Run-time protection

This section provides information on managing run-time protection processes embedded in the Knox Platform for Enterprise. Note that this is not an exhaustive list of all Knox features, but rather a starting point for IT Admins to use when deploying devices. Check with your MDM for a full list of supported features.

Platform integrated security

Knox helps keep your data safe with a series of secure boot-time protection process.

After booting, various run-time protections continue to monitor devices.

  • Periodic Kernel Measurements (PKM)
  • Real-time Kernel Measurement (RKP)
  • Kernel credential protection
  • Return Oriented programing (ROP)
  • DM-Verity

IT admins do not have to manage any specific settings regarding these processes. These features are built into the device hardware and software in the factory. For security reasons, they cannot be modified with an MDM or any equivalent management policies.

However, take note of the following topics below. These can help you manage the software on your devices and ensure boot and run-time process operate properly.

Control firmware updates

Samsung E-FOTA

Samsung Enterprise Firmware-Over-The-Air is an enterprise solution that controls OS versions on Samsung mobile devices to maximize cost efficiency and to ensure the latest security patches are deployed to devices on schedule. IT admins can test updates before deployment, ensuring compatibility between in-house apps and new OS versions. Check if your MDM supports E-FOTA. Read more about device software update management in the Knox White Paper.

NOTE – Samsung E-FOTA requires a separate license key.

In this example below, we are using E-FOTA and Knox Manage to push the Android 7.1.1 firmware to our device fleet. Notice how we have selected Force as the Firmware update type. This option prevents the user from canceling the update.

Firmware update policies

With policies you can protect your devices from unintended firmware updates. Here are some options.

  1. Only allow Firmware Over the Air (FOTA) updates on the device. When this policy is activated other methods for installing updates (such as ODIN or Samsung KIES) are blocked and cannot be used to update the firmware. This provides insurance against local, physical attacks that could change the software unknowingly.
  2. Control access to the firmware download mode that can be accessed using the hardware key.

  3. Block FOTA updates on a device by turning off OTA upgrades. This can be used either to freeze the software installed or to allow an organization time to test the update before letting it roll out to the user community.

Android Security Update Policy

You can specify whether the Android security policy is updated automatically or by only by user input.

  • Allow – Allow users to use the Update Now or the Automatic Update functions related to the security policy.
  • Disallow – Prohibit users from using the Update Now or Automatic Update functions related to the security policy update.
  • Forced – A forced security update to the device is pushed to the device.

Block additional Device Administrators

Modifying this setting prevents the installation of any additional Device Administrator apps, such as another MDM agent. It also prevents users from accidentally granting apps the Device Administrator status. Malicious apps often subtly guide users, through social engineering and a series of confusing screens, to grant extra permissions and control over device without explicit consent.

Device Health Attestation

Admins use Device Health Attestation to check if a mobile device's runtime state has been compromised. A device check is initiated by either:

  • An enterprise IT admin using an MDM console.
  • A web script executing a regularly scheduled check.

There are several actions you can take if a problem is detected.

  • N/A – No action is taken.
  • Lock Knox Container – Previously created Knox Workplaces are locked.
  • Delete Knox Container – Previously created Knox Workplaces are deleted.
  • Screen Lock Device is locked.
  • Factory Reset + SD Card Initialization Factory reset is performed on the device and the SD card is initialized.
  • Factory Reset Factory reset is performed on the device but the SD card is not initialized.

For example, here are the above options avaialble in Knox Manage.

Device status

Most MDM's allow you to check devices to ensure they remain in compliance according to your company polices. For example, Knox Manage allows you to check many features such as when a policy was last pushed or if a Knox container is currently active.

Audit log

You can enable or disable logs used for a deeper, forensic analysis of a device. Audit Log also provides additional features to manage logging, such as enabling, disabling and getting log size and file.

Each message will appear as a line on the log file like the following example:

1424494060432 5/4/1/3938/0/NetdCallbackReceiver/Linkstate Wi-Fi hotspot


  • 1424494060432 - Timestamp of the event occurrence. In order to preserve log coherence, administrator may block manual time changing. For more information, please see DateTimePolicy.
  • 5 - Severity.
  • 4 - Module group.
  • 1 - Outcome. 1 for success and 0 for failure.
  • 3938 - Process ID (PID) that triggered the event.
  • 0 - User ID that triggered the event.
  • NetdCallbackReceiver - Software component where the event occurred.
  • Linkstate Wi-Fi hotspot - Complementary log information.

App permission monitor

App Permission Monitor is a feature that provides device users with alerts when apps attempt to access a predefined permission while in background mode. This can be used inside and outside of the Work profile. End users can now receive alerts specific to when apps attempt to access predefined permissions in the Work profile.

The following features are available for IT admins:

  • Enable and disable access to App Permission Monitor – Depending on the enterprise’s policies and the use case for specific solutions, Admins can enable or disable access to this feature.
  • Add or Remove specific apps from the App Permission monitor list – Provides Admins with the ability to ensure that certain apps are being monitored.
  • Data collection – Collect location info, foreground + background app info and statistics on data that may have leaked via hidden background permissions.
  • Force stop background app – Stop background apps that may be leaking data.

Warranty bit

NOTE— To take advantage of all the latest Knox features, we strongly recommend that you use Android Enterprise work profiles as secure app containers. Knox Workspace containers were deprecated with Knox 3.4.1 on Android 10, which debuted with the Note 10. However, older devices like the S10 that are upgraded to Knox 3.4.1 or higher still support the Knox Workspace containers until EOL.

The Samsung Knox warranty bit is a security feature that detects when unofficial software has been installed on your phone. This helps prevent malicious attempts from accessing your data.  

The Knox Warranty Bit detects if a non-Knox kernel has been loaded onto the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. triggered). If a non-Knox boot loader or kernel is installed on the device, Knox can no longer guarantee the security of the Knox Workspace. As a result, the Warranty Bit is triggered to 0X1, indicating that this device can no longer use the Knox Workspace service.

If the Knox bit has been triggered:

  • A new Knox Workspace can no longer be created on such a device
  • The data encrypted and stored in an existing Knox Workspace can no longer be retrieved

Everything else outside the Workspace should be the same as before.

To know whether the Warranty Bit has been activated, please follow the next steps:

  1. Power off your device.
  2. Once off, simultaneously press the volume down, home, and power button.
  3. When warning screen is displayed, press the volume up button.
  4. The Warranty Bit status is displayed in upper left hand corner.

If the Warranty Bit is fired, the device displays Knox WARRANTY VOID: 0x01.

If that is the case, there is no way to revert the Warranty Bit and Knox won't work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.

Knox version

To find out what version of the Knox platform your device is running, go to: Settings > About Device > Software Information > Knox Version. To identify the SDK version that corresponds with the Knox API Level of your target devices, see the Knox version mapping table on SEAP.

Further reading

Use these Samsung Insights posts to learn more about the securing mobile devices.