Run-time protection

This section provides information on managing run-time protection processes embedded in the Knox Platform for Enterprise. Note that this is not an exhaustive list of all Knox features, but rather a starting point for IT Admins to use when deploying devices. Check with your MDM for a full list of supported features.

Platform integrated security

Knox helps keep your data safe with a series of secure boot-time protection processes.

After booting, various run-time protections continue to monitor devices.

IT admins do not have to manage any specific settings regarding these processes. These features are built into the device hardware and software in the factory. For security reasons, they cannot be modified with an MDM or any equivalent management policies.

However, take note of the following topics. They can help you manage the software on your devices and ensure that the boot and run-time processes operate properly.

Control firmware updates

Samsung E-FOTA

Samsung Enterprise Firmware-Over-The-Air is an enterprise solution that controls OS versions on Samsung mobile devices to maximize cost efficiency and to ensure the latest security patches are deployed to devices on schedule. IT admins can test updates before deployment, ensuring compatibility between in-house apps and new OS versions. Check if your MDM supports E-FOTA. Read more about device software update management in the Knox White Paper.

NOTE – Samsung E-FOTA requires a separate license key.

In the example below, we use E-FOTA and Knox Manage to push the Android 7.1.1 firmware to our device fleet. Notice that we have selected Force as the Firmware update type. This option prevents the user from canceling the update.

Firmware update policies

With policies you can protect your devices from unintended firmware updates. Here are some options.

  1. Only allow Firmware Over the Air (FOTA) updates on the device. When this policy is activated, other methods for installing updates (such as ODIN or Samsung KIES) are blocked and cannot be used to update the firmware. This provides insurance against local, physical attacks that could change the software without the user's knowledge.
  2. Control access to the firmware download mode that can be accessed using the hardware keys.
  3. Block FOTA updates on a device by turning off OTA upgrades. This can be used either to freeze the installed software or to give an organization time to test the update before letting it roll out to the user community.

Android Security Update Policy

You can specify whether the Android security policy is updated automatically or only by user input.

Block additional Device Administrators

Modifying this setting prevents the installation of any additional Device Administrator apps, such as another MDM agent. It also prevents users from accidentally granting apps Device Administrator status. Malicious apps often subtly guide users, through social engineering and a series of confusing screens, to grant extra permissions and control over the device without explicit consent.

Device Health Attestation

Admins use Device Health Attestation to check if a mobile device's runtime state has been compromised. A device check is initiated by either:

There are several actions you can take if a problem is detected.

For example, here are the above options available in Knox Manage.

Device status

Most MDMs allow you to check devices to ensure they remain in compliance with your company policies. For example, Knox Manage allows you to check many features, such as when a policy was last pushed or whether a Knox container is currently active.

Audit log

You can enable or disable logs used for deeper, forensic analysis of a device. Audit Log also provides additional features to manage logging, such as enabling or disabling logging and retrieving the log size and log file.

Each message will appear as a line on the log file like the following example:

1424494060432 5/4/1/3938/0/NetdCallbackReceiver/Linkstate Wi-Fi hotspot

Where
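As an added example (not Samsung's or the Knox SDK's code), here is a parser for lines in the layout shown above, with a small helper that counts events per component over a constructed log. The names it gives the six slash-separated header fields (severity, group, outcome, pid, uid, component) are assumptions about the format, as are the two extra sample lines.

```python
"""Parse Knox audit log lines in the layout shown above (added example).

Assumption: the slash-separated header holds severity/group/outcome/pid/uid/
component, followed by a free-text message; the page does not label these.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    timestamp: datetime   # first token: epoch milliseconds, rendered as UTC
    severity: int         # header field 1 (assumed meaning)
    group: int            # header field 2 (assumed meaning)
    outcome: int          # header field 3 (assumed meaning)
    pid: int              # header field 4 (assumed meaning)
    uid: int              # header field 5 (assumed meaning)
    component: str        # header field 6 (assumed meaning)
    message: str          # free text after the sixth slash


def parse_audit_line(line: str) -> AuditEvent:
    """Split one line into its timestamp, six header fields and message."""
    ts_text, _, rest = line.strip().partition(" ")
    # The message may itself contain slashes, so split at most six times.
    fields = rest.split("/", 6)
    if len(fields) != 7 or not ts_text.isdigit():
        raise ValueError(f"not a Knox audit log line: {line!r}")
    ts = datetime.fromtimestamp(int(ts_text) / 1000, tz=timezone.utc)
    sev, grp, out, pid, uid, comp, msg = fields
    return AuditEvent(ts, int(sev), int(grp), int(out), int(pid), int(uid), comp, msg)


def events_per_component(lines) -> Counter:
    """Count events by originating component; malformed lines are tallied separately."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            counts[parse_audit_line(line).component] += 1
        except ValueError:
            counts["<unparsed>"] += 1
    return counts


# Constructed sample: the page's line plus two made-up lines in the same layout.
SAMPLE_LOG = """\
1424494060432 5/4/1/3938/0/NetdCallbackReceiver/Linkstate Wi-Fi hotspot
1424494061000 5/4/1/3938/0/NetdCallbackReceiver/Linkstate Wi-Fi off
1424494062000 1/1/0/2210/1000/PackageInstaller/Install denied: /data/app/x.apk
"""

if __name__ == "__main__":
    first = parse_audit_line(SAMPLE_LOG.splitlines()[0])
    print(first.timestamp.isoformat(), first.component, first.message)
    print(events_per_component(SAMPLE_LOG.splitlines()))
```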

App permission monitor

App Permission Monitor is a feature that provides device users with alerts when apps attempt to access a predefined permission while in background mode. This can be used inside and outside of the . End users can now receive alerts specific to when apps attempt to access predefined permissions in the .

The following features are available for IT admins:

Warranty bit

The Samsung Knox warranty bit is a security feature that detects when unofficial software has been installed on your phone. This helps prevent malicious attempts to access your data.

The Knox Warranty Bit detects if a non-Knox kernel has been loaded onto the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. triggered). If a non-Knox boot loader or kernel is installed on the device, Knox can no longer guarantee the security of the Knox Workspace. As a result, the Warranty Bit is triggered to 0X1, indicating that this device can no longer use the Knox Workspace service.

If the Knox bit has been triggered:

Everything else outside the Workspace should be the same as before.

To know whether the Warranty Bit has been activated, please follow the next steps:

  1. Power off your device.
  2. Once off, simultaneously press the volume down, home, and power button.
  3. When the warning screen is displayed, press the volume up button.
  4. The Warranty Bit status is displayed in the upper-left corner.

If the Warranty Bit is fired, the device displays Knox WARRANTY VOID: 0x01.

If that is the case, there is no way to revert the Warranty Bit and Knox won't work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.

Knox version

To find out what version of the Knox platform your device is running, go to: Settings > About Device > Software Information > Knox Version. To identify the SDK version that corresponds with the Knox API Level of your target devices, see the Knox version mapping table on SEAP.

Further reading

Use these Samsung Insights posts to learn more about securing mobile devices.