Knox White Paper
Granular Device Management
The Knox Platform's granular device management features are specifically curated, from partner feedback and industry data, to solve some of the most common frustrations enterprises face when mass deploying devices. These unique policies provide device flexibility and customization beyond any other device provider. The policies help organizations manage operations more effectively, secure confidential assets, and reduce administrative overhead. They also solve particular issues regarding industry regulation and compliance.
Custom boot banner
Samsung Knox is the only mobile platform that allows an enterprise to natively change the device boot logo. In many industries, such as government or defense, this change is mandatory for compliance. Through the Knox Platform, enterprise IT admins and developers can customize the following:
- Samsung boot up display
- Splash screen animation, when the device is turned on or off
- Lockscreen image, which can provide an enterprise logo or contact info for lost phones
Enterprises can use these capabilities to mitigate problems such as the following:
- Phone is lost and found — Owner information is available by simply powering on the device. There is no need to attempt to unlock the device or call the carrier. The device can be returned to the enterprise quickly.
- Multiple phones — Displaying an enterprise logo on bootup lets users know that the device belongs to and is secured by the enterprise. This logo clearly distinguishes it from other devices in the user's possession.
Split billing (Dual APN)
Split billing separates enterprise and personal data usage.
- In Bring Your Own Device (BYOD) deployments, enterprise billing allows employees to be properly compensated for data costs generated from work-related app usage.
- In Corporately Owned, Personally Enabled (COPE) deployments, enterprise billing allows employers to pay for data usage incurred only for work purposes.
Split billing also works with dual SIM devices, by mapping some apps to the data plan of one SIM and other apps to the other SIM's data plan.
Remote admin lock of device
This feature allows an IT admin to remotely lock out a device, for example, when the device is out of compliance. Once the device is locked, only an IT admin, not the device user, can unlock it. This functionality solves two problems:
- Prevents unauthorized users from accessing the device if it gets lost or stolen.
- Prevents users with valid login credentials from using the device, for example, if the credentials are stolen or the user is no longer allowed to use the device.
With stock Android, an IT admin can lock a device only if it is currently unlocked. If the device is already locked, an admin can't lock it to prevent future unauthorized logins.
Enterprise roaming
Roaming mobile connections can incur unexpected data costs. Multiplied across an enterprise's mobile workforce, these costs can become exorbitant.
Rather than simply disabling all mobile roaming, the Knox Platform provides more granular controls for enterprises, letting them control which mission-critical apps are allowed to use data during mobile roaming. Enterprises could enable roaming data for:
- All apps in the Work container
- A single app within the Work container
- A single app in the personal space
They can also set up Split Billing, with separate roaming policies for the APNs set up for personal and enterprise billing.
Granular policies
Call restrictions
Enterprises can apply granular settings to the caller app, allowing only:
- Emergency calling
- Calling to certain numbers
- A limited number of calls per day
SMS management
Knox provides many advanced SMS policies. Policies frequently used by organizations include:
- Adding an automatic company disclaimer to the bottom of every outgoing text
- Restricting the number of texts per day
- Auditing and recording all incoming and outgoing SMS messages
SD card restrictions
Most vendors don't provide sophisticated options to manage an SD card. Typically, enterprises must choose between one of two options: allow full read and write access to the SD card or completely block it.
The Knox Platform addresses this industry pain point by giving enterprises independent control over read and write access. Knox can:
- Allow read access but block write access
- Allow write access but block read access
This level of control means you can provide one-way data access to sensitive data to effectively meet your security requirements.
Bluetooth restrictions
To mitigate attacks perpetrated through Bluetooth connections, Knox provides these controls:
- Completely disable Bluetooth — Turn off Bluetooth and Bluetooth background scanning.
- Block specific Bluetooth profile types — Restrict the types of Bluetooth devices that the user can connect to the device, for example:
  - Allow Bluetooth headphones
  - Block Bluetooth file transfers, which could leak private data
USB class restrictions
Knox can restrict or allow different types of USB-connected devices, more specifically, the USB device classes defined through usb.org. This feature includes access to the following USB device classes:
- Audio, Video, Audio/Video
- Mass Storage
- Content Security
- Smart Card
- Printer
- Hub, Type-C Bridge, Wireless Controller
- Human Interface Device (HID)
- Communications, CDC Control, CDC Data
- Personal Healthcare
- Billboard
- Diagnostic
For example, you could block all USB devices except Smart Card readers.
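An added example, not Knox code or part of the original white paper: a small Python model of class-based USB allowlisting for the "block everything except Smart Card readers" policy above. The class codes are the USB-IF base class values; the function names, the fail-closed handling of composite devices, and the sample descriptors are assumptions for illustration and do not describe how Knox evaluates devices internally.

```python
# USB-IF base class codes for the device classes named in the list above.
USB_CLASSES = {
    0x01: "Audio", 0x02: "Communications/CDC Control", 0x03: "HID",
    0x07: "Printer", 0x08: "Mass Storage", 0x09: "Hub", 0x0A: "CDC Data",
    0x0B: "Smart Card", 0x0D: "Content Security", 0x0E: "Video",
    0x0F: "Personal Healthcare", 0x10: "Audio/Video", 0x11: "Billboard",
    0x12: "Type-C Bridge", 0xDC: "Diagnostic", 0xE0: "Wireless Controller",
}
PER_INTERFACE = 0x00  # bDeviceClass 0: the class is declared on each interface


def describe(code):
    """Human-readable name for a class code."""
    return USB_CLASSES.get(code, f"unlisted class 0x{code:02X}")


def evaluate(device_class, interface_classes, allowed):
    """Return (is_allowed, blocking_codes) for one attached device.

    Fail closed: every class the device declares must be on the allowlist,
    so a composite device cannot carry a blocked function (for example a
    HID keyboard) in behind an allowed one (a smart card interface).
    """
    declared = set(interface_classes)
    if device_class != PER_INTERFACE:
        declared.add(device_class)
    if not declared:  # nothing declared at all: deny rather than guess
        return False, []
    blocking = sorted(c for c in declared if c not in allowed)
    return not blocking, blocking


# Constructed sample descriptors: (label, bDeviceClass, [bInterfaceClass...]).
SAMPLES = [
    ("card reader", 0x00, [0x0B]),
    ("reader + keyboard", 0x00, [0x0B, 0x03]),
    ("flash drive", 0x00, [0x08]),
    ("external hub", 0x09, [0x09]),
]

if __name__ == "__main__":
    policy = {0x0B}  # allow Smart Card only
    for label, dev_cls, if_classes in SAMPLES:
        ok, blocking = evaluate(dev_cls, if_classes, policy)
        reason = ", ".join(describe(c) for c in blocking) or "-"
        print(f"{label:18} {'ALLOW' if ok else 'BLOCK':5} blocked by: {reason}")
```

With this policy a reader attached through an external hub is also blocked, so a deployment that relies on hubs or docks needs the Hub class on the allowlist as well.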
Keyboard Input Methods (IME)
The Keyboard Input Method (IME) framework has received a major security upgrade with Knox 3.2.1.
In Knox 3.2.1, the personal and Work container keyboards are completely separate to ensure that important work data is not compromised. In an Android Enterprise Work Profile, the same IME is used for both the personal and profile sides. A shared IME may leak sensitive data through an exploit buried in the IME.
For example, let's say a device user downloads a malicious IME from Google Play for use on the personal side.
- Android Enterprise: This IME is shared with the Work profile and sensitive data may leak.
- Samsung Knox: The IME is isolated from the Work container and can't access sensitive information.
In previous versions of Knox, IT admins were required to add third-party IMEs to an allowlist for added security. Now that personal and Work container IMEs are kept separate, users are able to use third-party keyboards without prior explicit allowance from IT admins.