosen MDM.

There are three core architectures:

 Enterprise based deployment;

 Cloud based deployment; and

 Hybrid approach.

However, only the ‘enterprise based deployment’ architecture will be described in detail. The ‘cloud
based deployment’ and the ‘hybrid approach’ are not covered by this evaluation, though they are
certainly options which can be employed. Ideally any MDM solution will have been evaluated to the
requirements of the MDMPP (Mobile Device Management Protection Profile).

4.1.1 Enterprise based deployment


In this architecture the enterprise environment must provide all of the services required to operate and
manage devices. The basic components of this model include:

 Mobile Device Management Solution

The Mobile Device Management (MDM) Solution secures, monitors, manages and supports
mobile devices deployed across companies. By controlling and protecting the data and
configuration settings for all Android devices in the corporate network, business security risks
are reduced. Samsung offers an extensive range of different solutions. Every Mobile Device
Management solution supports the Samsung Enterprise SDK.

Android devices combine with a Mobile Device Management solution. This partnership provides
a secure mobile environment that can be managed and controlled by the environment and
reduce the risks that can be introduced through a Bring-Your-Own-Device (BYOD) model.

 Secure tunnel termination

A secure VPN tunnel should be initialized between the managed Android devices and the
Enterprise Environment to prevent unauthorized access to enterprise resources. The connection
should be based on certificates deployed on the Android user devices. Ideally mutual
authentication is deployed, meaning that not only the Android user devices authenticate
themselves with a certificate but also the gateway to the enterprise environment. Mutual
authentication serves to prevent Android user devices from logging into an unauthorized enterprise
network and, on the other hand, prevents the unauthorized login of untrusted devices into the
enterprise environment.

The tunnel establishment should be terminated in case of invalid certificates. Further, an idle
VPN session should be terminated after a certain time span.

 Directory services

The directory services should be set up to store, organize and provide access to information in a
directory.

 Business applications

Business applications allow enterprise users to fulfill or access certain business tasks pertinent
to requirements. This may include management tools, accounting utilities and contact
management software/solutions.

 Certificate services

A certificate service must be implemented that manages all certificate needs throughout the
enterprise environment. This includes issuing new Android device user certificates that are
needed to facilitate secure communications through a VPN.

The advantages of this solution are that there will be no issue with data sovereignty, plus the enterprise
increases its control over the managed devices as well as the deployed environment. The
downside is the increased cost of managing this enterprise environment.

Figure 1 shows an example of a high level design of an enterprise based environment.

[Figure 1 – Enterprise Environment: diagram. Managed Devices reach the Enterprise Environment over Service Provider Networks; the DMZ holds the Proxy/Secure Connection Termination and the MDM Solution; the Enterprise Resources zone holds Directory Services, Business Applications and Certificate Services.]

Figure 1 – Enterprise Environment

4.1.2 Compatible Mobile Device Management (MDM) solutions
The security configuration specified here can be set through the MDM for the evaluated configuration
or through the installation of an application provided by Samsung and some user configuration settings
as specified below. All other configuration items can be changed without changing the evaluated
configuration. The evaluated configuration is provided in Section 4.3.2.

4.2 Secure preparation of the Enterprise Environment


Prior to the configuration of a Samsung Android user device, the enterprise environment must be
securely prepared.

In particular, the guidance for the Mobile Device Management Solution should be followed. This
documentation provides information about the capability to remotely manage devices and perform
functions such as sending remote wipe messages. Further, it includes, or provides directions to
implement, infrastructure to support secure transmissions with devices.

For an enterprise deployment of Samsung Android devices that is suitable for organizations working
with official data, administrators should:

 Deploy and configure the requisite network components as described above

 Procure and set up an MDM server with a client that implements the KNOX APIs and is able to
enforce all the settings given in the Common Criteria Configuration section below.

Section 4.3.2 provides more detailed information about the options the MDM must support in order to
configure the devices in the evaluated configuration.

4.3 Secure installation of Samsung Android user devices


This section provides information on how an Enterprise and Mobile Device Administrator securely
installs a Samsung Android user device.

For an enterprise deployment of Samsung Android devices that is suitable for organizations working
with official data, administrators should:

 Perform the device deployment process described in Section 4.3.1; and

 Create MDM security profiles for the devices in line with the guidance given in the Common
Criteria Configuration (Section 4.3.2) and associate these profiles with the devices.

4.3.1 Device deployment process
The following steps should be followed to provision each end user device onto the enterprise network to
prepare it for distribution to end users.

1. Install the MDM agent application, and enroll the device into the MDM.

2. Provision client certificates by either:

a. Provisioning the client certificates using a locally-enrolled MDM server;

b. Deploying the Android Development Tools (ADT) bundle and device-specific USB drivers
onto a dedicated provisioning terminal. This will allow the client certificates to be
manually deployed onto the device via the Android Debug Tool (ADB). Note that USB
debugging should be disabled once provisioning is complete.

The certificates required for an MDM deployment are:

i. Enterprise CA certificate (used to validate the server certificates presented by
the VPN endpoint and reverse proxy),

ii. VPN client certificate (for authentication to the enterprise VPN endpoint),

iii. SSL client certificate (for authentication to the reverse proxy for intranet
services).

3. Install applications required for enterprise productivity.

4. Ensure that only trusted applications are installed and enabled on the device (disable
unnecessary applications, including Google Play if necessary).

5. Configure on-device security settings (please refer also to Section 4.3.2).

6. Configure the VPN client to connect to the enterprise VPN endpoint, using the device-specific
client certificate that has been loaded onto the device. Enable ‘Always-On’ VPN.

7. Configure the email client to connect to the enterprise server using client certificate
authentication.

4.3.2 Common Criteria Configuration


The following table shows settings which must be enabled to a specific value (or range of values) to
meet the specification of the evaluation. The evaluated security configuration consists of both Samsung
specific (Samsung Enterprise SDK) as well as Android specific settings. Please also follow the guidance
provided in [MDMG] to set the options listed below. The Classes or Methods used to configure these
settings are provided for reference and can be used to verify whether the MDM will support your needs.

The following sections specify the required settings that must be enabled/configured to place a device
into the evaluated configuration.

Note: Methods that can meet the requirement that are provided by Android natively are listed in italics.
In most cases there is a corresponding Samsung KNOX API as well. When this is the case, the two
Methods are highlighted to show the correspondence between the options. In these cases, the MDM
may use either call to achieve the same result.

4.3.2.1 Configurations with and without KNOX Containers

Samsung devices include an integrated capability to create separate containers within the device. These
are enabled by the KNOX components included in Samsung Android. When a KNOX container is
configured it provides a separated area of the device which can have its own apps and data which is not
accessible from the “normal” area. The KNOX containers can be used to separate different apps, such as
in BYOD scenarios where an enterprise could place their data into a separate container on the user’s
device.

A Samsung device can be placed into an evaluated configuration both with and without a KNOX
container. For organizations that do not need to segment the device, a configuration can be used
without creating any KNOX containers. For organizations that have a need for data separation, KNOX
containers can be created and still be in an evaluated configuration.

The settings listed below show the APIs which are used to place a device into an evaluated configuration
for either case. When configuring a device to use a KNOX container, all settings marked (All) and those
marked (KNOX) are used. When using a device without a KNOX container, only the settings marked (All)
need to be used.

Note: KNOX containers implement many of the same APIs as are available to non-containers (such as
hardware state configurations). Policies in KNOX containers are tied specifically to those containers as
part of the KNOX Premium API configuration. All KNOX APIs specified are part of the KNOX Premium set
of APIs and require a KNOX license to be used.

4.3.2.2 CC Mode Settings (All)

To place a device into the evaluated configuration the CC Mode must be enabled.

| Setting | Value | Description | Class or Method |
| --- | --- | --- | --- |
| CC Mode | Enable/Disable | This setting enables FIPS-validated crypto, disables USB connectivity in recovery mode & only allows FOTA updates to the system | setCCMode() |

To ensure overall control of the configuration, once enabled, CC Mode cannot be disabled by an end
user except by performing a factory reset. While it is possible to change the CC Mode status through the
MDM, a user can only turn off CC Mode by choosing to perform a factory reset.

4.3.2.2.1 CC Mode without MDM Support

CC Mode is not yet widely supported by MDM vendors. To facilitate customers in enabling CC Mode,
Samsung has provided a stand-alone app that can enable this setting locally on the device.

The CCMode.apk can be downloaded from Samsung here. In addition to the APK, you can download the
latest guidance documentation and the list of applications provided with each validated device.

For full instructions on configuring the device into the CC Mode utilizing the application, review the
Common Criteria User Guidance Documentation for the device that can be found at the same website.

4.3.2.2.2 CC Mode and Approved Cryptography

Part of the Common Criteria-evaluated configuration is the availability of approved cryptographic
engines for use by the system and applications. Samsung has chosen to utilize FIPS 140-2-validated
cryptographic modules on its devices for the Common Criteria configuration.

Samsung provides the following cryptographic modules on all the evaluated devices:

 Samsung Kernel Cryptographic Module
 BoringSSL FIPS Object Module
 SCrypto Module

All modules always run in a FIPS-validated mode. BoringSSL, for compatibility reasons, provides access to
non-FIPS algorithms, which developers should not utilize in a validated configuration (but which are
necessary to ensure functionality with many commercial services). The APIs which provide access to
FIPS-validated algorithms are detailed in the User Guidance documentation.

Note: Only these modules have been evaluated. It is also possible that some applications may
implement their own cryptography. Only the cryptographic modules provided with the device are
validated, any other cryptography must be evaluated on its own. Samsung recommends that developers
utilize the cryptographic functions provided with the device.

4.3.2.2.3 CC Mode Status

CC Mode has the following statuses:

| Status | Description |
| --- | --- |
| Ready (blank) | CC Mode has not been turned on |
| Enforced | CC Mode has been turned on but some of the required settings or configurations have not been set |
| Enabled | CC Mode has been turned on and all required settings and configurations have been set |
| Disabled | CC Mode has been turned on but an integrity check or self-test has failed (such as a FIPS 140-2 self-test) |

The CC Mode status can be seen by going to Settings/About phone/Software Security Version. Clicking
on the item will show the current status.

Note: The Ready state does not have any indicator. Only Enforced, Enabled and Disabled actually show a
specific status.

4.3.2.2.4 CC Mode Requirements/Configurations

When CC Mode is first turned on, it changes the status from Ready to Enforced. To change the status to
Enabled, the following settings must be configured:

1. Enable the Maximum Password Failure Policy

2. Enable On Device Encryption (ODE)

3. Enable SD Card Encryption

4. Enable CRL Checking

Note: To be Enabled, not only must the encryption settings be set, the storage must have been
encrypted by the user.

4.3.2.3 Encryption Settings (All)

There are two sets of encryption settings, one for internal storage and one for external (SD Card)
storage. Both must be enabled, even if no SD Card will be used in the device.

| Setting | Value | Description | Class or Method |
| --- | --- | --- | --- |
| On Device Encryption (ODE) | Enable | This encrypts all internal storage media | setInternalStorageEncryption(), setStorageEncryption(), setRequireDeviceEncryption() |
| SD Card Encryption | Enable | This encrypts all external (SD Card) storage media | setExternalStorageEncryption(), setRequireStorageCardEncryption() |

4.3.2.4 Authentication Settings (All)


| Setting | Value | Description | Class or Method |
| --- | --- | --- | --- |
| Max Password Failures (Wipe) | 10 or less for device; 99 or less for KNOX | The maximum number of times a password can be entered before the device is wiped | setMaximumFailedPasswordsForWipe() |

4.3.2.5 Certificate Revocation Settings (All)


| Setting | Value | Description | Class or Method |
| --- | --- | --- | --- |
| Certificate Revocation Checking | Enable for All apps | Specifies that CRL checking is enabled for all apps on the device | enableRevocationCheck() |

4.3.2.6 KNOX Container Policy (KNOX)
| Setting | Value | Description | Class or Method |
| --- | --- | --- | --- |
| Create Container | Policy of container | Specifies the policy to be used when creating the container | Class: KnoxContainerManager – createContainer(); Class: CreationParams – setPasswordResetToken() (a value MUST be specified here) |
| Configure Container Policy | Container Type and policy template settings; 1-99 for failed password settings | Creates a policy for a container. This is the default settings for a new container | Class: KnoxConfigurationType – KnoxConfigurationType(), setMaximumTimeToLock(), setPasswordMinimumLength(), setPasswordQuality(), setPasswordMinimumSymbols(), setMaximumFailedPasswordsForWipe(), setMaximumFailedPasswordsForDeviceDisable(), addConfigurationType() |
| Remove/Wipe Container | Container ID | Removes the specified container and wipes all data associated with that container | removeContainer() |

Note: When set in a KnoxConfigurationType(), the setMaximumFailedPasswordsForDeviceDisable() or


the setMaximumFailedPasswordsForWipe() settings will disable or wipe the container, not the whole
device.

4.3.3 Other Common Criteria Configurations


The settings in this section have been evaluated, but no specific configuration is required to place the
device into the evaluated configuration. They are part of the management functions that are included
and can be configured as needed for your specific environment.

4.3.3.1 Authentication Settings (All)

The settings here deal with passwords and other authentication-related settings.

Setting: Password Length
  Value: 6-16
  Description: Minimum password length
  Class or Method: setPasswordMinimumLength()

Setting: Password Complexity
  Value: Set min # of characters or max sequences
  Description: Settings to require different types of characters in a password
  Class or Method: setPasswordQuality(), setMaximumCharacterOccurrences(), setMaximumCharacterSequenceLength(), setMaximumNumericSequenceLength(), setMinPasswordComplexChars(), setMinimumCharacterChangeLength(), setPasswordMinimumLetters(), setPasswordMinimumLowerCase(), setPasswordMinimumNonLetter(), setPasswordMinimumNumeric(), setPasswordMinimumSymbols(), setPasswordMinimumUpperCase()

Setting: Password Expiration
  Value: -
  Description: Specify the maximum age of a password before it must be changed
  Class or Method: setPasswordExpires(), setPasswordExpirationTimeout()

Setting: Password Entry Visible
  Value: Disable
  Description: This prevents entered passwords from being displayed on the screen
  Class or Method: setPasswordVisibilityEnabled(), setScreenLockPatternVisibilityEnabled()

Setting: Biometrics Use
  Value: Enable/Disable
  Description: Enable or Disable biometric authentication methods (fingerprint or iris, depending on device support)
  Class or Method: setBiometricAuthenticationEnabled()

Note: To control biometrics usage with setBiometricAuthenticationEnabled(), setPasswordQuality() must be set to something other than PASSWORD_QUALITY_UNSPECIFIED (which is the default setting).

Biometrics are not supported as a stand-alone authentication method for the KNOX Container. Biometrics can only be used as part of a hybrid or multifactor authentication method.
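The complexity methods in the table above are easy to set and hard to reason about together; a minimum length of 8 with a maximum character sequence length of 3 rejects more candidate passwords than most administrators expect. The following added example (not code from the Samsung guide; the device enforces the real policy, this only reproduces the rules so a policy can be tried against candidate values before it is pushed) checks a password against a rule set built from those methods. The meaning of each rule is my reading of the method name, not something the guide states, and is marked as an assumption where it matters: complex characters are taken to be digits and symbols, a sequence is a run of adjacent code points in either direction, and the change length is the number of positions that differ from the previous password.

```python
"""Pre-flight checker for a Knox-style password policy. Added example, not code
from the Samsung guide. Rule semantics marked "assumption" are my reading of the
method names, not something the guide states."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class PasswordRules:
    minimum_length: int = 6                   # setPasswordMinimumLength (6-16 per the table)
    minimum_letters: int = 0                  # setPasswordMinimumLetters
    minimum_lowercase: int = 0                # setPasswordMinimumLowerCase
    minimum_uppercase: int = 0                # setPasswordMinimumUpperCase
    minimum_numeric: int = 0                  # setPasswordMinimumNumeric
    minimum_symbols: int = 0                  # setPasswordMinimumSymbols
    minimum_non_letter: int = 0               # setPasswordMinimumNonLetter
    min_complex_chars: int = 0                # setMinPasswordComplexChars (assumption: digit or symbol)
    max_character_occurrences: int = 0        # setMaximumCharacterOccurrences; 0 = unlimited (assumption)
    max_character_sequence_length: int = 0    # setMaximumCharacterSequenceLength, e.g. "abcd" (assumption: adjacent code points, either direction)
    max_numeric_sequence_length: int = 0      # setMaximumNumericSequenceLength, e.g. "1234"
    minimum_character_change_length: int = 0  # setMinimumCharacterChangeLength (assumption: positions differing from the previous password)


def _longest_run(s: str, adjacent: Callable[[str, str], bool]) -> int:
    """Length of the longest run in which every neighbouring pair satisfies `adjacent`."""
    best = run = min(len(s), 1)
    for a, b in zip(s, s[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def check_password(pw: str, rules: PasswordRules, previous: Optional[str] = None) -> list:
    """Return the names of the rules `pw` violates; an empty list means the password is acceptable."""
    violations = []
    letters = sum(c.isalpha() for c in pw)
    minimums = {
        "length": (len(pw), rules.minimum_length),
        "letters": (letters, rules.minimum_letters),
        "lowercase": (sum(c.islower() for c in pw), rules.minimum_lowercase),
        "uppercase": (sum(c.isupper() for c in pw), rules.minimum_uppercase),
        "numeric": (sum(c.isdigit() for c in pw), rules.minimum_numeric),
        "symbols": (sum(not c.isalnum() for c in pw), rules.minimum_symbols),
        "non_letter": (len(pw) - letters, rules.minimum_non_letter),
        "complex_chars": (len(pw) - letters, rules.min_complex_chars),   # assumption: digits and symbols
    }
    for name, (actual, required) in minimums.items():
        if actual < required:
            violations.append(name)

    if rules.max_character_occurrences and pw and max(Counter(pw).values()) > rules.max_character_occurrences:
        violations.append("occurrences")

    def stepwise(a: str, b: str) -> bool:       # "abcd", "dcba", "1234", "4321"
        return abs(ord(a) - ord(b)) == 1

    if rules.max_character_sequence_length and _longest_run(pw, stepwise) > rules.max_character_sequence_length:
        violations.append("char_sequence")
    if rules.max_numeric_sequence_length and _longest_run(
            pw, lambda a, b: a.isdigit() and b.isdigit() and stepwise(a, b)) > rules.max_numeric_sequence_length:
        violations.append("numeric_sequence")

    if previous is not None and rules.minimum_character_change_length:
        changed = sum(a != b for a, b in zip(pw, previous)) + abs(len(pw) - len(previous))
        if changed < rules.minimum_character_change_length:
            violations.append("change_length")
    return violations
```

Running the intended rule set against a handful of realistic passwords before deployment shows whether the combination is usable; the device rejects a non-compliant password at change time, but gives the user far less explanation than the violation list above.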

4.3.3.2 Admin Settings (All)


Setting: Allow new admin
  Value: Enable/Disable
  Description: An MDM can prevent new admins from getting installed/activated on the device
  Class or Method: Class AdvancedRestrictionPolicy: preventNewAdminActivation(), preventNewAdminInstallation()

Setting: Prevent Admin Removal
  Value: Enable/Disable
  Description: Can be used to prevent the removal of Admin/Device Manager (i.e. MDM Agent or similar)
  Class or Method: setAdminRemovable()

Setting: Multi-User Mode
  Value: Enable/Disable
  Description: Allows device to support multiple, separate users (Tablets only)
  Class or Method: allowMultipleUsers()

Note: The preventNewAdminActivation setting requires that only one Admin/Device Manager be active when enabled. This will prevent further Admin activations. If two (or more) are already enabled, the setting will be ignored.

4.3.3.3 Lock screen Settings (All)
Setting: Inactivity Timeout Lock Period
  Value: 1 to 60 minutes
  Description: This specifies how long the device will remain unlocked after usage has stopped
  Class or Method: setPasswordLockDelay(), setMaximumTimeToLock()

Setting: Remote Lock
  Value: Enable
  Description: Will remotely lock the device immediately
  Class or Method: lockNow()

Setting: Unlock Banner
  Value: Up to 256 characters
  Description: Text to display on the lock screen before login. Text will scroll at XX characters
  Class or Method: changeLockScreenString()

4.3.3.4 Lock screen Settings (Device only)


Setting: Lock screen controls
  Value: Enable/Disable lock screen features
  Description: Provides control over lock screen access to widgets/apps/features
  Class or Method: setKeyguardDisabledFeatures() with KEYGUARD_DISABLE_WIDGETS_ALL, KEYGUARD_DISABLE_SECURE_CAMERA, KEYGUARD_DISABLE_FEATURES_ALL

Setting: Smart Lock Controls
  Value: Enable/Disable
  Description: Provides control over Smart Lock capabilities (which allow authentication to be bypassed when certain conditions are met)
  Class or Method: setKeyguardDisabledFeatures() with KEYGUARD_DISABLE_TRUST_AGENTS

4.3.3.5 Radio Control Settings (All)


Setting: Control Bluetooth
  Value: Enable/Disable
  Description: Enable or Disable access to Bluetooth
  Class or Method: allowBluetooth()

Setting: Control Beam
  Value: Enable/Disable
  Description: Enable or Disable Android Beam
  Class or Method: allowAndroidBeam()

Setting: Control Wi-Fi
  Value: Enable/Disable
  Description: Enable or Disable access to Wi-Fi
  Class or Method: allowWiFi()

Setting: Control NFC
  Value: Enable/Disable
  Description: Enable or Disable access to NFC
  Class or Method: setEnableNFC()

Setting: Control Cellular Data Access
  Value: Enable/Disable
  Description: Enable or Disable access to Cellular Data (not Voice)
  Class or Method: setCellularData()

Setting: Control Location Provider
  Value: Enable/Disable
  Description: Enable or Disable access to Location services on the device
  Class or Method: setLocationProviderState()

4.3.3.6 Bluetooth Settings (All)


Setting: Bluetooth Name
  Value: Name
  Description: Set the friendly Bluetooth name of the device
  Class or Method: bluetoothAdapter.setName()

Setting: Allowed Profiles
  Value: Enable/Disable specified Profile
  Description: Enable or Disable the specified Bluetooth profile
  Class or Method: setProfileState()

4.3.3.7 Wi-Fi Settings (All)
Setting: Specify SSIDs for Wi-Fi
  Value: SSID values
  Description: Enable/Disable Wi-Fi restrictions based on acceptable SSID values. Both white and black listing of networks is supported.
  Class or Method: activateWifiSsidRestriction(), addBlockedNetwork(), addWifiSsidsToBlackList(), addWifiSsidsToWhiteList()

Setting: Set WLAN CA Certificate
  Value: CA Cert
  Description: Specify trusted CAs for accepting WLAN server certificates
  Class or Method: setNetworkCaCertificate()

Setting: Set Wi-Fi security type
  Value: WLAN security
  Description: Specify the type of security required on a WLAN connection (i.e. open, WEP, WPA, etc)
  Class or Method: setMinimumRequiredSecurity()

Setting: Wi-Fi authentication protocols
  Value: WLAN security
  Description: Specify the values required to connect to EAP-TLS connections
  Class or Method: setNetworkAnonymousIdValue(), setNetworkClientCertificate(), setNetworkIdentityValue(), setNetworkPhase2(), setTlsCertificateSecurityLevel()

Setting: Wi-Fi client credentials
  Value: WLAN client credentials
  Description: Specify the client credentials to access a specified WLAN
  Class or Method: setNetworkPSK(), setNetworkPassword(), setNetworkClientCertificate(), setNetworkPrivateKey(), setNetworkWEPKey1-4(), setNetworkWEPKeyId()

Note: In CC Mode, LEAP, PEAP and FAST modes are disabled due to their use of non-FIPS algorithms.

4.3.3.8 Hotspot/Tethering Settings (All)
Setting: Specify if Wi-Fi Hotspot can be modified by user
  Value: Enable/Disable
  Description: Enable/Disable whether the user can edit the Hotspot settings
  Class or Method: isWifiApSettingUserModificationAllowed()

Setting: Specify Hotspot settings
  Value: SSID, Security Type, Password
  Description: Specify the settings for the Hotspot
  Class or Method: setWifiApSetting()

Setting: Tethering (Wi-Fi, USB and Bluetooth)
  Value: Enable/Disable
  Description: Controls ability to use the device as a Wi-Fi hotspot to share its Internet connection. setTethering() controls access to all other tethering options (if that is disabled no others are allowed).
  Class or Method: setTethering(), setBluetoothTethering(), setUsbTethering()

4.3.3.9 Services Control Settings (All)


Setting: Camera control
  Value: Enable/Disable
  Description: Enable or Disable access to Camera
  Class or Method: setCameraState(), setCameraDisabled()

Setting: Microphone control
  Value: Enable/Disable
  Description: Enable or Disable access to microphone
  Class or Method: setMicrophoneState()

Setting: Voice control
  Value: Enable/Disable
  Description: Enable or Disable access to S-Voice or the Voice Dialer controls. This does not prevent access to other voice-controlled apps, only the Samsung-provided ones.
  Class or Method: allowSVoice(), disableVoiceDialer(), allowVoiceDialer()

Setting: Allow FOTA Updates
  Value: Enable/Disable
  Description: Specifies whether the device can check and receive OTA updates. This can be used to block auto-updates until they have been approved.
  Class or Method: allowOTAUpgrade()

Setting: Allow Mounting over USB / Allow Locally-connected Backup
  Value: Enable/Disable
  Description: Enable or Disable the mounting of device storage over USB. When disabled USB can only be used for charging. Locally-connected backups can only be performed when USB storage mounting is enabled.
  Class or Method: setUsbMediaPlayerAvailability()

Setting: Allow SD Card to be mounted
  Value: Enable/Disable
  Description: Enable or Disable the ability to mount (and use) an SD Card. Also possible to mount SD Card as read-only.
  Class or Method: setSdCardState(), allowSDCardWrite()

Setting: Allow USB storage to be mounted
  Value: Enable/Disable
  Description: Enable or Disable the ability to mount (and use) storage through the USB port on the device (i.e. allowing a USB thumb drive to be mounted as storage to the device).
  Class or Method: allowUsbHostStorage()

Setting: Developer Mode
  Value: Enable/Disable
  Description: Enable or Disable USB Debugging for developer access
  Class or Method: allowDeveloperMode(), setUsbDebuggingEnabled()

Setting: Setting Automatic Time
  Value: Enable/Disable
  Description: Enable or Disable the use of Carrier Time on the device. If this is disabled, then the time is handled solely on the device with no external checks.
  Class or Method: setAutomaticTime()

Setting: Allow User Time Change
  Value: Enable/Disable
  Description: Enable or Disable the ability for the user to access and change the date/time settings on the device.
  Class or Method: setDateTimeChangeEnabled()

Setting: Google Backup
  Value: Enable/Disable
  Description: Enable or Disable Google backup of account and settings information
  Class or Method: setBackup()

Setting: Google Account Sync
  Value: Enable/Disable
  Description: Enable or Disable Google account sync settings (all Google sync)
  Class or Method: allowGoogleAccountsAutoSync()

4.3.3.10 Notification Settings (All)


Setting: Blacklist Application Notification Mode
  Value: Block All, Block Text, Block Text & Sound
  Description: Specify if notifications are blocked, what level of blocking should be done. Block all notifications, Text (status bar) notifications only, or only Text & Sound.
  Class or Method: setApplicationNotificationMode()

Setting: App Notification Lists
  Value: App Names
  Description: Whitelist and Blacklist of apps that can override default notifications. Blacklist apps follow that notification mode setting
  Class or Method: addPackagesToNotificationBlackList(), removePackagesFromNotificationBlackList(), addPackagesToNotificationWhiteList(), removePackagesToNotificationWhiteList()

4.3.3.11 Lock screen Notification Settings (Device only)


Setting: Lock screen controls
  Value: Enable/Disable lock screen features
  Description: Provides control over lock screen notifications
  Class or Method: setKeyguardDisabledFeatures() with KEYGUARD_DISABLE_SECURE_NOTIFICATIONS, KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS

4.3.3.12 Messaging (SMS) Settings (All)
Setting: Allow incoming messages
  Value: Enable/Disable
  Description: Allow user to receive incoming SMS/MMS messages
  Class or Method: allowIncomingMms(), allowIncomingSms()

Setting: Allow outgoing messages
  Value: Enable/Disable
  Description: Allow user to send SMS/MMS messages
  Class or Method: allowOutgoingMms(), allowOutgoingSms()

4.3.3.13 Certificate/Key Management Settings (All)


Setting: Import Certificates
  Value: Certs
  Description: Import CA Certificates into the Trust Anchor Database or the credential storage. The choice of storage is dependent on the type of certificate being imported.
  Class or Method: installCertificate(), installCertificatesFromSdCard(), installCertificateWithType(), installClientCertificate() (for VPN)

Setting: Remove Individual Certificates
  Value: Cert names
  Description: Remove individual certificates from the database or credential store
  Class or Method: removeCertificate()

Setting: Remove All Certificates
  Value: -
  Description: This will clear all imported Certificates (except the built-in TAD)
  Class or Method: clearInstalledCertificates()

4.3.3.14 Application Management Settings (All)
Setting: Install Apps
  Value: App name
  Description: This allows an application to be installed on the device
  Class or Method: installApplication()

Setting: Uninstall Apps
  Value: App name
  Description: This allows applications to be uninstalled from the device.
  Class or Method: uninstallApplication(), uninstallApplications() (bulk list of apps at one time)

Setting: Control app uninstall
  Value: App name
  Description: Enables / disables user uninstall of specified application
  Class or Method: Class ApplicationPolicy: setApplicationUninstallationDisabled(), setApplicationUninstallationEnabled()

Setting: Control Google Play
  Value: Enable/Disable
  Description: Allows installation of applications from Google Play
  Class or Method: Class ApplicationPolicy: enableAndroidMarket(), disableAndroidMarket()

Setting: Control Unknown Sources
  Value: Enable/Disable
  Description: Allows installation of application from unknown sources
  Class or Method: Class RestrictionPolicy: setAllowNonMarketApps()

Setting: Disable Apps
  Value: Enable/Disable
  Description: This allows an application to be disabled, even if it is installed, and prevent it from running (includes pre-installed apps)
  Class or Method: setDisableApplication()

Setting: Application Whitelist
  Value: App name
  Description: Allows the creation of a list of approved apps that can be installed. This should always be paired with a black list.
  Class or Method: addAppPackageNameToWhiteList()

Setting: Application Blacklist
  Value: App name
  Description: Allows the creation of a list of apps which cannot be installed.
  Class or Method: addAppPackageNameToBlackList()

Setting: Application Signature Whitelist
  Value: App signature
  Description: Allows the creation of a list of approved signatures for apps that can be installed. This should be paired with the signature black list.
  Class or Method: addAppSignatureToWhiteList()

Setting: Application Signature Blacklist
  Value: App signature
  Description: Allows the creation of a list of apps based on signatures which cannot be installed.
  Class or Method: addAppSignatureToBlackList()

White/Black listing is done using the full name of the application (such as com.android.testingapp).

The method for configuring these lists is highly dependent on the MDM solution chosen. Please refer to
the MDM specific guidance [MDMG] on exactly how to set these policies.

Note: The Application White/Black lists will not have any impact on apps that are part of the system
image. Built-in apps can instead be Disabled.

4.3.3.15 Remote Wipe Settings (All)
Setting: Remotely wipe the device
  Value: True
  Description: Remotely wipe the data stored on the device. This will perform a factory reset.
  Class or Method: wipeDevice(), wipeData()

4.3.3.16 Lock Screen Settings (KNOX)


Setting: Password Length
  Value: 6-16
  Description: Minimum container password length
  Class or Method: setPasswordMinimumLength()

Setting: Password Complexity
  Value: Set min # of characters or max sequences
  Description: Settings to require different types of characters in the container password
  Class or Method: setMaximumCharacterOccurrences(), setMaximumCharacterSequenceLength(), setMaximumNumericSequenceLength(), setMinPasswordComplexChars(), setMinimumCharacterChangeLength()

Setting: Password Expiration
  Value: (in seconds)
  Description: Specify the maximum age of the container password before it must be changed
  Class or Method: setPasswordExpires()

Setting: Password Entry Visible
  Value: Disable
  Description: This prevents entered passwords from being displayed on the container lock screen
  Class or Method: setPasswordVisibilityEnabled(), setScreenLockPatternVisibilityEnabled()

4.3.3.17 Container Authentication Settings (KNOX)
Setting: Inactivity Timeout Lock Period
  Value: 1 to 60 minutes
  Description: This specifies how long the container will remain unlocked after container usage has stopped
  Class or Method: setPasswordLockDelay()

Setting: Remote Lock
  Value: Enable
  Description: Will remotely lock the container immediately
  Class or Method: lock()

Setting: Multi-Factor Authentication
  Value: Enable/Disable
  Description: Will require the user to provide both biometrics and PIN/password to unlock the container
  Class or Method: enforceMultifactorAuthentication()

4.3.3.18 Services Control Settings (KNOX)


Setting: Camera control
  Value: Enable/Disable
  Description: Enable or Disable access to Camera inside the container
  Class or Method: setCameraState()

Setting: Microphone control
  Value: Enable/Disable
  Description: Enable or Disable access to microphone inside the container
  Class or Method: setMicrophoneState()

4.3.3.19 Application Management Settings (KNOX)


Setting: Install Apps
  Value: App name
  Description: This allows an application to be installed to the container
  Class or Method: installApplication()

Setting: Uninstall Apps
  Value: App name
  Description: This allows applications to be uninstalled from the container.
  Class or Method: uninstallApplication(), uninstallApplications() (bulk list of apps at one time)

Setting: Control app uninstall
  Value: App name
  Description: Enables / disables user uninstall of specified application from the container
  Class or Method: Class ApplicationPolicy: setApplicationUninstallationDisabled(), setApplicationUninstallationEnabled()

Setting: Disable Apps
  Value: Enable/Disable
  Description: This allows an application to be disabled, even if it is installed, and prevent it from running (includes pre-installed apps)
  Class or Method: setDisableApplication()

4.3.3.20 Notification Settings (KNOX)


Setting: Blacklist Application Notification Mode
  Value: Block All, Block Text, Block Text & Sound
  Description: Specify if container notifications are blocked, what level of blocking should be done. Block all notifications, Text (status bar) notifications only, or only Text & Sound.
  Class or Method: setApplicationNotificationMode()

Setting: App Notification Lists
  Value: App Names
  Description: Whitelist and Blacklist of apps that can override default container notifications. Blacklist apps follow that notification mode setting
  Class or Method: addPackagesToNotificationBlackList(), removePackagesFromNotificationBlackList(), addPackagesToNotificationWhiteList(), removePackagesToNotificationWhiteList()

Setting: Email notifications
  Value: Enable/Disable
  Description: Sets whether the email app notifications are displayed for the container
  Class or Method: setEmailNotificationsState()

4.3.3.21 Container Sharing Settings (KNOX)


Setting: Application & File movement
  Value: Enable/Disable
  Description: Define whether apps can be moved into or out of the Container
  Class or Method: allowMoveAppsToContainer(), allowMoveFilesToContainer(), allowMoveFilesToOwner()

Setting: Application Data Sync
  Value: Enable/Disable for apps
  Description: Define whether specific apps can share data between the container & outside
  Class or Method: setAllowChangeDataSyncPolicy() for Contacts, Calendar, Notifications

Setting: Clipboard sharing from Container to OS
  Value: Enable/Disable
  Description: When enabled, this allows clipboard data to be shared outside the container
  Class or Method: allowShareClipboardDataToOwner()

4.3.3.22 Application Control (All)
Setting: Browser Auto Text Completion
  Value: Enable/Disable
  Description: Specifies whether the browser should automatically fill forms from stored data
  Class or Method: setAutoFillSetting()

Setting: Control Allowed Email Accounts
  Value: Enable/Disable for apps
  Description: Specifies restrictions on allowed email accounts. Can specify allowed or blocked domains or individual accounts.
  Class or Method: addAccountsToAdditionBlackList(), addAccountsToAdditionWhiteList() (specify restrictions for all account types)

4.3.3.23 VPN Configuration (Device Only)

The built-in Samsung VPN client can be configured for use by the whole device. More information about
the specific management APIs can be found in the Samsung VPN Client on Galaxy Devices Guidance
Documentation v3.0.

4.3.3.24 KNOX VPN Services (All)

KNOX provides a highly flexible method for configuring VPNs that can include the ability to control
access to applications or groups of applications to specific tunnels. The KNOX VPN service can be used to
control tunnels both inside and outside the container, depending on where the VPN client is installed
(inside or outside the container).

To use the KNOX VPN services, the following is needed:

Component: VPN Installer(s)
  Contents: APKs from vendor
  Description: Installation package(s) from the VPN client vendor for installation on the device. Generally (though not always) this would include 2 files.

Component: VPN profile(s)
  Contents: json files
  Description: The VPN profile(s) to be deployed on the device

Component: "vpn" folder
  Contents: json files and vendor.ini
  Description: The full set of configurations (including Knox configuration) needed for deployment of the VPN profile

The VPN client vendor would provide the files above, though the json configuration would have to be
edited by the Administrator. More information about the json configuration can be found here:
https://seap.samsung.com/api-references/android-premium/reference/com/sec/enterprise/knox/profile_creation.pdf.

A KNOX containerized VPN is a VPN installed specifically inside the KNOX container. It is possible to set
multiple VPN configurations in parallel for different apps or groups of apps. It is also possible to
configure dual layer VPN tunnels by using one VPN outside the container paired with a KNOX
containerized VPN. These Methods are all part of the GenericVpnPolicy Class.

Setting: Create VPN Profile
  Value: VPN Vendor, json file
  Description: Specifies the VPN client vendor and the json configuration file
  Class or Method: createVpnProfile()

Setting: Activate VPN Profile
  Value: Enable/Disable Profile
  Description: Specifies to activate or deactivate VPN profile
  Class or Method: activateVpnProfile()

Setting: Remove VPN Profile
  Value: VPN profile
  Description: Deletes VPN profile
  Class or Method: removeVpnProfile()

Setting: Add Apps to VPN
  Value: Package names
  Description: Adds apps to VPN profile such that these apps must use this VPN profile for connectivity
  Class or Method: addPackagesToVpn(), addAllPackagesToVpn()

Setting: Add Apps to Container VPN
  Value: Package names
  Description: Adds apps to Container VPN profile such that these apps must use this VPN profile for connectivity
  Class or Method: addContainerPackagesToVpn(), addAllContainerPackagesToVpn()

Setting: Remove Apps from VPN
  Value: Package names
  Description: Removes apps from VPN profile
  Class or Method: removePackagesFromVpn(), removeAllPackagesFromVpn()

Setting: Remove Apps from Container VPN
  Value: Package names
  Description: Removes apps from Container VPN profile
  Class or Method: removeContainerPackagesFromVpn(), removeAllContainerPackagesFromVpn()

Note: When adding packages to a VPN profile, use User0 for the whole device and User100 for the Knox container.

4.3.4 Sensitive Data Protection


Samsung has added capabilities for Sensitive Data Protection. This feature is designed to allow
applications which run in the background and receive information to protect that information upon
receipt. This feature is provided as part of the device, but its use is dependent on applications having
been written to the APIs providing the capability. It is expected that this list will grow over time, but is
currently limited to the Samsung Email application contained within the KNOX container.

The API for Sensitive Data Protection exists both for the whole device and KNOX, but unless an
application has been written to the API, it will not take advantage of the Sensitive Data Protection
function.

4.3.5 Additional notes


Samsung Android devices are usually configured by default to send anonymous usage data (including
location, device ID etc.) to Google and Samsung servers. This can be disabled through device settings
and will need to be enforced through procedural controls.

Samsung Android devices do not need to be associated with a Google account to operate as required
within the enterprise. For example, it is still possible to receive push notifications through Google Cloud
Messaging. KNOX MDM APIs can be used to prevent users from signing in to these services (see
[MDMG]).

4.4 Audit Records (KNOX)


Auditing is enabled and events retrieved through the MDM. A KNOX Premium license is required in
order to enable the collection of audit records.

Audit records are stored in a compressed format to minimize space and maximize the number of records
that can be stored. When the allocated space is full the oldest events are overwritten, so the most
recent records are always retained (circular logging/buffering). Notifications are sent to the MDM as
the log space fills, to warn before wrapping occurs.

The minimum amount of allocated space for audit storage is 10MB with a maximum of 50MB,
depending on the available free space when activated. There must be at least 200MB of free space
when Auditing is enabled (an error is returned to the MDM if not), and no more than 5% of free space
will be used, up to the maximum of 50MB. The allocated space is not adjusted after it is initially set.

Within the logging it is also possible to specifically filter the events that are written to the log.

4.4.1 Types of Audit Events


There are three classes of audit events that can be logged: system and apps, kernel, and IP tables. Each
can be controlled individually, so you can log just selected classes of events. Kernel and IP table logging
generate a large number of events, so care should be taken that the MDM collects the logs frequently if
they are enabled, or the circular logging function could cause events to be overwritten and lost.

4.4.2 Audit Collection Settings


All methods are in the class com.sec.enterprise.knox.auditlog.

Setting: Enable Auditing
  Value: -
  Description: Enables audit collection
  Class or Method: enableAuditLog()

Setting: Disable Auditing
  Value: -
  Description: Disables audit collection
  Class or Method: disableAuditLog()

Setting: Configure Logging Filters
  Value: See Filter Settings table
  Description: Configures what events are to be captured (see Filter table)
  Class or Method: setAuditLogRules()

Setting: Enable IP Tables Auditing
  Value: -
  Description: Enables the collection of IP Tables
  Class or Method: enableIPTablesLogging()

Setting: Disable IP Tables Auditing
  Value: -
  Description: Disables the collection of IP Tables
  Class or Method: disableIPTablesLogging()

4.4.2.1 Audit Collection Filter Settings


Member: setSeverityRule(int severityRule)
  Values: 1 = Alert, 2 = Critical, 3 = Error, 4 = Warning, 5 = Notice
  Description: Specifies the minimum severity level to log. Everything with the specified number and lower will be logged.

Member: setOutcomeRule(int outcomeRule)
  Values: 0 = Fail, 1 = Success, 2 = All
  Description: Specifies filtering based on the outcomes of each event

Member: setGroupsRule(List<Integer> groupsRule)
  Values: 1 = Security, 2 = System, 3 = Network, 4 = Events, 5 = Application, NULL = All
  Description: Specifies the groups of events to log. NULL will log events from all groups.

Member: setKernelLogsEnabled(boolean enableKernel)
  Values: True = Enable, False = Disable
  Description: Enables or disables Kernel logging

Member: setUsersRule(List<Integer> usersRule)
  Values: List of UID
  Description: This allows logging only from specified UIDs in the list. This is only available to MDMs outside the KNOX container (inside the container the MDM can only see the container user). System events (group 2) are always logged.

4.4.3 Audit Record Fields
The audit records have eight (8) fields as described in the following table.

Field: Timestamp
  Description: Long value that represents the UTC timestamp

Field: Severity
  Description: Integer value representing the severity: 1 (alert), 2 (critical), 3 (error), 4 (warning), 5 (notice)

Field: Group
  Description: Integer value representing the group code: 1 (security), 2 (system), 3 (network), 4 (events), 5 (application)

Field: Outcome
  Description: Integer value representing the outcome of the event: 1 (success), 0 (failure)

Field: PID
  Description: Integer value representing the process ID

Field: USERID
  Description: Integer value representing the USERID for which the log was originated. ID 0 is for a normal user; ID -1 is for system events; ID 100-102 is for container users (multiple containers can be defined)

Field: Component
  Description: String representing the facility/Software Component name

Field: Message
  Description: Free-form message description of the event (generally a human-readable message)
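The filter semantics in 4.4.2.1 are easy to get backwards: severity 1 is the most severe, so a severity rule of 3 keeps Alert, Critical and Error and drops Warning and Notice; an outcome rule of 2 keeps both outcomes; a NULL group list keeps every group; and group 2 (system) events are kept regardless of the rules. The following added example (not code from the Samsung guide) applies those rules to records carrying the eight fields above. The guide does not specify how records are serialized when retrieved, so the tab-separated line layout and the sample records are constructed for the example; the message texts reuse templates from 4.4.5 where one exists.

```python
"""Apply the Knox audit filter rules (setSeverityRule, setOutcomeRule, setGroupsRule,
setUsersRule) to records with the eight fields of 4.4.3. Added example, not code from
the Samsung guide; the tab-separated record layout and sample records are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

SEVERITY = {1: "alert", 2: "critical", 3: "error", 4: "warning", 5: "notice"}
GROUP = {1: "security", 2: "system", 3: "network", 4: "events", 5: "application"}
GROUP_SYSTEM = 2                                  # always logged, whatever the rules say
OUTCOME_FAIL, OUTCOME_SUCCESS, OUTCOME_ALL = 0, 1, 2


@dataclass(frozen=True)
class AuditRecord:
    timestamp: int      # UTC
    severity: int       # 1 (alert) .. 5 (notice)
    group: int          # 1..5, see GROUP
    outcome: int        # 1 success, 0 failure
    pid: int
    userid: int         # 0 normal user, -1 system, 100-102 container users
    component: str
    message: str

    @classmethod
    def parse(cls, line: str) -> "AuditRecord":
        # Constructed layout: eight tab-separated fields, message last (may itself contain no tabs)
        ts, sev, grp, out, pid, uid, comp, msg = line.rstrip("\n").split("\t", 7)
        return cls(int(ts), int(sev), int(grp), int(out), int(pid), int(uid), comp, msg)


@dataclass
class AuditRules:
    severity: int = 5                         # setSeverityRule: keep this number and lower
    outcome: int = OUTCOME_ALL                # setOutcomeRule
    groups: Optional[List[int]] = None        # setGroupsRule: None (NULL) keeps all groups
    users: Optional[List[int]] = None         # setUsersRule: None keeps all UIDs


def keep(rec: AuditRecord, rules: AuditRules) -> bool:
    """True when the record passes the filter; system (group 2) events always do."""
    if rec.group == GROUP_SYSTEM:
        return True
    if rec.severity > rules.severity:         # larger number = less severe = filtered out
        return False
    if rules.outcome != OUTCOME_ALL and rec.outcome != rules.outcome:
        return False
    if rules.groups is not None and rec.group not in rules.groups:
        return False
    if rules.users is not None and rec.userid not in rules.users:
        return False
    return True


def filter_records(lines: Iterable[str], rules: AuditRules) -> List[AuditRecord]:
    return [r for r in map(AuditRecord.parse, lines) if keep(r, rules)]


# Constructed sample records: timestamp, severity, group, outcome, PID, USERID, component, message
SAMPLE = [
    "1496275200\t5\t2\t1\t1\t-1\tsystem_server\tAndroid boot completed",
    "1496275260\t5\t1\t1\t2345\t0\tMDM\tAdmin com.example.mdm has requested to enable CCMode",
    "1496275320\t3\t1\t0\t2346\t0\tkeystore\tKey generation failed, with error 6",
    "1496275380\t4\t3\t1\t2347\t100\tnetd\t(constructed) interface wlan0 associated",
    "1496275440\t2\t5\t0\t2348\t100\tEmail\t(constructed) account sync failed",
]
```

Note that a users rule of `[100]` still returns the boot record: the system event is kept by the group-2 exception, not by the rule, which is the behaviour an MDM inside the container should expect when it can only see its own user.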

4.4.4 Audit Events and Management


One important note about the audit capabilities is that they are tied to being enrolled to a management
server (MDM/EDM). If the device is not enrolled there is no way to enable auditing, and when a device is
unenrolled, the audit records are deleted as part of the unenrollment process, so any events created
between the last review/upload and the unenrollment will be lost.

4.4.5 Audit Events
The following list of audit records are produced related to the functionality claimed in the MDFPP.

4.4.5.1 System and Audit Service Events


Message: AuditLog status has changed to <enable>
  Description: This shows the status of the audit log. Note that when disabled, audit logs are erased

Message: AuditLog has reached its critical size. Percentage is <value>
  Description: Shows the audit storage has reached the percentage full set in <value>

Message: Android boot completed
  Description: Startup of the operating system is complete

Message: Android will be shutdown
  Description: A shutdown command has been sent to the device (from any source)

Message: AuditLog filter rules has changed
  Description: The filtering rules for the audit log have been changed

4.4.5.2 Common Criteria Mode Events


Message: Admin <admin pkg name> has requested to <enable, disable> CCMode
  Description: Shows when CC Mode is enabled or disabled by policy

Message: CC Mode status : <Ready, Enforcing, Enabled, Disabled>
  Description: Shows the current CC Mode status on device startup

4.4.5.3 Encryption-related Events

These events cover ODE, external media encryption and FDP_DAR_EXT.2 functions.

Message: Admin <admin pkg name> has requested storage encryption
  Description: These messages show the MDM enabling ODE. The setting is requested, then the process of encryption is requested, and lastly showing it is active after the encryption process is completed.

Message: Admin <admin pkg name> has requested SD card encryption.
  Description: These messages show the MDM enabling SD card encryption.

Message: Admin <admin pkg name> has requested encryption of external storage
  Description: These messages show the MDM enabling external storage encryption (such as when media is plugged in through the USB port).

Message: Encrypting storage card <succeeded/failed>
  Description: Shows success and failure of storage encryption for the SD Card.

Message: user_id[<uid>]/pid[<pid>] failed to access file [<file>]
  Description: Shows failure of storage services related to FDP_DAR_EXT.2

4.4.5.4 Administration Settings


Message: Admin <pkg name> has changed maximum failed passwords for wipe to <value>
  Description: Shows the maximum failed passwords allowed before the device is wiped has been set to <value>

Message: Admin <admin pkg name> has changed password minimum length to <value>
  Description: The minimum password length has been set to <value>

Message: Admin <admin pkg name> has changed password quality to <value>
  Description: The password quality (complexity) has been set to <value>

Message: Admin <admin_pkg> has changed screen lock time out to <value msec>
  Description: The session timeout for locking the screen has been set to <value msec>

Message: Admin <admin_pkg> has changed maximum failed passwords for disable to <value>
  Description: The maximum failed password attempts before locking the device is set to <value>

Message: Admin <admin_pkg> has changed maximum character occurrences to <value>
  Description: The maximum number of times the same character can be in the password is set to <value>

Message: Admin <admin_pkg> has changed password expiration time out to <value msec>
  Description: The password expiration has been set to <value msec>

Message: Admin <uid> has <allowed|disallowed> <biometric type>.
  Description: The admin has allowed or blocked access to the specific biometric listed: BIOMETRIC_AUTHENTICATION_FINGERPRINT, BIOMETRIC_AUTHENTICATION_IRIS

Message: Admin <admin_pkg> has <enabled, disabled> reboot banner [with text <text>]
Message: Lock screen string was enabled.
Message: Lock screen string was changed to <value>
Message: Admin <admin> has cleared the lock screen string
  Description: Setting of the login banner

Message: Admin <admin_pkg> has <allowed|enabled, disallowed|disabled> <feature>
  Description: The admin has allowed or disallowed the following features: Camera, Microphone, Developer mode, Airplane mode, USB Tethering setting, Wi-Fi Tethering setting, Bluetooth tethering, NFC, Cellular data, USB debugging, USB Media Player (MTP), VPN, S-Beam, Android Beam, S-Voice, USB Host Storage, <profile> Bluetooth profile

Message: Admin <admin_pkg> has changed WiFi allowed to <true, false>
  Description: Admin has enabled or disabled Wi-Fi

Message: Admin <admin_pkg> has changed allow bluetooth to <true, false>
  Description: Admin has enabled or disabled Bluetooth
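The messages in 4.4.5.2 and this section are the ones an MDM or SIEM should watch for drift out of the evaluated configuration. As an added example (not code from the Samsung guide), the rules below match a few of those message templates with regular expressions and raise an alert when CC Mode is disabled or the device boots in a status other than Enabled, when the wipe threshold is set above the 10-failure limit of 4.3.2.4 (or to 0, which in Android's DevicePolicyManager convention means never wipe), when the minimum password length drops below the 6 of 4.3.3.1, or when a biometric is allowed. The sample messages are constructed to follow the templates; real messages should be checked against the device before the patterns are relied on.

```python
"""Detection rules over Knox audit log messages, using the message templates of
4.4.5.2 and 4.4.5.4. Added example, not code from the Samsung guide; the sample
messages are constructed to follow those templates."""
import re
from typing import Iterable, List, Optional, Tuple

MAX_WIPE_FAILURES_DEVICE = 10   # required setting, 4.3.2.4
MIN_PASSWORD_LENGTH = 6         # lower end of the 6-16 range, 4.3.3.1


def _wipe_alert(value: int) -> Optional[str]:
    if value == 0:                                  # Android DevicePolicyManager convention: 0 = never wipe
        return "wipe on failed passwords disabled (threshold 0)"
    if value > MAX_WIPE_FAILURES_DEVICE:
        return f"wipe threshold {value} exceeds {MAX_WIPE_FAILURES_DEVICE}"
    return None


# (rule name, compiled template, judge(match) -> alert text or None when the change is acceptable)
RULES = [
    ("ccmode_change",
     re.compile(r"^Admin (?P<admin>\S+) has requested to (?P<action>enable|disable) CCMode$"),
     lambda m: f"CC Mode disabled by {m['admin']}" if m["action"] == "disable" else None),
    ("ccmode_status",
     re.compile(r"^CC Mode status : (?P<status>Ready|Enforcing|Enabled|Disabled)$"),
     lambda m: None if m["status"] == "Enabled" else f"device booted with CC Mode {m['status']}"),
    ("wipe_threshold",
     re.compile(r"^Admin (?P<admin>\S+) has changed maximum failed passwords for wipe to (?P<value>\d+)$"),
     lambda m: _wipe_alert(int(m["value"]))),
    ("min_length",
     re.compile(r"^Admin (?P<admin>\S+) has changed password minimum length to (?P<value>\d+)$"),
     lambda m: (f"minimum length {m['value']} below {MIN_PASSWORD_LENGTH}"
                if int(m["value"]) < MIN_PASSWORD_LENGTH else None)),
    ("biometric",
     re.compile(r"^Admin (?P<admin>\S+) has (?P<verb>allowed|disallowed) (?P<type>BIOMETRIC_AUTHENTICATION_\w+)\.$"),
     lambda m: f"{m['type']} allowed by admin {m['admin']}" if m["verb"] == "allowed" else None),
]


def scan(messages: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule name, alert text) for every message that trips a rule; first matching rule wins."""
    alerts = []
    for msg in messages:
        for name, pattern, judge in RULES:
            match = pattern.match(msg)
            if match:
                alert = judge(match)
                if alert:
                    alerts.append((name, alert))
                break
    return alerts


# Constructed sample lines following the message templates in this section
SAMPLE_MESSAGES = [
    "CC Mode status : Enabled",
    "Admin com.example.mdm has changed maximum failed passwords for wipe to 10",
    "Admin com.example.mdm has changed maximum failed passwords for wipe to 25",
    "Admin com.example.mdm has changed password minimum length to 4",
    "Admin 1000 has allowed BIOMETRIC_AUTHENTICATION_FINGERPRINT.",
    "Admin com.example.mdm has requested to disable CCMode",
    "Admin com.example.mdm has changed screen lock time out to 60000 msec",
]
```

Because a successful factory reset wipes the log (4.4.5.8) and unenrollment deletes it (4.4.4), these rules only help if the MDM uploads records often enough that the offending change is seen before either happens.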

4.4.5.5 KNOX Container Management

Most of the management functions for the container (such as password management or camera access)
generate the same messages as outside the container. The messages inside the container will be marked
with the Container ID (usually 100).

Message: Admin <admin pkg name> has successfully requested to create container.
  Description: Creation of a KNOX Container has been requested

Message: Admin <admin pkg name> has successfully removed container <container ID>
  Description: Removal of a KNOX Container.

Message: Admin <admin pkg name> has <locked/unlocked> container
  Description: The admin has locked or unlocked the container

4.4.5.6 KNOX Container Sharing


Message: Admin <uid> has <allowed|disallowed> moving applications to container.
Description: The admin has allowed or disallowed applications to be moved to the container.

Message: Admin <uid> has <allowed|disallowed> moving files to container.
Description: The admin has allowed or disallowed files to be moved to the container.

Message: Admin <uid> has <allowed|disallowed> moving files to owner.
Description: The admin has allowed or disallowed files to be moved from the container.

Message: Admin <uid> has <allowed|disallowed> sharing clipboard to owner from container.
Description: The admin has allowed or disallowed the clipboard to be shared from the container.

4.4.5.7 External Media Access


Message: Admin <admin pkg name> has <enabled/disabled> access to external SDCard
Description: Shows when SD card mounting has been allowed or blocked

Messages:
  Removable Media Event : External SD Card Mounted
  Removable Media Event : External SD Card Unmounted
Description: Shows mount events for SD card and USB media.

4.4.5.8 Factory Reset Events

These events are only for reset failures since by definition a successful reset would wipe out the audit
logs.

Message: Starting user data Wipe
Description: This event is seen when a wipe fails to occur and the logs are not wiped.

4.4.5.9 Administration Command Events


Message: Admin <admin pkg name> has locked device
Description: The admin has forced the device to lock

Message: Admin <admin pkg name> has requested full wipe of device
Description: The admin has sent a command to force a factory reset

4.4.5.10 Key Management Events


Message: Key generation failed, with error <number>
Description: The generation of a key pair failed

Messages:
  Key importing activity (Keystore=<keystore>, keyName=<keyname>, uid=<target uid>, requested by <pkg name>: uid=<uid> role=<SystemApp, UserApp> | <Administrator, NonAdministrator>) succeeded
  Key importing activity (Keystore=<keystore>, keyName=<keyname>, uid=<target uid>, requested by <pkg name>: uid=<uid> role=<SystemApp, UserApp> | <Administrator, NonAdministrator>) failed with error <error msg>
Description: Shows success or failure of importing keys to the keystore.

Messages:
  Key destruction activity (Keystore=<keystore>, keyName=<keyname>, uid=<target uid>, requested by <pkg name>: uid=<uid> role=<SystemApp, UserApp> | <Administrator, NonAdministrator>) succeeded
  Key destruction activity (Keystore=<keystore>, keyName=<keyname>, uid=<target uid>, requested by <pkg name>: uid=<uid> role=<SystemApp, UserApp> | <Administrator, NonAdministrator>) failed with error <error msg>
Description: Shows success or failure of deleting keys from the keystore.

Message: Key integrity check failed: key filename=<filename>, uid=<uid>
Description: Shows the integrity check of a key in the keystore has failed

4.4.5.11 Certificate Revocation Events

Message: Admin id <admin pkg name> has <enabled, disabled> certificate revocation check for <pkg name>
Description: Shows enabling or disabling of certificate revocation checking. <pkg name> shows if changed for specific packages. “*” is shown for all packages.

Message: Admin id <admin pkg name> has <enabled, disabled> OCSP for <pkg name>
Description: Shows enabling or disabling of OCSP checking. <pkg name> shows if changed for specific packages. “*” is shown for all packages.

Messages:
  Installing certificate succeeded. Keystore <keystore>, <certificate information>
  Deleting certificate succeeded. Keystore <keystore>, <certificate information>
Description: Shows the status of adding and removing user certificates into the Trust Anchor Database.

Messages:
  Clearing credentials succeeded. Keystore : <Wi-Fi, VPN and Apps>
  Clearing credentials succeeded. Keystore : Default
Description: Shows clearing of credentials in the Trust Anchor Database that are associated with specific applications (or all).

Message: Chain verification failed. Cert[<num>]: <cert subject> Issuer: <cert issuer> Reason: <error msg>
Description: Shows when X.509v3 certificate validation errors occur

Message: CertPathValidator failed: Unable to determine revocation status due to network error
Description: Shows error messages for CRL or OCSP failures

4.4.5.12 Wi-Fi Management Events


Message: Admin id <admin pkg name> has changed WiFi SSID restriction to <true/false>
Description: Enables or disables SSID white/black listing

Message: Admin id <admin pkg name> has <added/removed> SSID <SSID name> to the restriction <blacklist/whitelist>
Description: The admin has added or removed specific SSIDs to the whitelist or blacklist. “*” can be used on the blacklist to note that all networks except those explicitly allowed will be blocked

Message: Admin id <admin pkg name> has removed all SSIDs from the restriction <blacklist/whitelist>
Description: The admin has removed all SSIDs from the specified list

Message: Admin id <admin pkg name> has <allowed/blocked> access to WiFi SSID <SSID name>
Description: Individual SSID control without enabling white/black listing

Message: Admin id <admin pkg name> has set a new wifi profile: SSID: <SSID name> Security type <security> CA certificate: <cert>
Description: The admin has pushed a new Wi-Fi profile to the device

4.4.5.13 Remote Session Events

Messages:
  Application (<pkg name>, <uid>) has started a SSL/TLS handshake with a remote connection endpoint (<dst name>:<dst port>)
  Application (<pkg name>, <uid>) has finished a SSL/TLS handshake with a remote connection endpoint (<dst name>:<dst port>)
  Application (<pkg name>, <uid>) has finished a SSL/TLS session with a remote connection endpoint (<dst name>:<dst port>)
  Application (<pkg name>, <uid>) has started a HTTPS handshake with a remote connection endpoint (<dst name>:<dst port>)
  Application (<pkg name>, <uid>) has finished a HTTPS handshake with a remote connection endpoint (<dst name>:<dst port>)
  Application (<pkg name>, <uid>) has finished a HTTPS session with a remote connection endpoint (<dst name>:<dst port>)
Description: Shows applications have started SSL, TLS or HTTPS connections with remote endpoints.

Message: Application (<pkg name>, <uid>) got SSL protocol exception: Handshake (failed, aborted) Cause: <error msg>
Description: Shows applications have attempted to start SSL, TLS or HTTPS connections with remote endpoints but there was a failure as specified in the <error msg>

Message: Identifier verification failed. Presented identifier: <identifier> List of reference identifiers: <reference identifiers>
Description: Shows the presented identifier to be checked and rejected

Messages:
  Wi-Fi is failed to connect to <access point> network. Reason: <msg reason>.
  Wi-Fi is connected to <SSID> network using <Type of Channel> channel
  Wi-Fi is disconnected from <SSID> network using EAP-TLS channel
Description: EAP-TLS status messages. Errors:
  • Authentication Failure – invalid client certificate

Message: wpa_supplicant messages: SSL handshake failed: SSL_connect error <error #>:SSL routines:<routine>:<error msg>
Description: Certificate errors are shown in the EAP-TLS processing

4.4.5.14 Application Install/Update Events


Message: Admin <admin pkg name> has <allowed/blocked> access to Google Playstore (com.android.vending)
Description: Shows when Google Play store is allowed or not

Message: Admin <admin pkg name> has <allowed/disallowed> installation of non-Google-Play application
Description: Admin has allowed or blocked “Unknown Sources” for installing apps

Messages:
  Starting to install Application <pkg name>
  Install Application <pkg name> <succeeded/failed>
Description: Installation or update of application has started and succeeded or failed

Message: Uninstall Application <pkg name> <succeeded/failed>
Description: The removal of the application has succeeded or failed

Message: Admin <admin pkg name> has <installed/removed> application <pkg name>
Description: The admin has installed or removed the application by policy

Message: Application installed from <path> insecure file path
Description: The installed application has an insecure file path (such as a bad file extension even though the file was a proper package)

Message: Admin <admin pkg name> has installed application from <path>
Description: The admin has installed an application from the path specified

Message: Admin <admin pkg name> has prevented installation of <pkg names>
Description: The policy has been set to prevent the installation of the listed applications. “*” is used to denote all applications should be prevented.

Message: Admin <uid> has <added/removed> <signature> to app signature <whitelist/blacklist>
Description: The admin has added or removed a developer signature to an application whitelist or blacklist. This will allow or block all applications signed by this signature.

Message: Admin <uid> has <added/removed> <signature> to package name <whitelist/blacklist>
Description: The admin has added or removed a package name to an application whitelist or blacklist. “*” and “?” can be used as wildcards in denoting the package names.

4.4.5.15 Sync Events


Message: Syncing account <account name> succeeded
Description: The account has successfully completed a sync to the associated server

4.4.5.16 User Events


Message: screen-lock enabled : password
Description: This shows the user has set or reset their password

Message: The device time has been changed. Current Time = <time> [<uid>, <pid>]
Description: The device time has been changed

4.4.5.17 Location Events

Message: Admin <admin pkg name> has <started/stopped> GPS
Description: The admin has started or stopped the GPS radio

Message: Admin <admin pkg name> has <enabled/disabled> location provider <GPS/network/passive>
Description: The admin has enabled or disabled the specified location provider service

4.4.5.18 FOTA Update Events


Messages:
  Software update: Software update <version> succeeded
  Software update: Software update <version> failed
Description: Shows status of FOTA update process for all carriers except Verizon Wireless. The first message will appear before the reboot where the update will be applied. Success or failure of update will be recorded on the boot after the update process has run.

Messages:
  Software update: Software update <packageName> started
  Software update: Software update <version> succeeded
  Software update: Software update <version> failed
Description: Shows status of FOTA update process for Verizon Wireless. The first message will appear before the reboot where the update will be applied. Success or failure of update will be recorded on the boot after the update process has run.

4.4.5.19 Integrity Events


Message: Verification failed. Unable to restart you phone. The integrity verification has failed. You need to reset your phone to the factory default settings. This will erase you data.
Description: NOTE: This is shown on the screen and forces a data wipe (so no log).

Message: BoringSSL self-test <msg>
Description: Shows successful completion of BoringSSL self-tests
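The message templates in sections 4.4.5.10 to 4.4.5.13 are what a log collector has to match on. As an added example (not code from this guide or from Samsung), the following Python classifies the failure-type messages from those tables so they can be counted and alerted on; it assumes the audit record framing around the message body (timestamp, severity) has already been stripped, and the sample messages are constructed.

```python
import re
from typing import Optional

# Message templates from the guide's tables, turned into regular expressions.
# Placeholders such as <keystore> become named groups; anything not listed
# here (e.g. the successful handshake messages) is deliberately ignored.
PATTERNS = {
    "key_integrity_failed": re.compile(
        r"^Key integrity check failed: key filename=(?P<filename>.+?), uid=(?P<uid>\d+)$"),
    "key_import_failed": re.compile(
        r"^Key importing activity \(Keystore=(?P<keystore>[^,]+), keyName=(?P<keyname>[^,]+),"
        r".*\) failed with error (?P<error>.+)$"),
    "chain_verification_failed": re.compile(
        r"^Chain verification failed\. Cert\[(?P<num>\d+)\]: (?P<subject>.+?) "
        r"Issuer: (?P<issuer>.+?) Reason: (?P<reason>.+)$"),
    "revocation_status_unknown": re.compile(
        r"^CertPathValidator failed: Unable to determine revocation status due to network error$"),
    "tls_handshake_exception": re.compile(
        r"^Application \((?P<pkg>[^,]+), (?P<uid>\d+)\) got SSL protocol exception: "
        r"Handshake \((?P<state>failed|aborted)\) Cause: (?P<cause>.+)$"),
    "identifier_verification_failed": re.compile(
        r"^Identifier verification failed\. Presented identifier: (?P<identifier>.+?) "
        r"List of reference identifiers: (?P<references>.+)$"),
}


def classify(message: str) -> Optional[dict]:
    """Return {'event': <name>, <placeholder>: <value>, ...} for a recognised
    failure message, or None for messages that need no attention."""
    text = message.strip()
    for name, pattern in PATTERNS.items():
        m = pattern.match(text)
        if m:
            return {"event": name, **m.groupdict()}
    return None


def summarise(messages) -> dict:
    """Count recognised events by type: the tally a SIEM rule would alert on,
    e.g. repeated chain verification failures from one application."""
    counts: dict = {}
    for msg in messages:
        ev = classify(msg)
        if ev is not None:
            counts[ev["event"]] = counts.get(ev["event"], 0) + 1
    return counts


# Constructed sample messages written to the guide's templates (not captured
# from a device); package names, uids and hostnames are invented.
SAMPLE_MESSAGES = [
    "Key integrity check failed: key filename=USRPKEY_vpnclient, uid=10042",
    "Key importing activity (Keystore=default, keyName=vpnkey, uid=10042, requested by "
    "com.example.mdm: uid=10010 role=UserApp | Administrator) failed with error Invalid key blob",
    "Chain verification failed. Cert[0]: CN=mail.example.test Issuer: CN=Example Root CA "
    "Reason: certificate has expired",
    "CertPathValidator failed: Unable to determine revocation status due to network error",
    "Application (com.example.mailclient, 10042) got SSL protocol exception: "
    "Handshake (failed) Cause: Connection reset",
    "Identifier verification failed. Presented identifier: CN=evil.example.test "
    "List of reference identifiers: mail.example.test",
    "Application (com.example.mailclient, 10042) has finished a SSL/TLS handshake with a "
    "remote connection endpoint (mail.example.test:443)",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m))
    print(summarise(SAMPLE_MESSAGES))
```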

4.5 Secure Delivery


While a Samsung device requires initial configuration before it can be added to the enterprise
environment, it is also critical to ensure that the device is received prior to configuration in a secure
manner, free from tampering or modification.

It is very important that the devices to be deployed into the enterprise are obtained from reputable
carriers to reduce the likelihood that tampering of devices may occur.

Upon receipt, the boxes containing the device should have both a tracking label and two labels placed at
either end of the box to indicate whether the box has been opened prior to delivery. If these seals are
broken, do not accept the device and return it to your supplier.

The tracking label should look similar to Figure 2 - Tracking label, while the two tamper labels should
appear similar to Figure 3 - Security Seal (Black) or Figure 4 - Security Seal (White).

Figure 2 - Tracking label

Figure 3 - Security Seal (Black)

Figure 4 - Security Seal (White)

4.5.1 Evaluation version


Several pieces of information identify the device being used and the components on that device (such as the operating system version and the build version). They are all shown under Settings/About device. The following version information can be found there:

• Model number – the hardware model (this is carrier specific, so for example a Samsung Galaxy S4 on Verizon Wireless has a different model number than on AT&T)

• Android version – the Android OS version

• Build number – the specific binary image version for the device

• Security Software Version – shows the Common Criteria evaluations and the version of the software components related to those evaluations on the device

For the Common Criteria evaluation for the mobile device, this will show:

MDF vABC Release XYZ

Where ABC is the version of the MDFPP and XYZ is the version number of the software that has been
validated.

4.5.2 Pre-packaged Software Versions
Samsung Android devices come with large amounts of software apps to provide the full breadth of
functionality expected by the customer. Some of the apps come from Google, some from Samsung, and
others from the cellular carrier. For a list of the apps and their versions contained on a specific device,
visit the website where you can download the CC Mode app and select the device you are using. This
will provide a complete list of the software installed on the evaluated device.

4.5.2.1 Software Versions on Device

To verify the versions of any software on the device (compared to the list from the website), open
Settings/Application manager. Under the heading All, you will see every application on the device (both
those that are pre-installed and any you have installed). Selecting an application will display its
properties. The version number is shown at the top under the name.

Note: Using adb (USB debugging must be enabled to use adb) it is possible to extract all package version
information at once.
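The adb note above describes pulling every package version at once. As an added example (not code from this guide or from Samsung), the following Python compares the versionName values reported by `dumpsys package` against an expected inventory; it assumes adb is on PATH and USB debugging is enabled when run against a real device, while parse_versions() is exercised here on a constructed dumpsys-style sample.

```python
import re
import shutil
import subprocess

# 'dumpsys package <pkg>' prints each package section headed by a line such as
# '  Package [com.android.vending] (1a2b3c):' followed by indented fields,
# including 'versionName=<version>'.
SECTION_RE = re.compile(r"(?m)^\s*Package \[")
VERSION_RE = re.compile(r"(?m)^\s*versionName=(?P<version>\S+)")


def parse_versions(dump: str) -> dict:
    """Map package name -> versionName from concatenated dumpsys output.
    The first section for a name wins, so the active package takes precedence
    over an entry under 'Hidden system packages' (the pre-update system copy)."""
    versions = {}
    for section in SECTION_RE.split(dump)[1:]:
        name = section.split("]", 1)[0]
        m = VERSION_RE.search(section)
        if m:
            versions.setdefault(name, m.group("version"))
    return versions


def compare(expected: dict, found: dict) -> dict:
    """Classify each expected package as match, mismatch (wrong version) or
    missing; packages on the device but not in the inventory are 'extra'."""
    result = {"match": [], "mismatch": [], "missing": [], "extra": []}
    for pkg, ver in expected.items():
        if pkg not in found:
            result["missing"].append(pkg)
        elif found[pkg] != ver:
            result["mismatch"].append((pkg, ver, found[pkg]))
        else:
            result["match"].append(pkg)
    result["extra"] = sorted(set(found) - set(expected))
    return result


def dump_from_device() -> str:
    """Collect dumpsys output for every installed package over adb (requires a
    connected device with USB debugging enabled, as the guide notes)."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    listing = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                             capture_output=True, text=True, check=True).stdout
    pkgs = [line.split(":", 1)[1].strip()
            for line in listing.splitlines() if line.startswith("package:")]
    return "".join(subprocess.run(["adb", "shell", "dumpsys", "package", p],
                                  capture_output=True, text=True, check=True).stdout
                   for p in pkgs)


# Constructed sample in the shape of dumpsys output; version numbers are invented.
SAMPLE_DUMP = """Packages:
  Package [com.android.vending] (1a2b3c):
    versionCode=80790700 minSdk=24 targetSdk=25
    versionName=7.9.07
  Package [com.example.mdmagent] (4d5e6f):
    versionCode=12 minSdk=23 targetSdk=25
    versionName=1.2.0
"""
# Expected inventory, as transcribed from the evaluated device's software list (invented values).
EXPECTED = {"com.android.vending": "7.9.07",
            "com.example.mdmagent": "1.3.0",
            "com.example.vpn": "2.0"}

if __name__ == "__main__":
    print(compare(EXPECTED, parse_versions(SAMPLE_DUMP)))
```

Against a real device, replace SAMPLE_DUMP with the string returned by dump_from_device().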

4.6 Secure Updates


Once a device has been deployed, it may be desirable to accept updates to the software on the device
to take advantage of the latest and greatest features of Samsung Android. Updates are provided for
devices as determined by Samsung and the carriers based on many factors.

When updates are made available, they are signed by Samsung with a private key that is unique to the
device/carrier combination (i.e. a Galaxy S7 on Verizon will not have an update signed with the same key
as a Galaxy S7 on AT&T). The public key is embedded in the bootloader image, and is used to verify the
integrity and validity of the update package.

When updates are made available for a specific device (they are generally rolled out in phases across a
carrier network), the user will be prompted to download and install the update (see the User Guide for
more information about checking for, downloading and installing the update). The update package is
checked automatically for integrity and validity by the software on the device. If the check fails the user
is informed that there were errors in the update and the update will not be installed.

4.6.1 Allowed Update Methods


When CC Mode is enabled, only Firmware Over the Air (FOTA) updates are allowed to be installed on
the device. Other methods for installing updates (such as ODIN or Samsung KIES) are blocked and cannot
be used to update the firmware. This protects against local, physical attacks that could replace the
software without the user's knowledge.

4.6.2 Blocking Updates


It is possible to block FOTA updates on a device by setting allowOTAUpgrade() to be false via the MDM.
This can be used to either freeze the software installed or to allow an organization time to test the
update before letting it roll out to the user community.

5 Operational security

5.1 Modes of operation


The TOE can be operated in four different modes, depending on the role of the user accessing the
device:

• Administrator mode;

• User mode;

• Error mode; and

• Recovery mode

A device is considered to be in Administrator mode before it is delivered to the user. The device is
prepared and configured for deployment in the enterprise environment via the Samsung Enterprise SDK.
The TOE administrators are trusted to follow and apply all administrator guidance in a trusted manner.
An unprivileged user will not have access to this mode of operation.

If an error or operational failure occurs during the transition from Administrator mode (causing the
device to momentarily enter the Error mode of operation) to User mode, the administrator should
follow the guidance for the Mobile Device Management Solution to rectify the failure and restore the
device to normal operational abilities. If it is not possible to adequately eliminate the error or
operational failure, the device is not to be delivered to an end user and should be returned to the
supplier.

After the device is configured in accordance with the Common Criteria evaluated settings, the device is
ready for deployment to a user. When the user receives the device, only the TouchWiz user interface
will be visible and no further changes to the security configuration are possible. Once deployed to a
user, the device will be operating in User Mode. Within User Mode, the only security relevant functions
accessible for the user are ‘lock screen password protection’, ‘change of password’ and ‘local device
wipe’. Typically, an administrator will not access the device in this mode of operation.

The TOE may also be placed into Recovery mode, bypassing the standard boot process and allowing for
configuration changes to be made to the installation of Android. However, this requires the boot loader
for the device to be unlocked and is therefore considered out of scope for this environment.

64 of 66
5.2 Wiping data
The evaluated security configurations provide the ability to both locally or remotely wipe data on the
device. Based on the device configuration, it is possible to wipe data at the device level, the KNOX
container level or both.

An enterprise initiated remote wipe command (either for the device or just the KNOX container,
depending on the configuration) occurs under the following conditions:

• The enterprise sends a remote wipe command to the device:

  o when the device has been lost or stolen;

  o in response to a reported incident;

  o in an effort to resolve current mobile issues; and

  o for other procedural reasons such as when an Android device end user leaves the
    organization.

5.2.1 Wiping the device


The evaluated security configuration provides for a local and a remote wiping process of Android user
devices. This type of wipe works at the storage level and will wipe all data on the device. In a KNOX
container configuration this will wipe all data including the KNOX container (as well as everything not in
the container). This type of wipe is available in all configurations.

The local wipe is manually initiated by the Android device user, or occurs automatically once the
maximum number of incorrect login attempts has been exceeded. The remote wipe is generally initiated by
the Enterprise and Mobile Device Administrator via a remote wipe command.

5.2.2 Wiping the KNOX Container


When a KNOX container has been enabled it is also possible to wipe only the data stored in the KNOX
container. A wipe of the container data will remove the container, including apps and data, but it will
not remove anything outside the KNOX container. This process must be initiated remotely by the
Enterprise and Mobile Device Administrator via a remote wipe container command.

The only way for a user to locally wipe the KNOX container is to unenroll the device from the control of
the MDM. When this is done the KNOX container, all data and apps as well as the MDM Agent will all be
removed from the device.

5.3 VPN Client Use
While Samsung devices come with a Common Criteria-certified VPN client, some Enterprise customers
may have a need for a VPN client from a third party vendor. Android provides the public class
android.net.VpnService for third party vendors to build VPN clients that can be installed and used for
functionality beyond that which is provided by the Android or Samsung built-in VPN clients. VPN client
software built using this interface may provide their own management interface outside of that
provided by Samsung.

More information about this can be found here:

https://developer.android.com/reference/android/net/VpnService.html

5.4 Additional notes on operational security


Common Criteria Part 3 requires operational user guidance covering the following:

• User-accessible functions and privileges that should be controlled in a secure processing
environment, including appropriate warnings.

• Secure usage of available interfaces.

• Security parameters of interfaces and functions under the control of the user and their secure
values.

• Each type of security-relevant event relative to the user-accessible functions.

Administrators and users are considered to use a Samsung Enterprise device. As described in previous
sections of this document, the administrator is responsible for configuration and installation of the
device. The end user receives the device in an operational state where no further security configuration
is possible. The only user accessible user functions are ‘lock screen password protection’, ‘change of
password’ and ‘local device wipe’.

The user is responsible for following the provided user guidance and for not actively working against the
protection of the device data.

The TOE Administrators are trusted to follow and apply all administrator guidance, in particular [MDMG], in a
trusted manner. [MDMG] provides further operational user guidance.
