Action when apps are compromised
Knox can identify whether an app on a device has been compromised. If it detects that an app on the device differs from the one that was loaded through your MDM, the following actions can be taken:
- Stop app from running – Prevents the app from being launched on the device.
- Uninstall – Uninstalls the app from the device.
- Lock Device – Lock the device screen. Only IT administrators can unlock the device screen.
- Report Compliance – Send a message to the IT admin that a compromised app has been detected.
- Factory Reset + SD Card Initialization – Factory reset is performed on the device and the SD card is initialized.
- Factory Reset (Only) – Factory reset is performed on the device but the SD card is not initialized.
For example, these are the options you can choose if you are using Knox Manage.
Whitelist / blacklist apps
Knox can control how apps work on your phone. You can prevent a user from installing or launching apps using the whitelist and blacklist.
App blacklist settings:
- Installation Blacklist – Apps on the list cannot be installed and are removed if already installed.
- Launch Blacklist – Apps on the list can be installed, but the app icon is not displayed, so the user cannot tap it.
- Launch Prevention List – Apps on the list can be installed but the app is not launched even when the user taps on the app icon.
App whitelist settings:
- App Installation Whitelist – Preloaded apps and apps deployed via MDM are internally included on the whitelist. Apps not included on the whitelist are removed if already installed.
- Launch Whitelist – Preloaded apps and apps deployed via MDM are internally included on the whitelist.
- Uninstall Prevention List – Apps on the list cannot be removed from the device.
For example, the configuration in the screenshot below:
- Automatically uninstalls Chrome (because it is included on the blacklist).
- Prevents the S browser from being installed.
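The list semantics above can be checked against a device's app inventory before a policy is pushed. The following is an added example, not Knox or Knox Manage code: AppPolicy, can_install, evaluate and conflicts are hypothetical names, the rule that the installation blacklist overrides any whitelist entry is an assumption, and the screenshot is modelled as both browsers being on the installation blacklist.

```python
from dataclasses import dataclass, field

@dataclass
class AppPolicy:
    """Hypothetical model of the lists above; not a Knox or MDM API."""
    install_blacklist: set = field(default_factory=set)
    install_whitelist: set = field(default_factory=set)   # empty = not in use (assumption)
    implicit_whitelist: set = field(default_factory=set)  # preloaded and MDM-deployed apps
    launch_blacklist: set = field(default_factory=set)
    launch_prevention: set = field(default_factory=set)
    uninstall_prevention: set = field(default_factory=set)

def can_install(policy, pkg):
    """Assumption: the installation blacklist wins over any whitelist entry."""
    if pkg in policy.install_blacklist:
        return False
    if policy.install_whitelist:
        return pkg in policy.install_whitelist | policy.implicit_whitelist
    return True

def evaluate(policy, installed):
    """Map each installed package to the outcome the list descriptions imply."""
    outcome = {}
    for pkg in sorted(installed):
        if not can_install(policy, pkg):
            outcome[pkg] = "removed"          # blacklisted, or missing from an active whitelist
        elif pkg in policy.launch_blacklist:
            outcome[pkg] = "icon hidden"      # installed, but no icon to tap
        elif pkg in policy.launch_prevention:
            outcome[pkg] = "launch blocked"   # icon visible, launch refused
        else:
            outcome[pkg] = "allowed"
    return outcome

def conflicts(policy):
    """Packages an admin has placed on lists that contradict each other."""
    keep = policy.install_whitelist | policy.uninstall_prevention
    return sorted(policy.install_blacklist & keep)

# Constructed sample: Chrome and the S browser are on the installation
# blacklist; only Chrome is installed. com.example.* names are made up.
POLICY = AppPolicy(
    install_blacklist={"com.android.chrome", "com.sec.android.app.sbrowser"},
    launch_prevention={"com.example.game"},
    uninstall_prevention={"com.example.crm", "com.android.chrome"},  # deliberate conflict
)
INSTALLED = {"com.android.chrome", "com.example.game", "com.example.crm"}
```

Running conflicts() before deployment surfaces entries such as Chrome in the sample, which sits on both the installation blacklist and the uninstall prevention list.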
Control Android Browser
Knox can enable or disable the native Android browser. This is useful if you have an internal solution that you require employees to use.
If you allow the Android browser, you can choose to control specific assets if needed. These include the following:
- Autofill - Control the storage of form data.
- Pop-ups - Control the pop-up blocker.
For example, in this screenshot below, the Android browser is allowed with some restrictions.
- Cookies and autofill are not allowed, to ensure sensitive employee information is not saved accidentally.
- The pop-up blocker is enabled. This lowers the chance an employee will click on a malicious pop-up or a phishing attempt.
Managed Google Play
Managed Google Play (formerly called Google Play for Work) lets enterprises use a customized version of the Google Play store that has only apps approved for work.
- Enable Managed Google Play on a device or inside the Android Enterprise work profile container.
- Silently install and uninstall apps.
- Whitelist the apps that are allowed, or blacklist the apps that are not allowed.
- Allow Google Voice apps to use voice recognition in addition to the touchscreen keyboard.
- Allow employees to download apps as needed from Google Play.
- Manage app updates from Google Play.
- A gaming company allows employees to download and try games on corporate issued mobile phones, but wants enterprise apps managing confidential data to be secured on the phones.
- An enterprise IT admin uses an MDM console to push the Managed Google Play store on mobile phones, and whitelists the gaming apps that employees can freely install on their phones.
- To secure corporate data on the phone, the IT admin creates a Work container on each phone, and whitelists only the apps managing confidential data.
- Employees are more productive using a wide range of apps on a mobile device.
- Enterprises have the flexibility to manage many apps in Google Play, using whitelisting and blacklisting to control which apps employees can use.
Control Google Play
Knox allows you to disable Google Play on your devices. This, combined with the policy that disables app installation from unknown sources, helps ensure that only approved apps pushed through an MDM are installed.
In the example below, we prevent users from installing apps from unknown sources and from accessing the Play Store.
App push without Google Play
Knox can push a single app from an app store without requesting the user to install Google Play. In the example below, we are searching through Google Play to push an app to a device.
Push an APK with an MDM policy
You can push any APK to a device using your MDM. In the example below, we add the Samsung messaging app to our internal application repository. This is useful if you have internal apps that you need to install on your devices.