This section provides information on managing run-time protection processes embedded in the Knox Platform for Enterprise. Note that this is not an exhaustive list of all Knox features, but rather a starting point for IT Admins to use when deploying devices. Check with your MDM for a full list of supported features.
Knox helps keep your data safe with a series of secure boot-time protection processes.
After booting, various run-time protections continue to monitor the device.
IT admins do not have to manage any specific settings regarding these processes. These features are built into the device hardware and software in the factory. For security reasons, they cannot be modified with an MDM or any equivalent management policies.
However, take note of the following topics. They can help you manage the software on your devices and ensure that the boot-time and run-time processes operate properly.
Samsung Enterprise Firmware-Over-The-Air is an enterprise solution that controls OS versions on Samsung mobile devices to maximize cost efficiency and to ensure the latest security patches are deployed to devices on schedule. IT admins can test updates before deployment, ensuring compatibility between in-house apps and new OS versions. Check if your MDM supports E-FOTA. Read more about device software update management in the Knox White Paper.
NOTE – Samsung E-FOTA requires a separate license key.
In this example below, we are using E-FOTA and Knox Manage to push the Android 7.1.1 firmware to our device fleet. Notice how we have selected Force as the Firmware update type. This option prevents the user from canceling the update.
With policies you can protect your devices from unintended firmware updates. Here are some options.
You can specify whether the Android security policy is updated automatically or only by user input.
Admins use Device Health Attestation to check if a mobile device's runtime state has been compromised. A device check is initiated by either:
There are several actions you can take if a problem is detected.
For example, here are the above options available in Knox Manage.
Most MDMs allow you to check devices to ensure they remain in compliance with your company policies. For example, Knox Manage allows you to check many properties, such as when a policy was last pushed or whether a Knox container is currently active.
You can enable or disable the logs used for deeper forensic analysis of a device. Audit Log also provides additional features for managing logging, such as enabling and disabling it, retrieving the current log size, and retrieving the log file itself.
Each message will appear as a line on the log file like the following example:
1424494060432 5/4/1/3938/0/NetdCallbackReceiver/Linkstate Wi-Fi hotspot
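As an added example (not Samsung's code), a small Python parser for lines in this format. The positional layout (epoch-millisecond timestamp, five numeric fields, a component name, then a free-text message) is taken from the line above; the field names severity, group, outcome, pid and uid are my assumption, as are the two extra constructed sample lines.

```python
"""Parser for Knox Audit Log lines of the form shown on the page.

Field names after the timestamp are ASSUMED (severity/group/outcome/pid/uid/
component/message); only the positional layout comes from the page's example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample log: the first line is the page's own example, the others are made up.
SAMPLE_LOG = """\
1424494060432 5/4/1/3938/0/NetdCallbackReceiver/Linkstate Wi-Fi hotspot
1424494061000 1/1/0/2011/1000/PackageInstaller/Install failed: com.example.app
garbage line that should be rejected
"""


@dataclass
class AuditEvent:
    timestamp: datetime   # converted from epoch milliseconds to UTC
    severity: int         # assumed meaning of field 1
    group: int            # assumed meaning of field 2
    outcome: int          # assumed meaning of field 3
    pid: int              # assumed meaning of field 4
    uid: int              # assumed meaning of field 5
    component: str
    message: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one line; return None for malformed input instead of raising."""
    try:
        ts_text, rest = line.strip().split(" ", 1)
        # The message may contain spaces or further '/', so split at most six times.
        fields = rest.split("/", 6)
        if len(fields) != 7:
            return None
        numeric = [int(f) for f in fields[:5]]
        ts = datetime.fromtimestamp(int(ts_text) / 1000, tz=timezone.utc)
    except ValueError:
        return None
    return AuditEvent(ts, *numeric, component=fields[5], message=fields[6])


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Return every well-formed event in a retrieved log file, in file order."""
    return [e for e in (parse_audit_line(l) for l in text.splitlines()) if e]


def malformed_lines(text: str) -> List[str]:
    """Non-empty lines the parser rejected: worth reviewing for truncation or tampering."""
    return [l for l in text.splitlines() if l.strip() and parse_audit_line(l) is None]
```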
App Permission Monitor is a feature that provides device users with alerts when apps attempt to access a predefined permission while in background mode. This can be used inside and outside of the Knox Workspace. End users can now receive alerts specific to when apps attempt to access predefined permissions in the Knox Workspace.
The following features are available for IT admins:
The Samsung Knox warranty bit is a security feature that detects when unofficial software has been installed on your phone. This helps prevent malicious attempts to access your data.
The Knox Warranty Bit detects if a non-Knox kernel has been loaded onto the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. triggered). If a non-Knox boot loader or kernel is installed on the device, Knox can no longer guarantee the security of the Knox Workspace. As a result, the Warranty Bit is triggered to 0X1, indicating that this device can no longer use the Knox Workspace service.
If the Knox bit has been triggered:
Everything else outside the Workspace should be the same as before.
To know whether the Warranty Bit has been activated, please follow the next steps:
If the Warranty Bit is fired, the device displays Knox WARRANTY VOID: 0x01.
If that is the case, there is no way to revert the Warranty Bit and Knox won't work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.
To find out what version of the Knox platform your device is running, go to: Settings > About Device > Software Information > Knox Version. To identify the SDK version that corresponds with the Knox API Level of your target devices, see the Knox version mapping table on SEAP.
Use these Samsung Insights posts to learn more about securing mobile devices.