Back to top

Security requirements

This section describes the implementation requirements that are necessary to comply with the VPN Security Requirements Guide (SRG).

The following behaviors must be implemented to comply with the VPN SRG rules:

  1. When any of the following violations are found during IKE, a warning notification must be displayed in the status bar and the VPN connection must be suspended:
    • Subject name mismatch violation
    • Key usage violation
    • Revocation verification failed
  2. When the user opens the VPN notification on the status bar, an alert dialog is displayed that shows the reason for the failure and offers the user the choice of whether to allow or deny the VPN connection:
  3. If a certificate has more than one violation, itemize each of the reasons for the violation in a single message box.
  4. If the user chooses to allow the connection, then the VPN service skips validating this set of violations (for this time only).
  5. If the user chooses to deny the connection, then the VPN connection fails and traffic is blocked from any packages that belong to the VPN profile.
  6. The user’s decision to whether to allow or deny a VPN connection only applies to VPN connections in which a violation is identified. If a violation is identified in a different VPN connection, the user receives a separate notification. In other words, a user grants permission for an individual VPN connection to proceed in the case where violations are found in multiple VPN connections.
  7. The alert dialog message can contain only the reason for the violation.
  8. To handle certificate validation failure prompts, the MDM API setServerCertValidationUserAcceptanceCriteria(), whose interface is defined in IKnoxVpnService.aidl, can be used to enable/disable certificate validation based on the condition set

VPN checklist

You must complete the following questions and return your answers to Samsung Knox Product Management at knoxvpn@sisa.samsung.com once your implementation is complete.

  1. List the APIs that your app supports from IKnoxVpnService.aidl.
  2. List the JSON parameters supported in the vendor section.
  3. How many instances does the VPN client support:
    • 1 per user
    • 1 per device
    • Multiple per-user
  4. What type of VPN service do you support?
  5. Generic VPN service (For backwards compatibility and to support Knox 2.0 devices)
  6. Android VPN service with generic VPN context (Best option for Knox 2.2 (and above) devices)
  7. When will you release the client software and which version of the client software supports Knox?
  8. Is the VPN Client going to act as a Knox MDM as well?
  9. Is the VPN Client an Admin application?
  10. If a bug is present, whom do we contact in Tech support?
  11. If a bug is present, how will you collect the relevant logs?
  12. Is the EULA Model supported??
  13. What is the package name of your Application?
  14. Is UID/PID feature supported?
  15. How many tunnels do you support per instances?
  16. Define your Test Server setup.
  17. Do you support Auto-retry behavior?

On this page

Is this page helpful?