STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Google Android 17 COBO Security Technical Implementation Guide

V-285856

CAT II (Medium)

The Google Android 17 device must be configured to disable web-based artificial intelligence (AI) interactions.

Rule ID

SV-285856r1240712_rule

STIG

Google Android 17 COBO Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Sensitive DoW data could be exposed when an AI app processes device data in the cloud. SFR ID: FMT_SMF.1.1 #47

Check Content

Verify the Google Android 17 device has been configured to disable web-based AI interactions.

On the Android 17 phone, try to browse to unauthorized AI URLs. Examples to input are chatgpt.com, claude.ai, gemini.google.com, and v0.dev.

Verify the unauthorized AI websites cannot be reached.

If the Google Android 17 device has not been configured to disable web-based AI interactions, this is a finding.

Fix Text

Configure the Google Android 17 device to disable web-based AI interactions.

For web-based AI in the browser: 

Create an App Configuration Policy (Requires EMM Admin access):

Navigate to your EMM's Policy/App Configuration section and create a new policy targeted at Managed Devices/Android Enterprise. Select the browser (Google Chrome) as the targeted application.
 
Configure the URL blocklist:

Locate the URL blocklist setting. Add the domains of the AI tools you want to block. Examples to input include chatgpt.com, claude.ai, gemini.google.com, and v0.dev.
 
Block Incognito Mode:

In the same Chrome configuration layout, look for IncognitoModeAvailability. 

Set Incognito mode to disabled. This ensures users cannot bypass the URL blocklist by launching an anonymous browsing session.

Assign and Push:

Save the configuration and assign it to the device groups containing the COBO and COPE profiles.

For other browsers it depends on deployment type.
 
For COBO: Because the first step limits the managed Google Play store to only approved apps, ensure that no other browsers (Firefox, Opera, or Edge) are approved in the app allowlist.

For COPE: Create a Device Restrictions Policy for the personal profile and set "Disallow install of applications from unknown sources" to True.