Menu

Knox White Paper

Feature Summary

For those wanting a quick reference to the security, manageability, and advanced VPN features offered by Samsung Knox devices, review the summary below. For details about how Samsung Knox differentiates compared to other OEM devices, speak with your Samsung account manager or contact us if you do not have one.

Feature Summary
Security
Hardware-Backed Keystore This feature is a hardware-dependent claim. All Samsung Knox devices have keystores backed by hardware protections.
Secure Lockdown on Tampering
Upon detecting critical security compromises, the system locks down sensitive areas, preventing unauthorized enterprise data access and leakage. When there is evidence of device tampering, Samsung prevents users from accessing the data in a work profile or on a fully managed device. To unlock the device again, one needs to factory reset the device, which wipes out the data inside.
Remote Device Health Get visibility into which devices have security issues like unauthorized firmware, allowing you to take action right away. Knox checks the record of IMEI tampering and whether the warranty bit is blown.
Knox Vault An isolated, tamper-proof, secure subsystem with its own processor and memory, Knox Vault stores sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key, biometric data, and blockchain credentials. It runs security-critical code that authenticates users with increasing timeouts between failures and controls access to keys depending on authentication.
Keystore Support of eSE & Other High-Security Storage Numerous services require credentials for access. They include Wi-Fi, VPN, email, and websites. In order to safely store sensitive credentials, developers need to write new credential storage code for any new storage hardware. Knox provides a plug-and-play framework for credential management across a variety of hardware, eliminating the need to develop in-house credential management implementation logic.
Sensitive Data Protection (SDP) SDP keeps data encrypted while a work profile or fully managed device is locked, even during runtime when other solutions decrypt data.
Real-Time Kernel Protection (RKP)

Drastically limits possible attacks on Samsung devices with best-in-class kernel attack prevention features:

  • Kernel Text Protection (KTP): Protects against any attempt to forge or manipulate Kernel text (code and RO data).
  • Page Table Protection (PTP): Protects against any attempt to forge or manipulate the Kernel and user page table.
  • Kernel Data Protection (KDP): Protects against any attempt to forge or manipulate the Kernel namespace/credential/security ID/double map including kernel code, kernel data, and kernel control flow protections.
  • Control Flow Protection (CFP): Prevents Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks that re-use existing kernel logic to piece together exploits from the kernel’s own code.
DualDAR Encryption

With a single instance of encryption, potential flaws in the implementation can result in a single point of failure. KPE DualDAR provides two independent layers of encryption to achieve an even higher level of reliability by enabling redundancies in protecting Data-At-Rest. You can further strengthen data encryption by using a third-party cryptographic module to customize encryption.

This dual encryption is required for classified deployments. Note that there is an additional license fee to use DualDAR.
ML Model Protection

Machine Learning and Neural models come with unique security challenges that are difficult to address without support from the mobile operating system platform. Knox ML Model Protection leverages the Knox platform to provide developers with the secure encryption, operation, and access control of ML models.
Enforced Two-Factor
Authentication 		Enables IT admins to force end-user two-factor authentication for logging in to a work profile or fully managed device. Two-factor authentication is done through a combination of biometrics (fingerprint, iris, face) and more traditional means (password, PIN, pattern).
Government-Grade Common
Criteria Mode 		Simplifies configuring devices into a compliant state for Common Criteria (national security) deployments.
Separated Apps For enterprises that need full control over a corporate-owned device, while still enabling authorized third-party business apps, Samsung exclusively offers Separated Apps to isolate third-party apps in a sandboxed folder.
App Isolation Groups
(SEAMS)		 Unlike classic app containers with a GUI, you can manage "invisible" app isolation groups to protect a set of apps from any other set. Up to 300 groupings are possible.
Secure Certificate Enrollment Agents (SCEP, CMP, CMC_EST protocols) Samsung provides a free set of certificate enrollment agents that follow the latest security protocols. There is no reason to enroll certificates insecurely, or implement your own protocols.
Manageability
Audit Log Provides comprehensive and detailed device audit logs, recording numerous extra types of events in the areas of system security, authentication, app management, data protection, network connectivity, and peripheral control. Satisfies government requirements for security audit trails.
Device Software Updates Knox E-FOTA running on top of KPE enables IT to deploy a particular firmware version that is not necessarily the latest version. These selective firmware updates provide a stable environment for business apps and services. KPE allows firmware updates under certain conditions such as a particular time of the day, network (Wi-Fi or mobile), or battery power status. These features help optimize productivity and ensure a successful upgrade.
Remote Control KPE enables IT to remotely control devices, by injecting finger, keyboard, and mouse events. This is in addition to remotely viewing devices.
Peripheral Framework In addition to managing mobile devices, you can use the Samsung Knox SDK to manage peripherals like barcode readers that are connected to or integrated with devices. Through a peripheral framework, partners can easily automate the setup, monitoring, diagnostics, and control of different peripheral models.
Customization

Allows IT to customize various aspects of the device software and UI. In addition to more common capabilities, KPE provides these additional abilities:

  • Change the bootup logo
  • Change power behavior such as auto power on/off
  • Change homescreen layout
  • Remap hardware key such as PTT and Emergency
  • Configure Settings at a deep granularity
  • Extend battery life by allowing charging only up to 80%
Granular Roaming Controls

IT can control which mission-critical apps are allowed to use data during mobile roaming, which often incurs high call, text, and data rates. AE only allows IT admins to disable mobile data – it can't block calls or app update downloads while allowing other mobile data use. KPE Premium also enables separate roaming controls for each APN.
Admin Device Lock Knox allows IT admins to remotely lock a device in a way that a user cannot unlock at all. In addition, Knox allows controlling the personal space and work profile separately. For example, the personal space can be open while the work profile is locked.
Data Sharing Policy KPE provides data sync of Contacts, Calendar, and Notifications. Also, KPE provides a unified Calendar with both personal and work events.
Firewall Management Industry-exclusive ability to set on-device firewall rules. KPE can also notify IT when employees attempt to visit blocked domains.
Granular Device Policies Meet compliance or other deployment requirements with policies not supported on AE for SMS/MMS disclaimers, RCS/SMS/MMS logging, call restrictions, read and write restrictions on SD cards, granular Bluetooth profile restrictions, and even manage DeX deployment settings.
Advanced Workspace Configuration Enables strict policy enforcement for Bluetooth, SD Card, USB, and other technologies inside the work profile, while allowing full use outside the work profile.
Unlock using Active
Directory Credentials 		No need to make employees remember separate credentials for Windows laptops and mobile devices. Device users can use their existing Active Directory credentials to unlock their devices.
Split Billing (Dual APNs) Enables enterprises to pay only for the data usage of their approved business apps. Employees are responsible for fees for personal data usage.
Network Analytics Allows IT to deploy network threat detection solutions without granting such tools complete access to all network traffic. For details about the insights provided, see Network Platform Analytics.
VPN
VPN Granularity: Per-App, Per-Container, or Whole Device KPE provides the most granular VPN controls. In addition to configuring a VPN for an app, work profile, or fully managed device, KPE can configure a single VPN for the entire device — that is, work profile as well as fully managed device.
Non-bypassable VPN KPE has strict controls that block any traffic from bypassing a configured VPN, even in edge cases where a device is rebooting, a VPN client crashes, an app accesses the physical interface directly, or an app using a VPN is deleted and re-installed.
On-Demand VPN KPE can activate a VPN only when a target app is launched. Such a feature allows customers to save on service fees from unused VPNs.
HTTP Proxy over VPN

KPE has a wide range of network protocols that can use HTTP Proxy.

  • No auth, basic auth, NTLM v2 auth
  • Both IPv4 and IPv6 are supported
VPN Chaining Allows the use of two VPN tunnels to double-encrypt traffic, enhance anonymity, and prevent a single security bug in a VPN layer from compromising network encryption.