Samsung Knox supports select Virtual Private Network (VPN) solutions. This section describes how to use the Knox VPN client.
Knox Platform for Enterprise supports these types of VPN models:
As with other Workspace policies, IT Admins have the option to enable and set up these features to meet enterprise policies. You can use Workspace to manage VPN connections, but only for user accounts you control. This typically includes the default user and any Workspaces you activate. VPN connections for apps installed in user accounts you don't control, such as those created for Android for Work managed profiles, must be managed separately.
The Samsung Knox Virtual Private Network (VPN) framework enables advanced configurations using VPN clients from various vendors. Each client has unique features that can be researched to find the best match for your needs. Once you’ve selected a VPN client, you can download and deploy the client to your mobile devices, and can then use an MDM system to define and activate VPN profiles on devices.
The built-in Android VPN client (also called StrongSwan) is available on all Samsung devices but, until now, has been limited to simple VPN configurations on individual devices. Samsung devices come with an enhanced version of the Android VPN Service. The built-in Android VPN client wasn’t designed to take advantage of these enhancements, limiting its use in enterprise environments. Modifying the client to support these enhancements would require us to maintain our own version of the client. This would require us to have our client separately certified for FIPS-compliance.
We chose to leave the Android VPN client unmodified and instead added a new management app to sit in between our enhanced VPN framework and the VPN client. This management app is called Android VPN Management for Knox and unlocks the following extra Knox VPN features for the built-in Android VPN client:
The following criteria must be considered when implementing VPN in your enterprise.
| Enterprise requirement | Knox (TOE) capability |
|---|---|
| Secure Channel. Enterprise devices can securely connect to the enterprise network. | VPN. The TOE provides a secure communications channel to the VPN Gateway. |
| Enterprise Device Management. Enterprise administrators can control mobile endpoint configurations. | Security policy. The TOE can be configured by a Mobile Device Management solution that supports the Samsung Enterprise SDK. |
The settings here relate to the configuration of the VPN client profile.
| Setting | Option | Description |
|---|---|---|
| Profile Management | Profile name | Create, rename and delete VPN profiles. |
| VPN Type Setting | | The types of VPN connections that can be set. Those listed here are the only validated types. |
| VPN Settings (PSK) | | The settings needed to configure the VPN tunnel when using a Pre-Shared Key. |
| VPN Settings (certificate) | | The settings needed to configure the VPN tunnel when using a certificate. |
| VPN Optional Network Settings | | These settings provide additional network configuration and routing options for the tunnel. |
| Always-on VPN | Enable/Disable | Specifies whether all traffic must go through the specified VPN tunnel. If no connection can be made, no traffic will flow. |
| User Control | Enable/Disable | Whether the user is allowed to create new VPN profiles, change profiles, or modify the Always-on VPN setting. |
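The settings above interact: a PSK profile and a certificate profile need different credentials, optional routes and DNS servers must be well-formed, Always-on VPN only makes sense if it names an existing profile and fails closed when the tunnel is down, and User Control decides whether the user can switch Always-on off again. The following validator is an added example (not Samsung's code and not the Knox VPN profile schema); every field name, the two type strings, and the minimum PSK length are assumptions made for this example, and treating "Always-on with User Control enabled" as an error is this example's own hardening rule.

```python
import ipaddress

# Placeholder for "the only validated types" in the table; real names differ.
VALIDATED_VPN_TYPES = {"ikev2-psk", "ikev2-cert"}
MIN_PSK_LENGTH = 16  # example threshold, not a Knox requirement


def validate_profile(profile: dict) -> list[str]:
    """Return the problems found in one VPN profile (empty list means valid)."""
    errors = []
    if not profile.get("profile_name", "").strip():
        errors.append("profile_name is required")
    vpn_type = profile.get("vpn_type")
    if vpn_type not in VALIDATED_VPN_TYPES:
        errors.append(f"vpn_type {vpn_type!r} is not a validated type")
    if not profile.get("gateway"):
        errors.append("gateway is required")

    # PSK and certificate settings are mutually exclusive: each type needs
    # its own credentials and must not carry the other's.
    psk = profile.get("psk")
    cert = profile.get("client_cert_alias")
    if vpn_type == "ikev2-psk":
        if not psk or len(psk) < MIN_PSK_LENGTH:
            errors.append(f"psk must be at least {MIN_PSK_LENGTH} characters")
        if cert:
            errors.append("client_cert_alias is not used by a PSK profile")
    elif vpn_type == "ikev2-cert":
        if not cert:
            errors.append("client_cert_alias is required for a certificate profile")
        if not profile.get("ca_cert_alias"):
            errors.append("ca_cert_alias is required to verify the gateway")
        if psk:
            errors.append("psk must not be set on a certificate profile")

    # Optional network settings: routes must be CIDR blocks, DNS entries IPs.
    for route in profile.get("routes", []):
        try:
            ipaddress.ip_network(route, strict=True)
        except ValueError:
            errors.append(f"invalid route {route!r}")
    for dns in profile.get("dns_servers", []):
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            errors.append(f"invalid DNS server {dns!r}")
    return errors


def validate_policy(policy: dict) -> list[str]:
    """Check every profile plus the interplay of Always-on VPN and User Control."""
    errors = []
    profiles = policy.get("profiles", [])
    names = [p.get("profile_name") for p in profiles]
    if len(names) != len(set(names)):
        errors.append("profile names must be unique")
    for p in profiles:
        errors += [f"{p.get('profile_name')}: {e}" for e in validate_profile(p)]
    if policy.get("always_on"):
        if policy.get("always_on_profile") not in names:
            errors.append("always_on_profile must name an existing profile")
        # Example hardening rule: with User Control on, the user could switch
        # Always-on off, so the combination is reported as inconsistent.
        if policy.get("user_control"):
            errors.append("user_control must be disabled while always_on is enforced")
    return errors


def traffic_allowed(policy: dict, tunnel_up: bool) -> bool:
    """Fail-closed semantics of Always-on VPN: no tunnel means no traffic.
    Without Always-on, traffic falls back to the plain network."""
    return tunnel_up or not policy.get("always_on", False)


# Constructed sample policy: the gateway and aliases are not real values.
SAMPLE_POLICY = {
    "profiles": [
        {
            "profile_name": "corp-cert",
            "vpn_type": "ikev2-cert",
            "gateway": "vpn.example.invalid",
            "client_cert_alias": "device-client",
            "ca_cert_alias": "corp-root",
            "routes": ["10.20.0.0/16"],
            "dns_servers": ["10.20.0.53"],
        }
    ],
    "always_on": True,
    "always_on_profile": "corp-cert",
    "user_control": False,
}

if __name__ == "__main__":
    for problem in validate_policy(SAMPLE_POLICY):
        print("problem:", problem)
    print("traffic with tunnel down:", traffic_allowed(SAMPLE_POLICY, False))
```

Run the file directly to check the constructed sample; an MDM-side deployment script would call `validate_policy` on each policy before pushing it, and reject any policy that returns a non-empty list.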
Regular VPN deployment
Samsung provides a VPN client. The tunnel is set up through the normal VPN user interface by selecting the options appropriate for the connection type. To access the VPN interface: