Security notice regarding storage and search behavior for PII

Last updated October 7th, 2024

Categories:

Environment

Samsung Knox solutions and services

Overview

Starting with the Knox cloud services 23.12 release, the Samsung Knox Team implemented a critical data-at-rest security update related to personally-identifiable information (PII) stored on Knox infrastructure.

PII receives an additional layer of encryption in compliance with internal security policies at Samsung, which dictate a higher security standard than those required by legislation across our various global markets. With this new encryption layer, the attack surface of your business and end user PII is further minimized.

The corresponding security changes impact Knox cloud services’ search operations on the central Administrators & Roles page, and on individual services’ Users, Groups, Devices, History, and Activity log pages.

For details on the impacts on search behavior for each service, refer to Per-service search behavior limitations.

Impact

The following database fields, which are treated as containing PII, are affected:

Personal name
Email
Phone number

All other fields are unaffected.

The impacts are as follows:

To search for any of these fields, you must enter the entire identifier. In other words, partial searching is no longer supported. Partial searching means searching for incomplete segments, or sub-strings, of a field. For example, before you could search for all admins with the term Al to retrieve all first names that started with those two letters, such as Ali, Alex, and Alexandra. For another example, if prior to 23.12 you searched by email domain to return all accounts of a particular division, such as @support.example.com to return both alex@support.example.com and ali@support.example.com, you must now search by their complete addresses instead.
Sorting the search results for these fields is no longer supported.

Per-service search behavior limitations

Consult the following table for a breakdown of the search behavior for PII across Knox services.

The Samsung Knox team plans to continue implementing additional modifications to search behavior in other interfaces and Knox services. The table below will be updated to reflect these changes as they are deployed.

Affected service	Affected areas	Search behavior
Knox Admin Portal	Administrators & Roles > Administrators Activity log	Searching for partial email addresses and partial personal names is unsupported.
Knox Manage	Device User Group > Add Group > All Users/Devices History > Email & SMS History Setting > Android > Limited Enrollment	The first and last name are a single joined string. To search for a name, you must search for the full name, including the space between first and last names. Searching for email addresses and personal names is case-sensitive. Searching for partial email addresses, partial personal names, and partial phone numbers is unsupported.
Knox Remote Support	Devices History Activity log	Searching for partial email addresses and partial phone numbers is unsupported.
Knox Guard	Administrators and Roles > Administrators Activity log	The first and last name are a single joined string. To search for a name, you must search for the full name, including the space between first and last names. Searching for partial email addresses and partial personal names is unsupported.
Knox Reseller Portal	Administrators & Roles > Administrators Activity log	The first and last name are a single joined string. To search for a name, you must search for the full name, including the space between first and last names. Searching for partial email addresses and partial personal names is unsupported.
Knox MSP Portal	Administrators Activity log	The first and last name are a single joined string. To search for a name, you must search for the full name, including the space between first and last names. Searching for partial email addresses and partial personal names is unsupported.

Ongoing support

If your enterprise needs help with these changes to functionality, please submit a support ticket.