Knox White Paper
Virtual Private Networks (VPN)
Standard Android comes with basic VPN abilities that are adequate for most consumers. But many enterprises need better security and more flexible VPN controls for larger deployments. The Knox VPN framework includes the most advanced enterprise-focused feature set, which ensures that VPN connections are efficient, reliable, secure, and compliant with industry regulations and best practices. The Knox Platform VPN framework allows the integration of third-party VPN clients in addition to the built-in VPN client.
Unique advantages of Knox VPN framework
The Knox Platform VPN framework supports all common VPN types, protocols, and configuration options. When deploying VPN solutions, enterprise IT admins must ensure VPN deployments work smoothly, don't waste server resources, limit the VPN solution licensing costs, and enforce strict security policies that prevent data leakage.
The following is an example showing how Knox on-demand VPNs save cost:
The Knox Platform provides the following differentiating VPN features and advantages:
- The flexibility to use a VPN tunnel for the entire device (work profile as well as fully managed device) or a single app only.
- The cost saving benefit of using VPN tunnels on-demand, only when apps in a VPN profile are running.
- The convenience of bypassing VPN tunnels when a device is on-premises in a local corporate network.
- The strict coverage of corner cases to prevent data leakage outside of VPN tunnels, even during a device boot.
- The ability to connect multiple tunnels simultaneously.
- The extra security of chaining VPNs (also known as cascading or nesting VPNs) for greater anonymity, for example, in classified deployments.
- The power of configuring web proxies over VPN:
  - Web proxy configurations are tunnel-specific.
  - Web proxy support for NTLM authentication, basic authentication, PAC, and PAC with authentication.
- The ability to configure SSL/IPsec VPN profiles on multiple devices.
- The advantage of extending VPN tunnels from a mobile device to a tethered laptop, in situations where a laptop does not have network connectivity.
The following Knox VPN features are also available, but are dependent on the VPN client:
- QoS or traffic tracking and shaping. The Knox VPN framework can inform the VPN client when any installed apps generate any traffic.
- Automatic reconnection of VPN tunnels when the server side disconnects. Server-side disconnections are more difficult to detect and handle than device-side disconnections, which are usually related to detectable conditions like loss of connectivity or the presence of new network connections, such as a new Wi-Fi connection.
Robust handling of enterprise requirements
Regardless of the features you choose, the VPN should act predictably even when the unexpected occurs. The following are some common scenarios where Knox Platform enhancements ensure proper VPN behavior:
- VPN tunnels handle system events such as power saving mode entry or exit, package addition or removal, connectivity changes, and admin app changes.
- VPN profiles can specify which apps that are not yet present must, or must not, use a VPN tunnel if they are ever installed.
- Even the free, built-in VPN client supports all the advanced VPN features listed above.
- Robust blocking rules prevent data from leaking outside of the tunnel. Common gaps in coverage that Knox Platform VPNs correctly handle include:
  - A VPN client crash or other client app issues
  - A tunnel that has not yet been established, for example, during boot
  - A VPN client that is unable to connect to a VPN server
  - A proxy port that is blocking
- Handle captive portal prior to VPN tunnel establishment.
High-security built-in VPN client
The built-in Android VPN client (also called Android VPN Management for Knox) is available on all Samsung devices, and is also integrated with the Knox Platform VPN framework, enabling the extra properties available within the Knox platform. The built-in VPN client, even without the Knox VPN framework, is differentiated from what Android offers, providing these advanced VPN features:
- FIPS 140-2 certified device cryptography components
- CPA certification at the Foundation grade, based on its successful Common Criteria evaluation against the Protection Profile for IPsec VPN Clients v1.4
- Security characteristics of IPsec VPN client version 2.5, as set by the NCSC
- Internet Key Exchange (IKE and IKEv2) and Suite-B algorithms:
  - IPsec IETF RFCs – IKEv1
  - IKEv1 – Main and aggressive IKE exchange modes with pre-shared key, certificates, Hybrid RSA, and EAP-MD5 authentications
  - IKEv2 with PSK and certificate-based authentication
  - IKEv2 – Pre-shared key, certificates, EAP-MD5, and EAP-MSCHAPv2 authentication methods, and mobile extensions
  - IKEv1 Suite B Cryptography supported with PSK and ECDSA signature-based authentications
  - IKEv2 Suite B Cryptography supported with ECDSA signatures