Rule ID
SV-285857r1244384_rule
Version
V1R1
CCIs
Sensitive DoW data could be exposed when an AI app processes device data in the cloud. SFR ID: FMT_SMF.1.1 #47
Verify the Google Android 17 device has been configured to disable web-based AI interactions. On the Android 17 phone, try to browse to unauthorized AI URLs. Examples to input include chatgpt.com, claude.ai, gemini.google.com, and v0.dev. Verify the unauthorized AI web sites cannot be reached. If the Google Android 17 device has not been configured to disable web-based AI interactions, this is a finding.
Configure the Google Android 17 device to disable web-based AI interactions. For web-based AI in the browser: Create an App Configuration Policy (Requires EMM Admin access): Navigate to your EMM's Policy/App Configuration section and create a new policy targeted at Managed Devices/Android Enterprise. Select the browser (Google Chrome) as the targeted application. Configure the URL blocklist: Locate the URL blocklist setting. Add the domains of the AI tools you want to block. Examples to input include chatgpt.com, claude.ai, gemini.google.com, and v0.dev. Block Incognito Mode: In the same Chrome configuration layout, look for IncognitoModeAvailability. Set Incognito Mode to disabled. This ensures users cannot bypass the URL blocklist by launching an anonymous browsing session. Assign and Push: Save the configuration and assign it to the device groups containing the COBO and COPE profiles. For other browsers it depends on deployment type. For COBO: Because the first step limits the managed Google Play store to only approved apps, ensure that no other browsers (Firefox, Opera, or Edge) are approved in the app allowlist. For COPE: Create a Device Restrictions Policy for the personal profile and set "Disallow install of applications from unknown sources" to True.