Knox Platform for Enterprise 3.8 release notes

November 2021

Additional Advanced Access Control enhancements

For device users who need security features over and above the standard features of Knox enterprise, this release provides additional Advanced Access Control (AAC) enhancements. These enhancements add additional KPE features and use Continuous Multi-Factor Authentication (CMFA) to automatically log users in to their phone and applications without needing their credentials at each log in.

The framework uses the following factors to test the device’s trust score:

• Face recognition factor that authenticates the user with facial recognition using the front facing camera.

• Device integrity factor that calls the keystore attestation API to obtain integrity information from ICCC TA.

• Touch Dynamics factor that uses commonly used keystroke pattern data to verify that the current user is authorized user of the device and the work profile.

This release focuses on adding the previously mentioned touch dynamics factor. This factor analyzes the digital signatures generated when a human interacts with a device, commonly known as keystroke or typing patterns, to verify that the user typing on the device is the authorized primary user of the device. In cases where the user is determined not to be the primary, authorized user, the Work profile on the device is locked and access to sensitive data is immediately revoked.

For more information on AAC, see Additional Advanced Access Control enhancements.

Peripheral device management

This release provides the partners a new SDK to develop applications for peripheral devices such as barcode scanners. Currently, the SDK supports KOAMTAK USB scanner and BT scanner.

For details, see:

• Peripherals Overview

• How it works

• Tutorial

Deep Settings Customization enhancements

The Deep Settings Customization (DSC) enhancements made with this release close some UI vulnerabilities of device security controls as follows:

• Block gesture options in Kiosk mode — In some use cases, in spite of IT admins blocking the Home key in Kiosk mode, device users could use the Gesture event to exit the Kiosk mode and potentially access sensitive data. With this release, IT admins can enable Kiosk mode as well as disable the Gesture option in Advanced features. The IT admin can now restrict the device user from using the following gestures to exit the Kiosk mode:

  • Short press the Home button.
  • Swipe down from the center of the bottom edge of the screen.

• Support additional sound settings — IT admin can now use KSP to configure the sound options:

  • Enable or disable system sound
  • Make system sounds silent
  • Hide settings menu using

• Disable third-party content menu setting — The in-built Samsung keyboard allowed device users to select the Third-party content menu item on the Samsung keyboard to bypass restrictions on using the Internet on their devices. This release allows IT admins to disable the use of this menu from the Settings > Language and input > On-screen keyboard > Default keyboard > Samsung Keyboard settings > Third-party content.

  If the third-party app is already installed on the device, blocking this option does not disable the current keyboard deep settings. Users can still continue to access the Internet from this option.

• Disable Wi-Fi proxy settings menu — IT admins can now disable the use of the Wi-Fi proxy settings menu to ensure that a blacklisted domain is never accessible once the blacklisting policy is set.

• Restrict sharing of Wi-Fi profiles using QR codes — IT admins can now use KSP to restrict users from sharing Wi-Fi profiles, including login credentials and passwords, with other devices using QR codes.

• Change password settings — IT admins can now use KSP to hide or disable screen lock type menu item. IT admins can also set the screen lock type to None.

• Hide virtual keyboard when an external keyboard is connected — With this release, IT admins can now hide the virtual keyboard that shows up on the device’s screen even when an external keyboard or input device (such as a scanner) is connected to the device.

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities.

Optimize SUW for AER for managed devices

Currently, the setup wizard (SUW) for Android Enterprise Recommended (AER) devices includes options that allow device users to consent to collection of marketing and other data. The collection of these items is not recommended or appropriate for managed devices. To close this gap, the SUW should be changed to disallow data collection. To implement this change, the SUW now includes options that allow the user to consent to data collection, but in case of managed devices, data collection is automatically disabled for the device.

For more information on this feature, see Optimized Setup Wizard for AER (Android Enterprise Recommended).

Separated Apps v2

This release adds additional functionality to the features available with Separated Apps V1. Separated Apps V2 features include items that were either not released with V1 or identified as needing enhancements after V1 was released. V2 includes the following features:

• Improve the Separated Apps user experience — The Separated Apps user experience sees the improvements allowing device users to:

  • Change folder names and color for Separated Apps
  • Select multiple Separated Apps for uninstallation
  • Long-press the Separated Apps app icon to bring up a quick option menu, similar to other apps

• Allow use of biometric methods for Separated Apps — For devices where biometric authentication methods are set up in User0 or for other apps, Separated Apps can now use these registered biometric methods as well.

  Currently, biometric settings for Separated Apps are also controlled by the common Device Settings menu.

• Set remote control and screen capture behavior — IT admins can now control the remote control and screen capture features not only for User0 but also for Separated Apps. Depending upon whether the screen capture and remote control features are activated from within User0 or Separated Apps, the resulting image or media is stored in User0 or Separated Apps storage space.

VPN platform enhancements - Auto Recreation of profile

This release includes VPN enhancements to improve the security of managed devices. For managed devices, the VPN framework tries to recreate the VPN profile configuration and reconnect the VPN connection automatically for any VPN clients installed on managed devices. This automatic reconnection happens in the following two cases:

• A device user clears data intentionally or accidentally

• There is an issue with the VPN client during the create connection process, and the database saving process is not complete, such as during device reboot or VPN client restart

This automatic reconnection feature ensures there is no data leakage for apps that are configured to connect using the VPN profile. In cases where the reconnection effort fails, the VPN framework notifies the EMM client, allowing it to apply security policies such as locking the Work container or the entire device, as well as apply firewall rules and recreate VPN policies.

To read more about this feature, see VPN Platform Enhancement.

Android 12 OS changes

• Password policy modifications — This release improves the password complexity feature to reduce the risk of users forgetting their passwords and needing to factory reset their devices to reset the password. This feature sets device-wide password requirements in the form of predefined complexity buckets, such as High, Medium, Low, and None. If necessary, IT admins can then set stricter password requirements on the work profile’s security challenge.

• Sensor permission restrictions —IT admins can no longer silently grant the permissions to use the location, camera, microphone, body, or physical activity sensor.

• Managed device control enhancements — The following new features are available for company-owned devices:

  • An IT administrator can disable USB, except for charging functions, on company-owned devices. This feature includes the capability to check if this feature is supported on the device and if it is currently enabled.

  • Company-owned devices with a work profile can limit the input methods used in the personal profile to allow only system input methods.