Knox White Paper
Granular Device Management
The Knox Platform's granular device management features are specifically curated, from partner feedback and industry data, to solve some of the most common frustrations enterprises face when mass deploying devices. These unique policies provide device flexibility and customization beyond any other device provider. The policies help organizations manage operations more effectively, secure confidential assets, and reduce administrative overhead. They also solve particular issues regarding industry regulation and compliance. For example, Rich Communication Services (RCS) logging is required by law in the financial industry. Samsung is the only vendor to provide this critical auditing feature.
Custom boot banner
Samsung Knox is the only mobile platform that allows an enterprise to natively change the device boot logo. In many industries, such as government or defense, this change is mandatory for compliance. Through the Knox Platform, enterprise IT admins and developers can customize the following:
- Samsung boot up display
- Splash screen animation, when the device is turned on or off
- Lockscreen image, which can provide an enterprise logo or contact info for lost phones
Enterprises can use these capabilities to mitigate problems such as the following:
- Phone is lost and found — Owner information is available by simply powering on the device. There is no need to attempt to unlock the device or call the carrier. The device can be returned to the enterprise quickly.
- Multiple phones — Displaying an enterprise logo on bootup lets users know that the device belongs to and is secured by the enterprise. This logo clearly distinguishes it from other devices in the user's possession.
Split billing
Split billing separates enterprise and personal data usage.
- In Bring Your Own Device (BYOD) deployments, enterprise billing allows employees to be properly compensated for data costs generated from work-related app usage.
- In Corporately Owned, Personally Enabled (COPE) deployments, enterprise billing allows employers to pay for data usage incurred only for work purposes.
Split billing also works with dual SIM devices, by mapping some apps to using the data plan from one SIM, and other apps to the other SIM's data plan.
Remote device lock
This feature allows an IT admin to remotely lock out a device, for example, when the device is out of compliance. Once the device is locked, only an IT admin, not the device user, can unlock it. This functionality solves two problems:
- Prevents unauthorized users from accessing the device if it gets lost or stolen.
- Prevents users with valid login credentials from using the device, for example, if the credentials are stolen or the user is no longer allowed to use the device.
With stock Android, an IT admin can lock a device only if it is currently unlocked. If the device is already locked, an admin can't lock it to prevent future unauthorized logins.
Roaming data controls
Roaming mobile connections can incur unexpected data costs. Multiplied across an enterprise's mobile workforce, these costs can become exorbitant.
Rather than simply disabling all mobile roaming, the Knox Platform provides more granular controls for enterprises, letting them control which mission-critical apps are allowed to use data while roaming. Enterprises could enable roaming data for:
- All apps in the Work container
- A single app within the Work container
- A single app in the personal space
They can also combine this with split billing, applying separate roaming policies to the APNs set up for personal and enterprise billing.
Call restrictions
Enterprises can apply granular settings to the caller app, allowing only:
- Emergency calling
- Calling to certain numbers
- A limited number of calls per day
RCS logging
The Knox Platform allows an enterprise to log RCS messages. For many industries, such as financial services, the ability to audit sent and received messages is required by law.
RCS messaging is a new messaging protocol that replaces SMS as the default messaging platform for carriers. It adds much needed features such as group messages and allows users to send more file types. Currently, enterprises that can't capture RCS messages must turn RCS off and lose the benefits of this new protocol. Knox RCS logging capabilities mean deployments can use powerful RCS abilities while staying compliant.
SMS policies
Knox provides many advanced SMS policies. Policies frequently used by organizations include:
- Adding an automatic company disclaimer to the bottom of every outgoing text
- Restricting the number of texts per day
- Auditing and recording all incoming and outgoing SMS messages
SD card restrictions
Most vendors don't provide sophisticated options to manage an SD card. Typically, enterprises must choose between one of two options: allow full read and write access to the SD card or completely block it.
The Knox Platform addresses this industry pain point by giving enterprises independent control over read and write access. Knox can:
- Allow read access but block write access
- Allow write access but block read access
This level of control means you can provide one-way access to sensitive data and effectively meet your security requirements.
Bluetooth restrictions
To mitigate attacks perpetrated through Bluetooth connections, Knox provides these controls:
- Completely disable Bluetooth — Turn off Bluetooth and Bluetooth background scanning.
- Block specific Bluetooth profile types — Restrict the types of Bluetooth devices that the user can connect to the device, for example:
  - Allow Bluetooth headphones
  - Block Bluetooth file transfers, which could leak private data
USB class restrictions
Knox can restrict or allow different types of USB-connected devices, specifically the USB device classes defined by usb.org. This feature covers access to the following USB device classes:
- Audio, Video, Audio/Video
- Mass Storage
- Content Security
- Smart Card
- Hub, Type-C Bridge, Wireless Controller
- Human Interface Device (HID)
- Communications, CDC Control, CDC Data
- Personal Healthcare
For example, you could block all USB devices except Smart Card readers.
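As an added illustration (not Knox's own API or code), a default-deny evaluator in Python for the "block all USB devices except Smart Card readers" policy, keyed on the USB-IF base class codes for the classes listed above; the device descriptor stand-in and the sample devices are constructed. It also shows why a composite device has to be judged on every interface it exposes, not just its headline class.

```python
from dataclasses import dataclass

# USB-IF base class codes (usb.org) for the classes the white paper lists.
USB_CLASS = {
    "Audio": 0x01, "CDC Control": 0x02, "HID": 0x03, "Mass Storage": 0x08,
    "Hub": 0x09, "CDC Data": 0x0A, "Smart Card": 0x0B, "Content Security": 0x0D,
    "Video": 0x0E, "Personal Healthcare": 0x0F, "Audio/Video": 0x10,
    "Type-C Bridge": 0x12, "Wireless Controller": 0xE0,
}

@dataclass(frozen=True)
class UsbDevice:
    """Constructed stand-in for what the host reads from a device's descriptors."""
    name: str
    device_class: int                 # bDeviceClass; 0x00 means "see interfaces"
    interface_classes: tuple = ()     # bInterfaceClass of every interface

def effective_classes(dev: UsbDevice) -> frozenset:
    """All class codes the device exposes, which is what a policy must judge."""
    # 0x00 and 0xEF (miscellaneous / IAD) defer the class to the interfaces.
    if dev.device_class in (0x00, 0xEF):
        return frozenset(dev.interface_classes)
    return frozenset({dev.device_class, *dev.interface_classes})

def is_allowed(dev: UsbDevice, allowed: frozenset) -> bool:
    """Default-deny allowlist: every exposed class must be permitted, so a
    composite device bundling a permitted class with a blocked one (a card
    reader that also presents a HID keyboard) and a device exposing no
    classifiable interface at all are both rejected."""
    classes = effective_classes(dev)
    return bool(classes) and classes <= allowed

def evaluate(devices, allowed: frozenset) -> dict:
    return {d.name: is_allowed(d, allowed) for d in devices}

# The paper's example policy: block everything except Smart Card readers.
SMART_CARD_ONLY = frozenset({USB_CLASS["Smart Card"]})

# Constructed sample devices, not captured from real hardware.
SAMPLE_DEVICES = (
    UsbDevice("ccid-reader", 0x00, (USB_CLASS["Smart Card"],)),
    UsbDevice("flash-drive", 0x00, (USB_CLASS["Mass Storage"],)),
    UsbDevice("reader-with-keypad", 0x00, (USB_CLASS["Smart Card"], USB_CLASS["HID"])),
    UsbDevice("vendor-specific", 0xFF),
)

if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE_DEVICES, SMART_CARD_ONLY).items():
        print(f"{name:20s} {'ALLOW' if ok else 'BLOCK'}")
```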
Keyboard Input Methods (IME)
The Keyboard Input Method (IME) framework has received a major security upgrade with Knox 3.2.1.
In Knox 3.2.1, the personal and Work container keyboards are completely separate to ensure that important work data is not compromised. In an Android Enterprise Work Profile, the same IME serves both the personal side and the work profile. A shared IME may leak sensitive data through an exploit buried in the IME.
For example, let's say a device user downloads a malicious IME from Google Play for use on the personal side.
- Android Enterprise: this IME is shared with the Work profile and sensitive data may leak.
- Samsung Knox: The IME is isolated from the Work container and can't access sensitive information.
In previous versions of Knox, IT admins were required to whitelist third-party IMEs for added security. Now that personal and Work container IMEs are kept separate, users can use third-party keyboards without prior explicit whitelisting by IT admins.