Knox White Paper
Device Health Attestation
Mobile apps can be compromised if unauthorized actors are able to run them on untrustworthy hardware or firmware. This can happen when either:
- a malicious user deliberately accesses a device they are not authorized to use, for example while its owner is away
- a bad actor manipulates the device, or its firmware, while it is in transit
Such an actor can gain full control over the device firmware, files, UI, and apps, and can use that control to:
- steal passwords
- hijack identities
- access secret information
- install apps
Enterprises with Bring Your Own Device (BYOD) programs are especially at risk, because employees may bring compromised Android devices into the workplace. The risks range from:
- the undetected exposure of confidential enterprise assets
- wider, more insidious attacks on other enterprise resources and infrastructure
Enterprises therefore need a fail-safe way to detect whether a device or its firmware is compromised before allowing it to be used in the workplace.
Reliable detection of compromised devices
Malware can intercept and forge the results of a device health check, making a compromised device appear secure. The Knox platform uses its hardware-backed trusted environment to detect and report compromised devices reliably.
Because the Samsung Attestation Key (SAK) is unique to each device, it can bind data to that device through cryptographic signatures. The SAK signs the attestation data to prove that it originated in the TrustZone Secure World of a Samsung Knox device.
Knox Attestation works in tandem with Trusted Boot to ensure the integrity of devices during deployment, boot, and operation.
How Knox Attestation works
- A device check is initiated by either:
  - an enterprise IT admin using an EMM console
  - a regularly scheduled check
- The web server that initiated the check:
  - requests a nonce from the Samsung Attestation Server. A nonce is a random number used in cryptographic communication to time-bound and identify each attestation result.
  - instructs the device to begin a check, passing the nonce as the check identifier.
- The Keymaster Trusted Application (TA) in Secure World gathers this data:
  - the requesting app's package name, version code, and developer key
  - signed information about the device's current state and expected environment
  - hardware fuse readings indicating whether untrusted firmware was ever loaded onto the device
- The TA compiles this information into an Attestation Result and signs it with a key that can be verified using the Samsung Root Certificate.
- The Samsung Attestation Server validates the Attestation Result's signature to ensure that it was generated on Samsung hardware by Samsung's TA.
- The Samsung Attestation Server analyzes the Attestation Result to determine whether the returned nonce matches the one it sent out and whether the data within it can be trusted.
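The exchange above, end to end, as an added example that is not Samsung's code and not the Knox SDK: a Go program in which a Device plays the Keymaster TA and a Server plays the Samsung Attestation Server (or a locally installed Attestation Validator). The server issues a nonce, the device signs an Attestation Result that carries it, and the server checks, in order, that the signing key is certified by the root, that the signature verifies, that the nonce is one it issued and has not yet been used or expired, and only then judges the contents. The AttestationResult field names, the use of Ed25519, the one-level "root signs the device public key" certificate (a real deployment carries an X.509 chain to the Samsung Root Certificate), and the five-minute nonce lifetime are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// AttestationResult is a simplified, hypothetical encoding of what the text says the
// Keymaster TA gathers; the field names are assumptions made for this example.
type AttestationResult struct {
	Nonce         string `json:"nonce"`
	PackageName   string `json:"package_name"`
	VersionCode   int    `json:"version_code"`
	TrustedBootOK bool   `json:"trusted_boot_ok"`
	FuseBlown     bool   `json:"fuse_blown"` // untrusted firmware was loaded at some point
}

// DeviceCert is a minimal stand-in for the certificate on the per-device attestation key:
// the root key signs the device public key (a real deployment carries an X.509 chain).
type DeviceCert struct {
	Pub     ed25519.PublicKey
	RootSig []byte
}

// Device stands in for the TA in Secure World: the per-device private key (the SAK's role) and its certificate.
type Device struct {
	Key  ed25519.PrivateKey
	Cert DeviceCert
}

// Sign serialises the result and signs the bytes with the device key.
func (d *Device) Sign(r AttestationResult) (payload, sig []byte) {
	payload, _ = json.Marshal(r) // a struct of plain fields cannot fail to marshal
	return payload, ed25519.Sign(d.Key, payload)
}

// Server stands in for the Samsung Attestation Server (or a local Attestation Validator).
type Server struct {
	RootPub ed25519.PublicKey    // stand-in for the Samsung Root Certificate
	issued  map[string]time.Time // outstanding nonces and when each was issued
	MaxAge  time.Duration        // how long an issued nonce stays valid
}

// NewNonce issues a fresh random nonce and remembers it so it can be matched exactly once.
func (s *Server) NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable randomness: never fall back to a predictable nonce
	}
	n := fmt.Sprintf("%x", b)
	s.issued[n] = time.Now()
	return n
}

// Verify runs the checks in the order the text describes: device key certified by the root,
// signature valid under that key, nonce matching an outstanding (unused, unexpired) one, and
// only then the contents. The bool is the verdict; a non-nil error means the result itself is untrustworthy.
func (s *Server) Verify(payload, sig []byte, cert DeviceCert) (bool, error) {
	if len(cert.Pub) != ed25519.PublicKeySize || !ed25519.Verify(s.RootPub, cert.Pub, cert.RootSig) {
		return false, fmt.Errorf("attestation key is not certified by the root")
	}
	if !ed25519.Verify(cert.Pub, payload, sig) {
		return false, fmt.Errorf("signature does not verify under the attestation key")
	}
	var r AttestationResult
	if err := json.Unmarshal(payload, &r); err != nil {
		return false, err
	}
	issued, ok := s.issued[r.Nonce]
	if !ok {
		return false, fmt.Errorf("nonce %q unknown or already used (replay)", r.Nonce)
	}
	delete(s.issued, r.Nonce) // each nonce identifies exactly one attestation
	if time.Since(issued) > s.MaxAge {
		return false, fmt.Errorf("nonce %q expired", r.Nonce)
	}
	return r.TrustedBootOK && !r.FuseBlown, nil
}

// NewPKI generates a throwaway root and one device key certified by it, and returns a
// server trusting only that root together with the device.
func NewPKI() (*Server, *Device) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{RootPub: rootPub, issued: map[string]time.Time{}, MaxAge: 5 * time.Minute}
	dev := &Device{Key: devKey, Cert: DeviceCert{Pub: devPub, RootSig: ed25519.Sign(rootKey, devPub)}}
	return srv, dev
}

func main() {
	srv, dev := NewPKI()
	r := AttestationResult{Nonce: srv.NewNonce(), PackageName: "com.example.app", VersionCode: 3, TrustedBootOK: true}
	payload, sig := dev.Sign(r)
	fmt.Println(srv.Verify(payload, sig, dev.Cert)) // true <nil>
}
```

Two design points worth noticing. The verdict and the trustworthiness of the result are kept separate: a blown fuse or failed Trusted Boot yields a clean "untrusted" verdict, whereas a bad signature, an uncertified key, or a nonce the server never issued means the result itself cannot be believed and no verdict should be recorded at all. And the nonce is deleted on first use, so feeding the same signed result to the server twice fails at the nonce check; that single-use property is what makes the nonce a replay defence as well as an identifier.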
The original requestor of the device check can quickly take action, for example,
- Report the verdict to the device user.
- Immediately prevent the device from accessing enterprise systems.
- Uninstall any enterprise apps or assets already on the device.
Highly secure or firewalled environments that do not want to call the web-based Samsung Attestation Server can install the Attestation Validator tool on a local server to parse Attestation Results and keep device verdicts inside the firewall.
Unique advantages of Knox Attestation
Knox Attestation provides these key differentiators:
- Health measurements are bound to each request through a nonce, a unique random number generated by the Samsung Attestation Server.
- Health results map directly to device identifiers such as the IMEI. Knox Attestation returns a device ID with each result, so IT admins can tell which attestation result belongs to which device without painstakingly mapping IDs by hand. With competing solutions, results come back for separate devices but IT admins cannot tell the devices apart, so the results are not actionable. Because Knox Attestation identifies the device in every result, IT admins can prevent or contain issues promptly.