This section provides information on how to protect data using Knox Platform for Enterprise. Note that this is not an exhaustive list of all Knox features, but rather a starting point for IT Admins to use when deploying devices. Check with your MDM for a full list of supported features.
Device users typically want their personal data and work data on one device. This presents a challenge for enterprises, which need to ensure that:
- Work data is fully protected, and
- They do not run into any liability issues by accidentally interfering with a user’s personal data
is an app container that provides enterprises with a solution to securely isolate personal and work data on one device with granular management policies.
Dual DAR encryption allows enterprises to secure their work data with two layers of encryption, so the data stays protected even while the device is powered off or no user has authenticated. With single-layer encryption, a flaw in that one implementation can become a single point of failure.
Sensitive Data Protection (SDP)
Sensitive Data Protection is a feature that enables companies to meet the necessary data security requirements to work with government agencies. See the Knox White paper for more information on how it works.
- A sub-contractor bidding for a government contract discovers that they need to comply with MDFPP.
- The sub-contractor chooses to use Samsung Knox devices, which are certified MDFPP-compliant.
- An IT admin uses:
  - The Samsung Email app to protect emails with SDP by default.
  - Knox Chamber to protect confidential documents with SDP.
SDP automatic encryption
SDP handles incoming sensitive data, such as emails and notifications, ensuring it is immediately encrypted and not accessible until the user is authenticated. The native email app pre-installed on Samsung devices automatically uses SDP to protect email bodies and attachments when deployed inside the . For performance reasons, the email header (including the subject and sender) is not encrypted.
Chamber is a unique feature available on Samsung devices running Knox Platform for Enterprise. Files placed in this folder are automatically protected by Samsung's Sensitive Data Protection feature. You can access Chamber under Settings > My Files > Internal Storage > Chamber.
SDP app integration
Knox SDP can also be used by app developers to protect individual files, databases, and any other sensitive enterprise data. Adding these features requires a developer to work specifically on your solution. See the Knox SDK on SEAP for more details.
Encrypting data that is stored on a mobile device is a basic security measure. Samsung Galaxy phones since the S7 have provided full-device encryption as a default feature out of the box. You do not have to change any settings on your devices as long as they are running Android 7 or later.
Check for devices protected by Full Disk Encryption
Use an MDM console to audit devices and confirm that they are running a version of Android that supports Full Disk Encryption. After you identify which devices are not running Android 7 or later, you can upgrade them or purchase new devices. For example, the Knox Manage dashboard shows how many devices are running each Android release; further investigation shows the specific OS version.
Force SD card encryption
IT admins can force users using SD cards to turn on encryption.
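As an added example (not Samsung's or any MDM vendor's code), the following script runs the two checks described above over a device inventory: it flags devices below the Android 7 threshold the page gives for default Full Disk Encryption, devices whose version cannot be determined, and devices with an SD card present but not encrypted. The export format, column names and sample rows are assumptions; a real MDM export uses its own schema.

```python
"""Hypothetical compliance audit over an MDM device export (added example)."""
import csv
import io
from typing import Dict, List, Optional

# Constructed sample export, not real device data. Column names are assumed.
SAMPLE_EXPORT = """\
device_id,os_version,sd_card_present,sd_card_encrypted
D-001,Android 10,no,n/a
D-002,7.0,yes,yes
D-003,6.0.1,no,n/a
D-004,8.1,yes,no
D-005,,no,n/a
"""

# Per the page: FDE is on by default from Android 7 onward.
FDE_MIN_MAJOR = 7


def parse_major(version: str) -> Optional[int]:
    """Extract the Android major version from strings like '7.0' or 'Android 10'.

    Returns None when no numeric version is present, so the caller can treat
    an unknown version as "cannot confirm encryption" rather than compliant.
    """
    cleaned = "".join(ch if ch.isdigit() or ch == "." else " " for ch in version)
    tokens = cleaned.split()
    if not tokens:
        return None
    try:
        return int(tokens[0].split(".")[0])
    except ValueError:
        return None


def audit(export_text: str) -> Dict[str, List[str]]:
    """Return device IDs grouped by the action the admin needs to take."""
    findings: Dict[str, List[str]] = {
        "unknown_version": [],      # version missing or unparsable
        "needs_upgrade": [],        # below Android 7: FDE not guaranteed
        "sd_card_unencrypted": [],  # SD card present, encryption not confirmed
    }
    for row in csv.DictReader(io.StringIO(export_text)):
        major = parse_major(row["os_version"])
        if major is None:
            findings["unknown_version"].append(row["device_id"])
        elif major < FDE_MIN_MAJOR:
            findings["needs_upgrade"].append(row["device_id"])
        if row["sd_card_present"] == "yes" and row["sd_card_encrypted"] != "yes":
            findings["sd_card_unencrypted"].append(row["device_id"])
    return findings
```

Devices in `unknown_version` should be treated as non-compliant until their OS version is confirmed, since the check cannot establish that FDE is active.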
Compromised OS detected
The following policy determines what action to take if an unauthorized OS is detected. This helps keep data inaccessible, even if a device goes missing.
- Lock Device / Lock the screen – Only IT Admins can unlock the screen.
- Lock Email – Lock the email.
- Factory Reset + SD Card Initialization – Factory reset is performed on the device and the SD card is initialized.
- Factory Reset (Only) – Factory reset is performed on the device but the SD card is not initialized.
Control factory reset
One important policy to consider is controlling a user's ability to perform a factory reset. Preventing a factory reset helps mitigate the loss of data due to accidental misuse or malicious attempts to remove the device administrator.
Remote data wipe
Remote data wipe is a standard command in almost every MDM. It should be used when devices go missing, are decommissioned, or are repurposed for another employee. Samsung devices use embedded Multi-Media Controller (eMMC) chips with an embedded controller in all models. Read more about how this helps your enterprise deployment.
Multi-factor authentication
Multi-factor authentication provides stronger security by requiring several forms of identity. Enterprises can mandate multi-factor authentication to unlock both a device as well as a secure container on the device. Each extra layer of authentication lowers the chance of unauthorized access to confidential assets.
Here's an example of how authentication policies can be paired with a second factor.
- A government agency mandates two-factor authentication to access its internal websites.
- A policy advisor selects two forms of authentication: Smart Card to identify the person accessing the websites, and fingerprint in the event a card is stolen.
- An IT admin uses an MDM console to define this policy for its mobile devices, issuing Bluetooth Smart Card readers to mobile device users and identifying the browser apps and web domains that require this authentication.
- When employees use a mobile device to access an internal website, they insert their Smart Card into their Bluetooth reader, then authenticate with their fingerprint on the device.