Back to top

Knox Platform for Enterprise 3.10 release notes

Last updated November 6th, 2023

Certificate distribution through ACME protocol

Knox 3.10 adds support for Automated Certificate Management Environment (ACME) as a certificate management protocol.

Using ACME with Knox offers some major benefits compared to other certificate protocol and platform solutions:

  • The client’s identity — in this case, a Samsung device — is attested through a hardware-backed asymmetric key pair instead of a shared secret. The private key on the device is never exposed, so if an attacker intercepts the public key during a transaction, they won’t be able to use that information to impersonate the device.
  • It eases the deployment of new certificates to a large number of devices by installing them automatically and silently.
  • The device user doesn’t need to take any action when a new certificate becomes available, reducing IT overhead and certificate coverage when users are neglectful or uncertain.

Within the Knox implementation of this protocol, Knox acts as the agent between the EMM and the ACME server that acts as a certificate authority (CA) by coordinating the certificate transaction. When a new certificate is published, an IT admin in your enterprise can send a command to your device fleet through your EMM. When a device receives this signal, the built-in Knox framework queries the CA, and correctly identifies and authenticates itself during the initial challenge-response. When the CA is certain that the request and the device are genuine, it sends the certificate to the device, which in turn seamlessly places said certificate into its Android keystore.

For a more technical look at how ACME works within the Knox platform, see the release material for Knox SDK 3.10.

Granular SIM restrictions

With Knox 3.9, the platform could disable the secondary physical SIM slot on devices. While handy for enterprises that needed to enforce a particular cell service, this feature didn’t account for more complex hardware setups, such as devices that have the SIM slot numbers reversed, or that have eSIMs. Devices carrying a combination of physical SIMs and eSIMs have become increasingly common in many regions of the world, and are likely to continue growing in popularity.

To account for more complex cellular service plans, Knox 3.10 now offers additional capabilities for controlling Samsung devices. Enterprises can now:

  • Disable either SIM slot on dual-SIM devices
  • Prevent device users from disabling SIM slots
  • Block new eSIMs
  • Disable existing eSIMs
  • Disable all eSIMs except eSIM 1

Force single-window view on Settings app

The Galaxy S23, Flip5, and Fold5 support Multi window, a feature that allows users to multitask with two apps at the same time. By default, the Settings app on these devices opens in this split screen view. The Knox team was made aware by its partners of a potential security vulnerability — some EMM agents can’t monitor and restrict the device user’s actions in the Settings app while it’s in Multi window view.

To cover this security gap, Knox 3.10 now has the capability to force the Settings app into the standard single-screen view.

Audit log enhancements

Knox 3.10 makes the audit log more convenient for developers by consolidating all entries into a single file on the device.

Enhancements to UCM keystore and keyguard

The Knox platform’s Universal Credential Management (UCM) provides a plug-and-play framework to ease the management of credentials across a variety of different storage media. In particular, it provides higher mobile security by supporting the storage and management of major certificates and credentials for embedded devices.

The UCM keystore now supports AES, ECDSA (with NIST and Brainpool curves), and HMAC cipher and signature algorithms.

Back to release notes

Is this page helpful?