NPA EMM integration
This feature was deprecated in API level 35 with Knox SDK v3.8.
EMMs that provide an agent for managing enterprise devices can integrate with the NPA framework to help identify risks. The device-side part of the EMM's role in the NPA system is to provide an NPA profile for each enterprise device. The profile is pushed to the device as a JSON message and defines which data flows the NPA client on that device is allowed to observe.
Requirements
- The Samsung Knox SDK
- Devices running Knox 2.8 or newer
- An NPA client installed on the device
- The Knox NPA permission, NetworkAnalyticsConstants.NETWORK_ANALYTICS_PERMISSION_NPA
In the context of a Knox container deployment, Android user 0 (the personal side of the device, outside the Work Profile) is referred to here as the Device Owner.
The Framework Interface
These calls provide an interface to the NPA framework. See the Knox SDK API reference for complete API details, including the error codes each call can return.
Method | Signature | Description
---|---|---
getNetworkAnalytics() | public NetworkAnalytics getNetworkAnalytics(); | Returns the NetworkAnalytics instance.
registerNetworkMonitorProfile() | public int registerNetworkMonitorProfile(String jsonProfile); | Registers a profile configuration. Once registered, the profile lets the NPA client start and stop observing data flows according to the JSON configuration. See the NPA reference and glossary for JSON format details.
unregisterNetworkMonitorProfile() | public int unregisterNetworkMonitorProfile(String profileName); | Unregisters a profile configuration so the NPA framework stops sending data points for that profile to the NPA client.
getNetworkMonitorProfiles() | public List<String> getNetworkMonitorProfiles(); | Retrieves the names of the registered profiles.
isProfileActivated() | public int isProfileActivated(String profileName); | Reports whether or not a profile is activated.
Create a Device Profile in the JSON Format
Part of the process by which the NPA client works with the NPA framework on a mobile device involves assigning a profile to the device. The profile must define the following:
- The profile name
- The package name of the app which is designated as the NPA client
- The approved NPA data flows for observation
- A vendor-supplied configuration binary encoded in base64
The EMM agent must describe the profile configuration using the following JSON format during profile registration.
{
  "NETWORK_ANALYTICS_PARAMETERS": {
    "profile_attribute": {
      "profile_name": "gen_profile",
      "package_name": "com.samsung.test.networkmonitor_denali",
      "package_signature": "308201e5...",
      "flags": 0
    },
    "vendor": {}
  }
}
- profile_name: The name of the profile assigned to this managed device.
- package_name: The package of the app the EMM designates to observe the data flows (the NPA client).
- package_signature: The signature (hex-encoded signing certificate) of the NPA client that the EMM authorizes to observe the data flows. The following snippet shows how an app computes its own signature for the JSON that registers the profile:

import android.content.pm.PackageManager;
import android.content.pm.Signature;

// First signer of the calling package; toCharsString() yields the hex form expected in package_signature
Signature sign = this.getPackageManager()
        .getPackageInfo(this.getPackageName(), PackageManager.GET_SIGNATURES)
        .signatures[0];
String packageSignature = sign.toCharsString();

Note that PackageManager.GET_SIGNATURES is deprecated from Android 9 (API 28), where GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo are the replacement. Because the framework authorizes the client by this signature and not by package name alone, compute it from the APK that is actually deployed; a repackaged app with the same package name but a different signing key will not match.
- flags: The set of data flows the EMM authorizes the NPA client to observe, expressed as a bitmask. If flags is 0 or 524287, all data flows can be observed. The difference is that 0 also allows observation of data flows that may be introduced in a future release, whereas 524287 (0x7FFFF, all 19 bits set) limits observation to the set of data flows defined as of the Knox 3.0 release. To select only certain data flows, bitwise-OR the value of each desired flag; see the NetworkAnalyticsConstants.DataPoints class for the list of values. For example, to allow observation of the data flows brecv, dst and hostname, the flags value is 41, calculated as follows:

0000000000000000001 | 0000000000000001000 | 0000000000000100000 = 0000000000000101001
(1 | 8 | 32 = 41)
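The profile construction, the flag arithmetic and a pre-push sanity check for the JSON format above, as an added example written for this page rather than code from the Knox SDK or any EMM. It runs on the EMM side (or any host) in Python. The three bit values are the ones quoted above; every other bit value must be taken from NetworkAnalyticsConstants.DataPoints. The package name, signature prefix and vendor config used in the usage at the bottom are constructed placeholders, not real values.

```python
"""Build and sanity-check a Knox NPA profile before the EMM pushes it to a device.

Added example for this page; not Samsung's or any EMM vendor's code.
"""
import base64
import binascii
import json
import re

ALL_FLOWS_KNOX_3_0 = 524287   # 0x7FFFF: the 19 data-flow bits defined as of Knox 3.0
ALL_FLOWS_ANY_RELEASE = 0     # 0: every flow, including ones added in later releases

# Bit values stated on the page for three data points. Assumption: the full list,
# which lives in NetworkAnalyticsConstants.DataPoints, is not reproduced here.
DATA_POINT_BITS = {"brecv": 1, "dst": 8, "hostname": 32}

_PKG_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def build_flags(names, bits=DATA_POINT_BITS):
    """Bitwise-OR the bit for each named data flow, as the page describes."""
    flags = 0
    for name in names:
        if name not in bits:
            raise KeyError(f"unknown data point {name!r}; look it up in DataPoints")
        flags |= bits[name]
    return flags


def build_profile(profile_name, package_name, package_signature, flags, vendor_config=b""):
    """Return the profile as JSON text in the NETWORK_ANALYTICS_PARAMETERS format."""
    vendor = {}
    if vendor_config:
        vendor["config"] = base64.b64encode(vendor_config).decode("ascii")
    doc = {
        "NETWORK_ANALYTICS_PARAMETERS": {
            "profile_attribute": {
                "profile_name": profile_name,
                "package_name": package_name,
                "package_signature": package_signature,
                "flags": flags,
            },
            "vendor": vendor,
        }
    }
    return json.dumps(doc, indent=2)


def validate_profile(json_text):
    """Return a list of problems; an empty list means the profile looks well-formed."""
    problems = []
    try:
        doc = json.loads(json_text)
    except ValueError as exc:  # a missing comma in a hand-written profile lands here
        return [f"not valid JSON: {exc}"]
    params = doc.get("NETWORK_ANALYTICS_PARAMETERS") if isinstance(doc, dict) else None
    if not isinstance(params, dict):
        return ["missing NETWORK_ANALYTICS_PARAMETERS object"]
    attr = params.get("profile_attribute", {})
    for key in ("profile_name", "package_name", "package_signature", "flags"):
        if key not in attr:
            problems.append(f"profile_attribute.{key} is missing")
    if "package_name" in attr and not _PKG_RE.match(str(attr["package_name"])):
        problems.append("package_name is not a valid Android package name")
    if "package_signature" in attr:
        sig = str(attr["package_signature"])
        # Signature.toCharsString() is the hex of the DER certificate: even-length hex
        # beginning with 0x30 (ASN.1 SEQUENCE).
        if not (_HEX_RE.match(sig) and len(sig) % 2 == 0 and sig[:2] == "30"):
            problems.append("package_signature is not hex DER; use Signature.toCharsString()")
    if "flags" in attr:
        flags = attr["flags"]
        if not isinstance(flags, int) or isinstance(flags, bool):
            problems.append("flags must be an integer")
        elif flags < 0 or flags & ~ALL_FLOWS_KNOX_3_0:
            problems.append("flags sets bits outside the 19 Knox 3.0 data-flow bits (0..524287)")
    cfg = params.get("vendor", {}).get("config") if isinstance(params.get("vendor"), dict) else None
    if cfg is not None:
        try:
            base64.b64decode(cfg, validate=True)
        except (binascii.Error, ValueError, TypeError):
            problems.append("vendor.config is not valid base64")
    return problems


if __name__ == "__main__":
    # Constructed placeholders: not a real package, certificate or vendor configuration.
    flags = build_flags(["brecv", "dst", "hostname"])          # 41
    profile = build_profile("gen_profile", "com.example.npaclient",
                            "308201e5" + "ab" * 4, flags, b"<config/>")
    print(profile)
    print("problems:", validate_profile(profile))
```

A practitioner would run validate_profile on every profile before registerNetworkMonitorProfile(), because the device-side call only reports an integer status. The check that flags stays inside the 19-bit range catches a value such as 1 << 19 that the Knox 3.0 set does not define, and the hex-DER check on package_signature catches a value pasted from the wrong source (a base64 or fingerprint form rather than toCharsString() output).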
Example Profile and JSON Message
The following example message details an NPA monitoring profile. In this example, the flags value 65535 is the one used for the Cisco AnyConnect (NVM) app. The // annotations are explanatory only and must not appear in the message that is actually registered, since JSON has no comment syntax. This example also omits profile_name, which the format above lists as required; include it in a real profile.
{
  "NETWORK_ANALYTICS_PARAMETERS": {
    "profile_attribute": {
      "package_name": "com.cisco.anyconnect.vpn.android.avf",   // Cisco NVM package name
      "package_signature": "3aouiydsoa324askdfja7wiejtr10984ajnoqwh...audhf",   // Cisco NVM package signature
      "flags": 65535   // value used by Cisco NVM AnyConnect for all of its data flows
    },
    "vendor": {
      "config": "WE1MX1dpbGxfQmVfrW5jb2RlZF9IZXJlCg=="
    }
  }
}
Supported Use Cases
This section provides several examples of how observing data flows is impacted by the configuration of the EMM agent, the NPA client, the container, and their privileges.
Observe Data Flows From Apps Installed in User 0
The following steps explain how to observe data from all the apps and associated processes installed in user 0.
- To observe the network activity of the device, the NPA client must be installed in user 0.
- The EMM agent must also be installed in user 0.
- Get the NetworkAnalytics instance from EnterpriseKnoxManager.
- Register the profile.

import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.net.nap.NetworkAnalytics;

private EnterpriseKnoxManager mKm = null;
private NetworkAnalytics mNap = null;

// jsonProfile holds the profile JSON described above
mKm = EnterpriseKnoxManager.getInstance(this.getApplicationContext());
mNap = mKm.getNetworkAnalytics();
int result = mNap.registerNetworkMonitorProfile(jsonProfile);   // status code; see the API reference

You can unregister the profile by calling NetworkAnalytics.getNetworkMonitorProfiles() to retrieve the profile name and then calling NetworkAnalytics.unregisterNetworkMonitorProfile() with that name.
Observe Data Flows From Apps Installed Device Wide
When the EMM agent and NPA client are both installed in user 0, it is possible to observe all available data flows on the device. The difference from the previous case is one extra call: obtain a NetworkAnalytics instance for the container from KnoxContainerManager as well as the device-owner instance from EnterpriseKnoxManager, and register the profile on both.
- Get the NetworkAnalytics instances from EnterpriseKnoxManager and KnoxContainerManager.
- Register the profile on each instance.

import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.nap.NetworkAnalytics;

private EnterpriseKnoxManager mKm = null;
private NetworkAnalytics mNap = null;    // device owner (user 0)
private NetworkAnalytics mCNap = null;   // container

// jsonProfile holds the profile JSON described above; $container_id is the target container's ID
mKm = EnterpriseKnoxManager.getInstance(this.getApplicationContext());
mNap = mKm.getNetworkAnalytics();
KnoxContainerManager mcm = mKm.getKnoxContainerManager($container_id);
mCNap = mcm.getNetworkAnalytics();
mNap.registerNetworkMonitorProfile(jsonProfile);
mCNap.registerNetworkMonitorProfile(jsonProfile);

You can unregister the profile by calling NetworkAnalytics.getNetworkMonitorProfiles() to retrieve the profile name and then calling NetworkAnalytics.unregisterNetworkMonitorProfile() with that name on each instance.
Observe Data Flows From Apps Installed in the CL Container or the Knox COM Container Only
In this configuration, the EMM agent is installed in user 0 and the NPA client is installed inside the container.
- Get the NetworkAnalytics instance from KnoxContainerManager.
- Register the profile configuration.

import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.nap.NetworkAnalytics;

private EnterpriseKnoxManager mKm = null;
private NetworkAnalytics mNap = null;

// jsonProfile holds the profile JSON described above; $container_id is the target container's ID
mKm = EnterpriseKnoxManager.getInstance(this.getApplicationContext());
KnoxContainerManager mcm = mKm.getKnoxContainerManager($container_id);
mNap = mcm.getNetworkAnalytics();
mNap.registerNetworkMonitorProfile(jsonProfile);

You can unregister the profile by calling NetworkAnalytics.getNetworkMonitorProfiles() to retrieve the profile name and then calling NetworkAnalytics.unregisterNetworkMonitorProfile() with that name.
Observe Data Flows From Apps Installed in PO or on a BYO Device Container
Data flow observation can be limited to the container on a BYO device when both the EMM agent and the NPA client are installed inside the container.
- Get the NetworkAnalytics instance from KnoxContainerManager.
- Register the profile configuration.

import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.nap.NetworkAnalytics;

private EnterpriseKnoxManager mKm = null;
private NetworkAnalytics mNap = null;

// jsonProfile holds the profile JSON described above; $container_id is the target container's ID
mKm = EnterpriseKnoxManager.getInstance(this.getApplicationContext());
KnoxContainerManager mcm = mKm.getKnoxContainerManager($container_id);
mNap = mcm.getNetworkAnalytics();
mNap.registerNetworkMonitorProfile(jsonProfile);

You can unregister the profile by calling NetworkAnalytics.getNetworkMonitorProfiles() to retrieve the profile name and then calling NetworkAnalytics.unregisterNetworkMonitorProfile() with that name.