Knox White Paper
Universal Credential Management (UCM)
Digital credentials are critical mobile security building blocks, leveraging trusted authorities to validate identity and secure private channels across public deployments. Your mobile device credentials provide seamless access to secured Wi-Fi, VPN, email, and websites. Credentials include certificates providing identity and private keys to decrypt sensitive data. These credentials must be securely stored to prevent malicious parties from exploiting your identity and accessing confidential data.
Secure elements
While Android apps can store digital credentials securely on Samsung Android devices using the hardware-backed Keystore, some use cases require user credentials and secrets to be stored in a secure element, which can come in form factors such as the following:
- Embedded Secure Element (eSE) — Supports the storing and accessing of credentials, allowing secure storage on the device without additional hardware.
- Micro SD card
- Universal Integrated Circuit Card (UICC)
- Smart card — Smart cards' resiliency makes them ideal for storing credentials if the threat model calls for trust to be shifted outside the device.
Certain customers, especially in government and related industries, have internal regulations requiring the use of approved secure elements for storing credentials and secrets. The secure element is provisioned with an applet that provides certain cryptographic functions.
Use cases
The UCM framework implements a service layer that allows vendors to make their solution available to specialized apps on the device including:
- Device lock (keyguard) — The user enters a PIN to authenticate themselves to the applet running in the secure element. If the PIN authentication succeeds, the UCM framework retrieves a password from credential storage, which is used as the device password to unlock the device.
- Data at Rest (DAR) encryption — The applet provides another layer of protection for the device encryption keys. UCM allows the device encryption key to be wrapped by the applet. The wrapped device encryption key is unwrapped when the user provides the correct PIN at device boot.
UCM framework
The Universal Credential Management (UCM) framework enables Android apps to access all credential storage devices through the same standard programming interface—the Java Cryptography Extensions (JCE) API via either:
- a specific provider to carry out supported crypto operations
- the Android Keychain API for key and certificate operations
The vendor providing the secure element solution (including the applet) implements a UCM plugin, which registers their solution as a Keystore provider. Apps simply refer to the vendor's provider when calling the Keystore API.
A significant benefit of the UCM framework is that it uniquely enables storage vendors to develop a plugin that provides access to their storage space and cryptographic operations, without forcing app developers to change their code or forcing IT admins or end users to update their apps. The plugin essentially acts as the link between the UCM framework and a specific storage device.
The UCM framework consolidates and standardizes credential services to provide a streamlined interface for:
- EMM or ISV apps — These apps configure, provision, and consume credentials; they manage credential storage access permissions and activate advanced UCM permissions. The apps can enforce the installation, removal, or per-app access control of a credential.
- Storage provider plugin — These apps are provided by storage vendors to link the UCM framework to their storage solution and manage the stored credentials.
- Secure storage — This currently includes the Samsung eSE and the Smart Card readers described in the Secure elements section. Other storage options can be supported through additional vendor plugins.
The Knox SDK provides credential storage vendors a set of UCM APIs to make current and future storage options available on Samsung devices, hiding the implementation details of their solution so that mobile app developers can transparently access stored credentials through standard APIs, such as the Android Keychain. Similarly, developers can use the Java Cryptography Extension APIs to offload cryptographic operations to a capable Smart Card. This abstraction, made possible by the UCM framework, eliminates the need for complex vendor-specific code within mobile apps, meaning enterprise customers have a wide range of existing apps available to them and can easily develop in-house apps without worrying about the underlying storage implementation.
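The following is an added illustration of the abstraction just described, not code from Samsung, the Knox SDK, or any storage vendor: an app signs a server challenge with a credential held in UCM-backed secure storage using only the standard Android KeyChain and JCE APIs. The alias, provider name, and keystore type are placeholders, and the example assumes an EMM app has already provisioned the credential and granted this app access through the UCM allowlists.

```java
// Added illustration, not Samsung's or any vendor's code: an app signs a server
// challenge with a credential held in UCM-backed secure storage using only the
// standard Android KeyChain and JCE APIs, so no vendor-specific code is needed.
// Assumptions (placeholders, not real identifiers): the EMM app has provisioned
// the credential under ALIAS and granted this app access via the UCM allowlists;
// the vendor plugin registers a JCE provider VENDOR_PROVIDER whose KeyStore type
// is VENDOR_KEYSTORE_TYPE.
import android.content.Context;
import android.security.KeyChain;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public final class UcmSigner {
    private static final String ALIAS = "corp-user-auth";              // constructed
    private static final String VENDOR_PROVIDER = "ExampleUcmProvider"; // placeholder
    private static final String VENDOR_KEYSTORE_TYPE = "ExampleUcmKS";  // placeholder
    private static final String ALG = "SHA256withRSA";

    // Path 1: Android KeyChain. The app names only the alias; the platform routes
    // the operation to whichever registered provider holds that credential.
    // KeyChain.getPrivateKey() blocks on IPC and must not run on the main thread.
    public static byte[] signViaKeyChain(Context ctx, byte[] challenge) throws Exception {
        PrivateKey key = KeyChain.getPrivateKey(ctx, ALIAS);
        if (key == null) throw new IllegalStateException("no access to alias " + ALIAS);
        // A secure-element key must never expose its material: getEncoded() is
        // null for non-extractable keys, so anything else is a misconfiguration.
        if (key.getEncoded() != null) throw new IllegalStateException("key is extractable");
        return sign(key, challenge);
    }

    // Path 2: explicit JCE provider, for apps that deliberately target one storage.
    // The PIN authenticates the user to the applet; the private key stays on-card.
    public static byte[] signViaProvider(byte[] challenge, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance(VENDOR_KEYSTORE_TYPE, VENDOR_PROVIDER);
        ks.load(null, pin);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, pin);
        return sign(key, challenge);
    }

    // Both paths end in the same standard JCE call; the provider behind the key
    // performs the signature inside the secure element.
    private static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance(ALG);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
}
```

Swapping the eSE for a Smart Card changes only which plugin the EMM app provisions, not this code, which is the point of the UCM abstraction.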
UCM allowlist
The UCM framework uses two types of allowlists, which uniquely manage access controls for credential storage and offer fully customizable access permissions:
- App allowlist — Enforces which apps can access each secure storage type. Every secure storage device maps to its respective UCM plugin, which the secure storage solution provider creates and maintains.
- Credential allowlist — Enforces each app's access to individual credentials, providing app-specific access permissions. By enforcing this access control, admins can prevent credential use by malicious or untrusted apps.