Samsung Knox supports select Virtual Private Network (VPN) solutions. This section describes how to use the Knox VPN client.
About Knox VPNs
Knox Platform for Enterprise supports these types of VPN models:
- Device-wide VPN* — All outgoing traffic from the device goes through the same VPN connection. In this case, you use the Android VPN client that is preloaded with the device. This method is not recommended as it is not as secure as the next two methods. If you are using personal Knox this is the only VPN method available.
- Workspace wide VPN — All data sent to and from the Knox container goes through the same VPN connection. With this model, you use a more powerful Knox VPN client, which supports a wider range of more secure VPN protocols.
- Per-app VPN — You can configure up to 5 separate VPN connections and assign container apps to VPN connections. With this model, a container app can have its own dedicated VPN connection. You need the Knox VPN client for this model too.
As with other Workspace policies, IT Admins have the option to enable and set up these features to meet enterprise policies. You can use Workspace to manage VPN connections, but only for user accounts you control. This typically includes the default user and any Workspaces you activate. VPN connections for apps installed in user accounts you don't control, such as those created for Android for Work managed profiles, must be managed separately.
Knox Generic VPN framework
The Samsung Knox Virtual Private Network (VPN) framework enables advanced configurations using VPN clients from various vendors. Each client has unique features that can be researched to find the best match for your needs. Once you’ve selected a VPN client, you can download and deploy the client to your mobile devices, and can then use an MDM system to define and activate VPN profiles on devices.
Android VPN client
The built-in Android VPN client (also called StrongSwan) is available on all Samsung devices but, until now, has been limited to simple VPN configurations on individual devices. Samsung devices come with an enhanced version of the Android VPN Service. The built-in Android VPN client wasn’t designed to take advantage of these enhancements, limiting its use in enterprise environments. Modifying the client to support these enhancements would require us to maintain our own version of the client. This would require us to have our client separately certified for FIPS-compliance.
Android VPN Management for Knox
We chose to leave the Android VPN client unmodified and instead added a new management app to sit in between our enhanced VPN framework and the VPN client. This management app is called Android VPN Management for Knox and unlocks the following extra Knox VPN features for the built-in Android VPN client:
- per-app connections
- on-demand connections
- device-wide connections
- always-on connections
- blocking routes to prevent data leakage if a mandatory VPN connection drops
- MDM solutions can push VPN profiles to the built-in clients on multiple devices
The following criteria must be considered when implementing VPN in your enterprise.
|Secure Channel. Enterprise devices can securely connect to the enterprise network.||VPN. The TOE provides a secure communications channel to the VPN Gateway.|
|Enterprise Device Management. Enterprise administrators can control mobile endpoint configurations.||Security policy. The TOE can be configured by a Mobile Device Management solution that supports the Samsung Enterprise SDK.|
Common VPN Client Settings
The settings here relate to the configuration of the VPN client profile.
|Profile Management||Profile name||Create, rename and delete VPN profiles|
|VPN Type Setting||The types of VPN connections that can be set. Those listed here are the only validated types.|
|VPN Settings (PSK)||The settings needed to configure the VPN tunnel when using a Pre-Shared Key.|
|VPN Settings (certificate)||The settings needed to configure the VPN tunnel when using a certificate.|
|VPN Optional Network Settings||These settings provide additional network configuration and routing options for the tunnel.|
|Always-on VPN||Enable/ Disable||Specifies whether all traffic must go through the specified VPN tunnel. If no connection can be made no traffic will flow.|
|User Control||Enable/ Disable||Whether the user is allowed to create new VPN profiles, change profiles or modify the Always-on VPN setting.|
Regular VPN deployment
Samsung provides a VPN client. This tunnel is accessed through the normal VPN user interface and then selecting the appropriate options for the type of connection. To access the VPN interface:
- On the device, go to Settings > Connections > More Connections > VPN > Add VPN.
- Enter a name for this VPN connection.
- Select the VPN type. The available types depend on the Android VPN client preloaded onto the device.
- Enter the IP address of the VPN server.
- Configure the VPN settings so that they match or are compatible with the VPN server settings.