Samsung Android 16 must disable the ability of the user to wipe the device.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-276648 | PP-MDF-993300 | KNOX-16-011000 | SV-276648r1139776_rule | 2025-09-22 | 1 |
**Description**

This feature must be disabled in order to comply with DOD electronic records retention requirements for mobile devices. Otherwise, mobile device users could wipe the device, which would violate DOD policy.

SFR ID: FMT_MOF_EXT.1.2 #47
**ℹ️ Check**

Review configuration settings to confirm the user is unable to perform a factory reset and the admin has the ability to inject a recovery account on the device to unlock Factory Reset Protection (FRP).

This check procedure is performed on the device management tool and the Samsung Android 16 device.

On the MDM console, verify the factory reset configuration (COBO/COPE procedures):

1. Open user restrictions.
2. Verify that "Disallow Factory Reset" is enabled.

Verify the factory reset protection policy configuration:

1. From the Android Enterprise policy management, go to the Factory Reset Protection section.
2. Verify "Factory Reset Protection" is set to "Allow/Enabled".
3. Verify the correct Google Account ID(s) are listed as allowed to unlock the FRP.

On the managed Samsung Android 16 device, verify the factory reset configuration (COBO/COPE):

1. Open Settings >> General management >> Reset.
2. Tap the "Factory data reset" option.
3. Verify the "Action not allowed" pop-up appears and that the factory data reset does not proceed.

If the Android device user is able to perform a factory reset, or the admin cannot unlock the Android phone after an FRP event, this is a finding.
**✔️ Fix**

Configure the Samsung Android 16 device to disable the ability of the user to wipe the Android device. In addition, enable the admin to inject a recovery account on the device so they can unlock FRP.

On the MDM console, do the following.

COBO/COPE procedures, disallow factory reset:

1. Open user restrictions.
2. Enable "Disallow Factory Reset".

COBO/COPE procedures, set factory reset protection policy:

1. Select Device owner management >> Set factory reset protection.
2. From the "Accounts" section, go to Add Account >> Enter recovery account, then press "Ok".
3. From the "Enabled" section, select "Enabled" to enable the factory reset protection policy.
4. Press "Save" to confirm all changes.

API: addUserRestriction with DISALLOW_FACTORY_RESET, and setFactoryResetProtectionPolicy.
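As an added illustration (not part of the STIG, nor Samsung's or any MDM vendor's code), the same Fix and Check carried out directly from a device-owner app with the public Android Enterprise APIs the Fix names. It assumes the app already holds device owner, and the recovery account ID is a labelled placeholder.

```java
// Added example: apply and audit KNOX-16-011000 from a device-owner app.
// Assumes the calling app is already device owner on the Samsung Android 16 device.
import android.app.admin.DevicePolicyManager;
import android.app.admin.FactoryResetProtectionPolicy;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class FactoryResetLockdown {
    // Constructed placeholder: replace with the real Google Account ID(s) the
    // organization uses to unlock FRP after a reset (an account ID, not an e-mail).
    static final List<String> RECOVERY_ACCOUNT_IDS =
            Arrays.asList("RECOVERY_ACCOUNT_ID_PLACEHOLDER");

    /** Applies the Fix: the user cannot wipe the device, the admin can unlock FRP. */
    public static void apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        // "Disallow Factory Reset": Settings >> Reset now shows "Action not allowed".
        dpm.addUserRestriction(admin, UserManager.DISALLOW_FACTORY_RESET);
        // "Set factory reset protection": only the listed accounts can unlock FRP.
        FactoryResetProtectionPolicy frp = new FactoryResetProtectionPolicy.Builder()
                .setFactoryResetProtectionAccounts(RECOVERY_ACCOUNT_IDS)
                .setFactoryResetProtectionEnabled(true)
                .build();
        dpm.setFactoryResetProtectionPolicy(admin, frp);
    }

    /** Mirrors the Check: returns the findings, empty when the device is compliant. */
    public static List<String> audit(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        List<String> findings = new ArrayList<>();
        if (!dpm.getUserRestrictions(admin).getBoolean(UserManager.DISALLOW_FACTORY_RESET)) {
            findings.add("DISALLOW_FACTORY_RESET not set: user can perform a factory reset");
        }
        // getFactoryResetProtectionPolicy returns null when no policy has been set.
        FactoryResetProtectionPolicy frp = dpm.getFactoryResetProtectionPolicy(admin);
        if (frp == null || !frp.isFactoryResetProtectionEnabled()) {
            findings.add("Factory Reset Protection policy missing or disabled");
        } else if (!frp.getFactoryResetProtectionAccounts().containsAll(RECOVERY_ACCOUNT_IDS)) {
            findings.add("FRP policy does not list the approved recovery account(s)");
        }
        return findings;
    }
}
```

setFactoryResetProtectionPolicy throws on devices that do not support FRP and when the caller is not device owner, so production code should catch those and report them as a finding rather than silently continue.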