Knox Platform for Enterprise 3.10 release notes

Certificate distribution through ACME protocol

Knox 3.10 adds support for Automated Certificate Management Environment (ACME) as a certificate management protocol.

Using ACME with Knox offers some major benefits compared to other certificate protocol and platform solutions:

• The client’s identity — in this case, a Samsung device — is attested through a hardware-backed asymmetric key pair instead of a shared secret. The private key on the device is never exposed, so if an attacker intercepts the public key during a transaction, they won’t be able to use that information to impersonate the device.
• It eases the deployment of new certificates to a large number of devices by installing them automatically and silently.
• The device user doesn’t need to take any action when a new certificate becomes available, reducing IT overhead and certificate coverage when users are neglectful or uncertain.

Within the Knox implementation of this protocol, Knox acts as the agent between the EMM and the ACME server that acts as a certificate authority (CA) by coordinating the certificate transaction. When a new certificate is published, an IT admin in your enterprise can send a command to your device fleet through your EMM. When a device receives this signal, the built-in Knox framework queries the CA, and correctly identifies and authenticates itself during the initial challenge-response. When the CA is certain that the request and the device are genuine, it sends the certificate to the device, which in turn seamlessly places said certificate into its Android keystore.

For a more technical look at how ACME works within the Knox platform, see the release material for Knox SDK 3.10.

Galaxy AI data processing

The Knox platform now provides you the means to disable data processing in the cloud for Galaxy AI features. When enforced, the AI features will only process data on the device itself. If a feature can’t process data on the device, it’s disabled.

For information on how to manage this setting in Knox Service Plugin, see Data processing for Galaxy AI.

To learn about the implementation details for this control in the Knox SDK, see allowIntelligenceOnlineProcessing().

Force single-window view on Settings app

The Galaxy S23, Flip5, and Fold5 support Multi window, a feature that allows users to multitask with two apps at the same time. By default, the Settings app on these devices opens in this split screen view. The Knox team was made aware by its partners of a potential security vulnerability — some EMM agents can’t monitor and restrict the device user’s actions in the Settings app while it’s in Multi window view.

To cover this security gap, Knox 3.10 now has the capability to force the Settings app into the standard single-screen view.

Audit log enhancements

Knox 3.10 makes the audit log more convenient for developers by consolidating all entries into a single file on the device.

Enhancements to UCM keystore and keyguard

The Knox platform’s Universal Credential Management (UCM) provides a plug-and-play framework to ease the management of credentials across a variety of different storage media. In particular, it provides higher mobile security by supporting the storage and management of major certificates and credentials for embedded devices.

The UCM keystore now supports AES, ECDSA (with NIST and Brainpool curves), and HMAC cipher and signature algorithms.