DISA STIGS Viewer

The Samsung Android 15 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.

Overview

Finding ID: V-272582
Version: KNOX-15-705700
Rule ID: SV-272582r1098780_rule
IA Controls: (none listed)
Severity: Medium
Description
Sensitive DOD data could be exposed when an AI app processes device data in the cloud. SFR ID: FMT_SMF.1.1 #8
STIG: Samsung Android 15 MDFPP 3.3 BYOAD Security Technical Implementation Guide
Date: 2025-04-29

Details

Check Text (C-76663r1098620_chk)
Review the managed Samsung Android 15 device configuration settings to determine whether the mobile device includes an AI application that processes device data in the cloud, such as Google Gemini.

Verify requirement KNOX-15-709200 (disallow modify accounts) has been implemented.

The following validation procedure is performed on the management tool Administration Console.

Verify that the KPE API "isIntelligenceOnlineProcessingAllowed()" returns false or that the KSP configuration has the restriction "Allow process data only on device" set to true.

If "disallow modify accounts" is not set to "enable" (KNOX-15-709200), and online processing has not been disallowed by either mechanism (the KPE API "isIntelligenceOnlineProcessingAllowed()" returns true and the KSP configuration does not have the restriction "Allow process data only on device" set to true), this is a finding.
Fix Text (F-76568r1098779_fix)
This validation procedure is performed only on the EMM Administration Console.

On the EMM console:
1. Review the list of selected Managed Google Play apps.
2. Verify that no AI applications that process device data in the cloud, including Google Gemini, are included.

Note: This restriction does not cover Galaxy on-device AI. Galaxy on-device AI is a "built-in" capability of Android 15 on these devices and processes device data on the device itself.

If the EMM console device policy includes AI applications that process device data in the cloud, including Google Gemini, this is a finding.

Disallow modify accounts (refer to requirement KNOX-15-709200).

If "disallow modify accounts" has not been implemented, this is a finding.

Apply the "Disallow Intelligence Online Processing" restriction using either the KPE API or KSP. The KPE API call is allowIntelligenceOnlineProcessing(false); the equivalent KSP restriction is "Allow process data only on device", which should be set to true. Either mechanism satisfies the requirement.
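The following audit script is an added example, not part of the STIG or of any Samsung or DISA tooling. It evaluates the three conditions in the Fix Text (cloud AI apps in the Managed Google Play allowlist, the KNOX-15-709200 account restriction, and the online-processing restriction via either the KPE API or KSP) against a constructed export of the relevant console settings. The export format, its field names (managed_play_apps, disallow_modify_accounts, kpe_online_processing_allowed, ksp_process_data_only_on_device) and the Gemini package name com.google.android.apps.bard are assumptions for illustration; map them to whatever your EMM actually reports.

```python
import json

# Assumed package names of AI apps that process device data in the cloud.
# Google Gemini is the one app the STIG names; its Play package name is
# assumed here to be com.google.android.apps.bard. Extend after app review.
CLOUD_AI_PACKAGES = {
    "com.google.android.apps.bard": "Google Gemini",
}

# Constructed, hypothetical EMM export (not a real console format). The keys
# stand in for: the Managed Google Play app list, the KNOX-15-709200 account
# restriction, the result of the KPE call isIntelligenceOnlineProcessingAllowed(),
# and the KSP restriction "Allow process data only on device".
NONCOMPLIANT_EXPORT = json.dumps({
    "device": "example-device-1",
    "managed_play_apps": [
        "com.microsoft.office.outlook",
        "com.google.android.apps.bard",
    ],
    "disallow_modify_accounts": False,
    "kpe_online_processing_allowed": True,
    "ksp_process_data_only_on_device": False,
})

# Same device after the Fix Text has been applied (also constructed).
COMPLIANT_EXPORT = json.dumps({
    "device": "example-device-1",
    "managed_play_apps": ["com.microsoft.office.outlook"],
    "disallow_modify_accounts": True,
    "kpe_online_processing_allowed": False,
    "ksp_process_data_only_on_device": False,  # KPE path alone is sufficient
})


def online_processing_disallowed(cfg):
    """True when either enforcement path for KNOX-15-705700 is in place:
    the KPE API reports online processing is not allowed, or the KSP
    restriction "Allow process data only on device" is true."""
    return (cfg.get("kpe_online_processing_allowed") is False
            or cfg.get("ksp_process_data_only_on_device") is True)


def audit(export_json):
    """Return a list of findings for one device export; empty means compliant."""
    cfg = json.loads(export_json)
    findings = []

    # 1. Allowlist must not carry AI apps that process device data in the cloud.
    for pkg in cfg.get("managed_play_apps", []):
        if pkg in CLOUD_AI_PACKAGES:
            findings.append(
                f"KNOX-15-705700: allowlist includes {CLOUD_AI_PACKAGES[pkg]} ({pkg})")

    # 2. Dependent requirement: disallow modify accounts (KNOX-15-709200).
    if cfg.get("disallow_modify_accounts") is not True:
        findings.append("KNOX-15-709200: disallow modify accounts not enabled")

    # 3. Disallow Intelligence Online Processing via KPE API or KSP.
    if not online_processing_disallowed(cfg):
        findings.append(
            "KNOX-15-705700: intelligence online processing not disallowed "
            "(KPE allowIntelligenceOnlineProcessing(false) or KSP restriction)")

    return findings


def is_compliant(export_json):
    return not audit(export_json)


if __name__ == "__main__":
    for label, export in (("before fix", NONCOMPLIANT_EXPORT),
                          ("after fix", COMPLIANT_EXPORT)):
        result = audit(export)
        print(f"{label}: {'compliant' if not result else 'FINDINGS'}")
        for f in result:
            print("  -", f)
```

Note that the script treats each condition as an independent finding, as the Fix Text does; the Check Text's combined condition is the narrower case where all three fail at once, and a device that fails any one of them should still be remediated.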