Rule ID
SV-284831r1240690_rule
Version
V1R1
CCIs
If the user is able to add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DoW data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability. SFR ID: FMT_SMF.1.1 #47
Review the managed Google Android 17 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. This procedure is performed on both the EMM administration console and the managed Google Android 17 device. COPE: On the EMM console: 1. Open "Set user restrictions". 2. Verify that "Disallow modify accounts" is toggled to "ON". On the managed Google Android 17 device: 1. Open Settings. 2. Tap "Accounts and backup". 3. Select "Work">>"Manage accounts". 4. Tap "Add account". 5. Verify "Add account" is grayed out and cannot be selected. If on the EMM console the restriction to "Disallow modify accounts" is not set, or on the managed Android 17 device the user is able to add an account in the "Work" section, this is a finding.
Configure the Google Android 17 device to prevent users from adding personal email accounts to the work email app. On the EMM console: COPE: 1. Open "Set user restrictions". 2. Toggle "Disallow modify accounts" to "ON". Refer to the EMM documentation to determine how to provision users' work email accounts for the work email app. Configuration API: DISALLOW_MODIFY_ACCOUNTS