DualDAR architecture
Dual Encryption allows enterprises to ensure their work data is secured with two layers of encryption, even when the device is in a powered off or unauthenticated state. With a single layer of encryption, a flaw in the implementation is a single point of failure. Two layers of protection reduce the possibility of enterprise work data being compromised, and the Knox Platform for Enterprise achieves a higher level of reliability through this redundancy. DualDAR protects sensitive data with two independent layers of encryption that protect stored information while the device is powered off or unauthenticated.
The Samsung Knox DualDAR solution provides two separate layers of encryption and key generation. All data placed inside the Workspace is encrypted by both layers. The outer layer is built on top of Android's File Based Encryption (FBE) and enhanced by Samsung to meet MDFPP requirements. The inner layer is based on a framework that allows an independent third party to install a separate cryptographic module. If no third-party module is installed, the inner layer is provided by a FIPS 140-2 certified cryptographic module included in the Samsung Knox framework.
Inside the Workspace, an app sees two storage locations: Credential Encrypted (CE) storage and Device Encrypted (DE) storage. Workspace storage is DualDAR protected and behaves as CE storage from an app's standpoint. The Knox framework prevents apps from writing data to any storage that is not protected by DualDAR.
Architecture
Samsung Knox DualDAR leverages the Android File Based Encryption (FBE) architecture. On an FBE enabled device, an app has two storage locations available:
- Credential Encrypted (CE) storage: Default storage location and only available after a user has unlocked the device.
- Device Encrypted (DE) storage: Storage location available both during Direct Boot mode and after the user has unlocked the device.
By default, in Android 9.0 on a Samsung FBE enabled device, all data is stored in CE storage. CE storage is protected by user credentials, so data is available only after the user has authenticated to the device at start-up. After the device is unlocked, CE storage is available as normal. Access to CE storage can be revoked by evicting the CE key from memory, which happens on device reboot, on inactivity timeout, or when an IT admin explicitly evicts it.
DE storage is available at all times, even prior to user authentication. An application that is aware of encryption (a crypto-aware app) can choose to store data in either CE or DE storage. For example, a crypto-aware alarm app can store non-sensitive information such as date and time in DE storage so that the alarm rings even while the device is locked and the end user has not unlocked it. For more information on Android FBE please see this article.
Samsung Knox DualDAR Workspace container storage behaves as CE storage from an application standpoint. The Knox framework prevents applications from writing data to DE storage, which is not DualDAR protected. For use cases where an app is aware of both CE and DE storage and needs to write unclassified content to DE storage, the Knox framework lets IT admins vet and allow that app so it has permission to write to DE storage. This ensures that no app writes sensitive or classified content to DE storage without IT admin approval.
Encryption layers
Outer layer
The outer layer of Samsung Knox DualDAR is built on Android FBE and enhanced by Samsung to meet MDFPP requirements. This layer is implemented by the SoC hardware dedicated to flash storage encryption: the Qualcomm Integrated Crypto Engine (ICE) or the Exynos Flash Memory Protector (FMP). Data encryption at this layer is AES-256-XTS, and file encryption keys are encrypted using AES-GCM-256.
Inner layer
The inner layer of encryption is based on a framework that allows an independent third party to install a separate cryptographic module. If no third-party module is installed, the inner layer of encryption is performed by a FIPS 140-2 certified cryptographic module included on the device by Samsung. For the Samsung-included FIPS certified cryptographic module, data encryption at this layer is AES-256-XTS and file encryption keys are encrypted using AES-GCM-256. Third-party crypto modules are expected to be FIPS 140-2 validated as well, though this is up to the customer and the vendor providing the library.
Data Lock Concept
When the Workspace container is configured for DualDAR, app data inside the container is accessible only while the container is unlocked (that is, while the user is actively using the container). When the container (or the device as a whole) is locked, the container encryption keys are evicted from memory. In the data lock state, the Samsung device remains powered on but the user is locked out of both the Workspace and the device. All sensitive data is protected in Credential Encrypted (CE) storage within the Workspace, and CE storage is not available until the user provides both their device and Workspace credentials. The device enters this state under two conditions:
- Device reboot: During device reboot the CE keys are evicted and the Workspace and device are locked.
- Data lock timeout: The Samsung DualDAR solution allows admins to configure a data lock timeout. The timeout starts when the screen is locked; when it expires, the CE keys are evicted and the Workspace and device are locked.
To regain access to CE storage and the sensitive/classified data in it, the end user must authenticate to both layers (device and Workspace).
Supported Devices
DualDAR is supported on Galaxy S10, N10, S20, and future flagship models.
Supported Deployment Modes
The DualDAR solution is an add-on to the Knox Platform for Enterprise (KPE) and is available in the following configurations.
Knox Workspace
In this configuration the enterprise enables an end user's personal device for work by creating a container (Workspace). All work data is secured inside the Workspace. An EMM agent acts as Profile Owner (PO) and manages only the container, with limited control of the device outside the Workspace. All data inside the Workspace is dually encrypted after DualDAR is enabled.
Knox Workspace on a fully managed device
In this configuration the enterprise manages the entire device, including the Workspace container on it. With this setup there are two instances of an EMM agent: one runs as Device Owner (DO) and manages the entire device, the other runs as Profile Owner (PO) and manages the Workspace. All data inside the Workspace is dually encrypted after DualDAR is enabled.
Authentication
To access DualDAR protected data, the end user must authenticate to each layer, device and Workspace, separately. Customers can enable DualDAR in either deployment mode, Knox Workspace or Knox Workspace on a fully managed device, as described above.
Both deployment modes require the end user to provide a first password to authenticate to the device and a second password to authenticate to the Knox Workspace. IT admins can set a separate password policy for each password and enforce distinct complexity, length, history and other requirements for each layer. Both passwords are chosen by the user within the restrictions of the IT admin's password policy.
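As an added illustration, not Samsung's implementation and not any Knox SDK API, the following Go program models the two encryption layers, the data lock and the two-credential unlock described above: each layer has a per-file data key wrapped with AES-GCM-256 under a KEK tied to its own credential, locking evicts both keys from memory, and reading requires both the device and the Workspace credential. Every name in it (DualDARStore, layer, kekFrom and the rest) is hypothetical. Two stand-ins are labelled in the code: AES-CTR replaces the AES-XTS bulk cipher the page names, because Go's standard library has no XTS mode, and a single HMAC replaces the password KDF; neither changes the layering being shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrLocked = errors.New("data lock: keys evicted, authenticate to both layers")

// kekFrom stands in for a real password KDF (PBKDF2, scrypt, Argon2); a single HMAC is not one.
func kekFrom(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(password))
	return mac.Sum(nil) // 32 bytes: an AES-256 KEK
}

// gcmFor is the AES-GCM-256 cipher that wraps a layer's file key under its KEK.
func gcmFor(kek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kek) // every key in this model is 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// layer persists a salt, IV and GCM-wrapped file key (12-byte nonce prefixed);
// fileKey exists in memory only while the layer is unlocked.
type layer struct{ salt, iv, wrapped, fileKey []byte }

func newLayer(password string) layer {
	l := layer{salt: make([]byte, 16), iv: make([]byte, 16)}
	nonce, fileKey := make([]byte, 12), make([]byte, 32)
	for _, b := range [][]byte{l.salt, l.iv, nonce, fileKey} {
		rand.Read(b)
	}
	l.wrapped = gcmFor(kekFrom(password, l.salt)).Seal(nonce, nonce, fileKey, nil)
	return l // fileKey is not retained: the layer starts locked
}

// unlock fails the GCM tag check when the credential is wrong, so a bad
// password yields an error and never a bogus key.
func (l *layer) unlock(password string) (err error) {
	w := l.wrapped
	l.fileKey, err = gcmFor(kekFrom(password, l.salt)).Open(nil, w[:12], w[12:], nil)
	return err
}

// evict zeroes and drops the key, putting the layer back in the data lock state.
func (l *layer) evict() { clear(l.fileKey); l.fileKey = nil }

// crypt is this layer's bulk encryption. AES-CTR stands in for the AES-XTS the
// page describes (Go's standard library has no XTS); CTR is its own inverse.
func (l *layer) crypt(data []byte) []byte {
	block, _ := aes.NewCipher(l.fileKey)
	out := make([]byte, len(data))
	cipher.NewCTR(block, l.iv).XORKeyStream(out, data)
	return out
}

// DualDARStore models Workspace CE storage: layers[0] is the outer layer under
// the device credential, layers[1] the inner layer under the Workspace credential.
type DualDARStore struct{ layers [2]layer }

func NewDualDARStore(devicePw, workspacePw string) *DualDARStore {
	return &DualDARStore{[2]layer{newLayer(devicePw), newLayer(workspacePw)}}
}

func (s *DualDARStore) Unlocked() bool { return s.layers[0].fileKey != nil && s.layers[1].fileKey != nil }

// Lock is the data lock state entered on device reboot or data lock timeout.
func (s *DualDARStore) Lock() { s.layers[0].evict(); s.layers[1].evict() }

// Unlock needs both credentials; if either is rejected, no key stays behind.
func (s *DualDARStore) Unlock(devicePw, workspacePw string) error {
	for i, pw := range []string{devicePw, workspacePw} {
		if err := s.layers[i].unlock(pw); err != nil {
			s.Lock()
			return err
		}
	}
	return nil
}

// Encrypt dual-encrypts work data, inner (Workspace) layer first, then outer.
func (s *DualDARStore) Encrypt(plain []byte) ([]byte, error) {
	if !s.Unlocked() {
		return nil, ErrLocked
	}
	return s.layers[0].crypt(s.layers[1].crypt(plain)), nil
}

func (s *DualDARStore) Decrypt(blob []byte) ([]byte, error) {
	if !s.Unlocked() {
		return nil, ErrLocked
	}
	return s.layers[1].crypt(s.layers[0].crypt(blob)), nil
}
```

An Unlock call with only one correct credential leaves the store locked with no key in memory, and Decrypt after Lock returns ErrLocked even though the ciphertext is still at hand; that is the data lock state the page describes. Peeling only the outer layer with the device credential would yield the inner layer's ciphertext rather than the work data, which is the single point of failure the second layer removes.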
DualDAR Licensing
Samsung Knox DualDAR is offered as an add-on to Knox Platform for Enterprise (KPE). Customers that need DualDAR can purchase a KPE-DualDAR license, and receive KPE-DualDAR features in addition to all KPE Premium features. Customers that don't need DualDAR can simply purchase a KPE license. Customers that have already deployed KPE and want to add DualDAR to their existing license can do so by asking their account team to add the DualDAR permission to that license. This avoids the need to activate a new KPE-DualDAR license.
High-Level Provisioning Overview
IT admins using their Enterprise Mobility Management (EMM) solution can enable DualDAR during provisioning for both Knox Workspace and Knox Workspace on a fully managed device. The Knox Workspace on a fully managed device configuration requires the device to be factory reset prior to provisioning (unless the device is new). The IT admin first provisions a DO with an EMM agent and then creates a Knox Workspace on the fully managed device. As part of Knox Workspace creation, the IT admin can enable DualDAR.
For the Knox Workspace configuration, the IT admin enables an end user's personal device for work by creating a container (Workspace). As part of Knox Workspace creation, the IT admin can enable DualDAR. Once provisioned, all data inside the Workspace is DualDAR protected. For the end user or IT admin to disable DualDAR, the device must be factory reset or the Workspace must be removed.