Common Criteria Mode for corporate-owned Android Enterprise devices

This week something completely different compared to the last few weeks. While the last last few weeks were all about the great simplicity of Windows 365 Enterprise, this week is all about Android Enterprise. Different platform, theoretically possibly the same device. With the introduction of Android 11 (API level 30), some nice new features were introduced for enterprises. That includes the addition of the Common Criteria (CC) Mode. CC Mode already exists for a few years for Samsung Knox devices and – in combination with Microsoft Intune – already could be configured by using OEMConfig (with the KSP app), but is now available by default within Android Enterprise. Even better, with one of the latest service releases (2207) of Microsoft Intune that can now be configured on all corporate-owned Android Enterprise devices.

Note: Previously, CC Mode only existed as a platform restriction for Samsung Knox devices (via OEMConfig).

Introducing Common Criteria Mode for Android Enterprise devices

When looking at CC Mode, the feature is designed to simplify the task of correctly configuring a device to be compliant with the Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) specific requirements. Common Criteria, also known as Common Criteria for Information Technology Security Evaluation, is an international standard for defining security standards for IT products and for evaluating vendor compliance with these standards. Starting with Android 11, organizations can use Android Enterprise to enable this specific mode for corporate-owned devices. When devices receive a policy with this mode enabled, it will elevate security components that include but are not limited to:

  • Bluetooth Long Term Keys are integrity-protected with AES-GCM
  • Wi-Fi configuration stores are integrity-protected with AES-GCM
  • Bootloader download mode is blocked
  • Additional key zeroization mandated on key deletion
  • Non-authenticated Bluetooth connections are prevented
  • FOTA updates are required to have 2048-bit RSA-PSS signature 

Note: Keep in mind that removing CC Mode might require Wi-Fi profiles to be recreated for usage.

Configuring Common Criteria Mode for Android Enterprise devices

When looking at configuring CC Mode, the steps are actually pretty straight forward. With one of the latest service releases (2207) of Microsoft Intune, the ability to enable CC Mode was introduced in the device restrictions profile. Enabling CC Mode on corporate-owned Android Enterprise devices can be achieved by going through the eight steps below.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices > AndroidConfiguration profiles
  2. On the Android | Configuration profiles page, click Create profile
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select Android Enterprise to select the platform that can enable CC Mode
  • Profile type: Select Device restrictions to select the profile type that contains the setting to enable CC Mode
  1. On the Basics page, provide a valid name for the device restrictions profile and click Next
  2. On the Configuration settings page, as shown below in Figure 1, configure at least the following setting and click Next
  • System security
    • Common Criteria mode: Select Require to enable CC Mode on the device
  1. On the Scope tags page, add any required scope tags and click Next
  2. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  3. On the Review + create page, verify the configuration and click Create

Note: Keep in mind that these steps walk through the minimal required steps to configure CC Mode.

Verifying the configuration of Common Criteria Mode on Android Enterprise devices

When looking at verifying the configuration of the CC Mode on corporate-owned Android Enterprise devices, the easiest method is to verify the applied configuration. That can be achieved by looking at the configuration results in the Microsoft Endpoint Manager admin center portal, or by simply looking at the configuration results locally on the device. The latter option provides the most concrete and direct information.

On corporate-owned Android Enterprise devices that information can be retrieved by looking at the Android Device Policy app. On Android 12, navigate to Settings > Biometrics and security > Work policy info (or Settings > Google > Device Policy) to open the app. Enable Debug items, to view the applied policies, by navigating to Device info your IT admin can see and tap multiple times on Model. Now go back to Policies that affect your device and enable View policies to get an overview of the applied configuration on the device.

The applied configuration of the CC Mode can be found as a property of the advancedSecurityOverrides (as shown on the right in Figure 2). Look for the commonCriteriaMode property and that should have the value of COMMON_CRITERIA_MODE_ENABLED.

More information

For more information about Common Criteria Mode on Android Enterprise devices, refer to the following docs.

3 thoughts on “Common Criteria Mode for corporate-owned Android Enterprise devices”

  1. Hell yeah! Even if i wasn’t interested in the CC-Mode, i finally found the place to see which settings applied on-device. :—D
    Thank you very much for this! (And many other of your articles!)


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.