Google Android 15 must be configured to enforce a password for Wi-Fi and Bluetooth hotspot, if approved for use by the authorizing official (AO). If not approved for use, Wi-Fi and Bluetooth hotspot must be disabled.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-267549	PP-MDF-993300	GOOG-15-009950	SV-267549r1031832_rule	2024-12-05	1

Description
Wi-Fi and Bluetooth hotspot use may increase the risk for exposing sensitive DOD data for some use cases, therefore it should be disabled unless approved by the AO. When a DOD mobile phone is used as a Wi-Fi or Bluetooth hotspot, a hotspot password must be enabled, otherwise unauthorized devices could connect to the DOD hotspot which may increase the risk of exposure of sensitive DOD data and/or a performance degradation of the DOD mobile phone. SFRID: FMT_SMF_EXT.1.1 / WLAN #3

Description

Wi-Fi and Bluetooth hotspot use may increase the risk for exposing sensitive DOD data for some use cases, therefore it should be disabled unless approved by the AO. When a DOD mobile phone is used as a Wi-Fi or Bluetooth hotspot, a hotspot password must be enabled, otherwise unauthorized devices could connect to the DOD hotspot which may increase the risk of exposure of sensitive DOD data and/or a performance degradation of the DOD mobile phone. SFRID: FMT_SMF_EXT.1.1 / WLAN #3

ℹ️ Check
Review device configuration, user training, and determine if the AO has approved hotspot use. If the AO has not approved hotspot use, verify hotspot use has been disabled: On the EMM console: COBO: 1. Open "Set user restrictions". 2. Verify "Disallow config tethering" is toggled to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". On the managed Google Android 15 device: COBO and COPE: 1. Go to Settings >> Network & Internet. 2. Verify "Hotspot & tethering" is "Controlled by admin". 3. Verify that tapping "Hotspot & tethering" provides a prompt to the user specifying "Action not allowed". If on the managed Google Android 15 device "Hotspot & tethering" is enabled, this is a finding. If hotspot use has been approved, verify the user has been trained to use the default hotspot password. See GOOG-15-009800 for procedure. If users are not trained to use the default hotspot password, this is a finding.

ℹ️ Check

Review device configuration, user training, and determine if the AO has approved hotspot use. If the AO has not approved hotspot use, verify hotspot use has been disabled: On the EMM console: COBO: 1. Open "Set user restrictions". 2. Verify "Disallow config tethering" is toggled to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". On the managed Google Android 15 device: COBO and COPE: 1. Go to Settings >> Network & Internet. 2. Verify "Hotspot & tethering" is "Controlled by admin". 3. Verify that tapping "Hotspot & tethering" provides a prompt to the user specifying "Action not allowed". If on the managed Google Android 15 device "Hotspot & tethering" is enabled, this is a finding. If hotspot use has been approved, verify the user has been trained to use the default hotspot password. See GOOG-15-009800 for procedure. If users are not trained to use the default hotspot password, this is a finding.

✔️ Fix
Disable hotspot functions on the DOD phone if not approved by the AO. On the EMM console: COBO: 1. Open "Set user restrictions". 2. Toggle "Disallow config tethering" to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". If the use of Wi-Fi and Bluetooth hotspots has been approved by the AO, train the user to not change the default hotspot password (see GOOG-15-009800). By default, when Wi-Fi Hotspot is enabled, a 15-character complex password is automatically configured for the hotspot.

✔️ Fix

Disable hotspot functions on the DOD phone if not approved by the AO. On the EMM console: COBO: 1. Open "Set user restrictions". 2. Toggle "Disallow config tethering" to "ON". COPE: 1. Open "Set user restrictions on parent". 2. Toggle "Disallow config tethering" to "ON". If the use of Wi-Fi and Bluetooth hotspots has been approved by the AO, train the user to not change the default hotspot password (see GOOG-15-009800). By default, when Wi-Fi Hotspot is enabled, a 15-character complex password is automatically configured for the hotspot.