The following section provides an overview of the topics an IT admin should consider when planning an enterprise deployment.
The first step in deploying Samsung Knox devices is to decide on both an MDM solution and an appropriate architecture. These selections are beyond the scope of this document. There are many approaches to configuring the management infrastructure, from on-premises servers to cloud to hybrid approaches combining the two. The specifics of this architecture should be discussed with your chosen MDM vendor.
The MDM you choose needs to support the Samsung Knox features required by your business use cases. The more complete the vendor's Knox support, the more device capabilities you can control as your business grows or changes.
Here is a high-level example of the deployment process in a typical enterprise environment.
| Component | Description |
|---|---|
| MDM | The MDM secures, monitors, manages and supports the mobile devices deployed across the organization. Controlling and protecting the data and configuration settings of every mobile device on the network reduces security risk. As part of the MDM, an app (usually called an Agent) is installed on the mobile device. The Agent enforces the policies pushed by the MDM server and communicates back to it, sending status information and logs for review. |
| Secure Tunnel Termination | A VPN tunnel should be established between the managed Android devices and the enterprise environment to prevent unauthorized access to enterprise resources. The connection should be authenticated with certificates deployed on the Android devices. Ideally, mutual authentication is used: the Android device authenticates itself to the gateway with a certificate, and the gateway authenticates itself to the device with its own certificate. Mutual authentication prevents devices from connecting to an unauthorized (rogue) gateway and, in the other direction, prevents untrusted devices from logging into the enterprise environment. |
| Directory Services | Directory services store, organize and provide access to directory information such as user and group accounts. |
| Business Applications | Business applications let enterprise users perform or access the business tasks relevant to their requirements. This may include management tools, accounting utilities and contact management software. |
| Certificate Services | Certificate services manage all certificate needs throughout the enterprise environment. This includes issuing the Android device user certificates needed to establish secure communications through the VPN. Certificate services may be provided by a third party instead of a stand-alone internal service. |
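As an added illustration of the mutual authentication described under Secure Tunnel Termination (example code written for this page, not Samsung's or any MDM vendor's), the following Go program stands up an in-memory enterprise CA, issues certificates to a gateway and to a device, and runs TLS handshakes over loopback for each trust combination: a managed device against the enterprise gateway, the same device against a rogue gateway, and an unmanaged device against the enterprise gateway with and without mutual authentication. The gateway hostname vpn.example.internal, the device names and the use of plain TLS in place of a full VPN stack are assumptions for the example; a real deployment terminates a VPN protocol at the gateway, but the certificate checks on both sides are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const gatewayName = "vpn.example.internal" // assumed gateway hostname (not from the page)

// identity is a certificate plus its private key, as the enterprise CA would
// provision onto a managed device or onto the VPN gateway.
type identity struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tlsCert tls.Certificate
}

// issue returns a self-signed CA (parent nil) or an end-entity cert for cn signed by parent.
func issue(cn string, isCA bool, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // cannot fail for these fixed inputs
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf usable for both gateway (server) and device (client) authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing our own DER cannot fail
	return &identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// connect runs the gateway on a loopback listener, connects the device to it and reads one
// message through the tunnel. The gateway trusts device certs issued by gatewayCA, the device
// trusts gateway certs issued by deviceCA; clientAuth decides whether the gateway demands and
// verifies a device cert. A nil result means both ends accepted each other.
func connect(gateway, device, gatewayCA, deviceCA *identity, clientAuth tls.ClientAuthType) error {
	gwTrust, devTrust := x509.NewCertPool(), x509.NewCertPool()
	gwTrust.AddCert(gatewayCA.cert)
	devTrust.AddCert(deviceCA.cert)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{gateway.tlsCert}, ClientCAs: gwTrust, ClientAuth: clientAuth, MinVersion: tls.VersionTLS12}
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			_, err = tls.Server(raw, srvCfg).Write([]byte("ok")) // Write drives the handshake, including device cert verification
		}
		srvErr <- err
	}()
	cliCfg := &tls.Config{Certificates: []tls.Certificate{device.tlsCert}, RootCAs: devTrust, ServerName: gatewayName, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return fmt.Errorf("device: %w", err) // gateway cert does not chain to a CA the device trusts
	}
	defer conn.Close()
	if _, err = conn.Read(make([]byte, 2)); err != nil { // under TLS 1.3 the gateway's rejection of the device cert surfaces here
		return fmt.Errorf("device: %v; %v", err, <-srvErr)
	}
	return <-srvErr
}

func main() {
	ca, rogueCA := issue("Enterprise Root CA", true, nil), issue("Rogue CA", true, nil)
	gw, dev := issue(gatewayName, false, ca), issue("device-001", false, ca)
	rogueGW, rogueDev := issue(gatewayName, false, rogueCA), issue("unmanaged", false, rogueCA)
	fmt.Println("managed device -> enterprise gateway:", connect(gw, dev, ca, ca, tls.RequireAndVerifyClientCert))
	fmt.Println("managed device -> rogue gateway:", connect(rogueGW, dev, rogueCA, ca, tls.RequireAndVerifyClientCert))
	fmt.Println("unmanaged device -> gateway, mutual TLS:", connect(gw, rogueDev, ca, ca, tls.RequireAndVerifyClientCert))
	fmt.Println("unmanaged device -> gateway, one-way TLS:", connect(gw, rogueDev, ca, ca, tls.NoClientCert))
}
```

The last scenario is the one to watch for: with one-way TLS the gateway accepts a device it never issued a certificate to, because only the device is checking certificates. Requiring and verifying a client certificate at the gateway closes that path; conversely, a device configured to trust only the enterprise CA refuses a rogue gateway that presents a certificate with the right hostname but the wrong issuer.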
The next step to deploying devices is to decide on the amount of separation required between work data and personal data.
Before you set up your devices in your environment, you need to define your business use cases. What are you deploying your devices for and what restrictions or policies will you need to set? These questions are important to answer, as Knox Platform for Enterprise has over 1000 policies that you can apply, depending on your needs.
These configuration options change how Android and Knox separate personal and enterprise data. They also change how policies interact with the device and the overall level of management and control.
Device configurations in an enterprise are typically one of the following:
Choosing the correct MDM policies is crucial to ensure that your security requirements are covered adequately. The policies used are completely up to the enterprise, and depend on the amount of control and security required.
For example, the image below depicts an MDM console and the policy "enable to disable the installation of applications from untrusted sources".
Here is an example of a device set up for an employee in the financial industry. This device has been configured with a number of policies that strictly control sent and received messages and prevent data leakage.
| Category | Policy | Effect |
|---|---|---|
| Device data protection (data at rest) | Require On Device Encryption (ODE) | Data on the device is encrypted with AES-256. |
| Device data protection (data in transit) | SMS / MMS and RCS capture | All messages sent or received are recorded for audit. |
| Application management (the device provides security functions to manage device software) | Application resource restrictions | All work apps run inside the Knox Workspace. |
| Application management | Disable Google Play | Any personal app needs IT approval before it can be installed. |
| Access control (reduces mobile user permissions and helps prevent unauthorized access) | Device lock | The device locks automatically after a defined period of inactivity (1 to 60 minutes), limiting access to device functions except those explicitly authorized, such as emergency calls. |
| Access control | Credential complexity | Forces users to set a complex credential, for example a PIN of at least 6 digits. |
| Access control | Hotspot control | Devices cannot be configured for hotspot sharing. |
| Enterprise device management (administrators can control and audit mobile endpoint configurations and wipe devices if needed) | Remote wipe | An enterprise administrator can send a command to the device to wipe all local storage and the SD card. |
Once you have considered the above material, you can begin to provision user devices. The following list provides some of the most common configuration items for a mobile device:
Even after devices are provisioned, it is important to always be aware of which OS version they are running and when device updates are available. Monthly and quarterly security updates include patches for Android OS security issues released by Google, as well as patches for Samsung-specific security issues. Information on new Samsung device updates and patches can be found on the Samsung Security blog.
Several pieces of information identify the device in use and the components on it, such as the operating system version and the build version. These are all listed under Settings > About device. The following version information can be found there:
Samsung Android devices ship with a large number of apps to provide the full breadth of functionality customers expect. Some of the apps come from Google, some from Samsung, and others from the cellular carrier. Take note of which apps come preinstalled on your devices; you may need to audit them before deploying the devices to users.
To verify the versions of any software on the device (compared to the list from the website), open Settings > Application manager. Under the heading All, you will see every application on the device (both those that are pre-installed and any you have installed). Selecting an application will display its properties. The version number is shown at the top under the name.
Once a device has been deployed, it may be desirable to accept updates to the software on the device to take advantage of the latest and greatest features of Samsung Android. Updates are provided for devices as determined by Samsung and the carriers based on many factors.
When updates are made available, they are signed by Samsung with a private key that is unique to the device/carrier combination (i.e. a Galaxy S9 on Verizon won't have an update signed with the same key as a Galaxy S9 on AT&T). The public key is embedded in the bootloader image, and is used to verify the integrity and validity of the update package.
When updates are made available for a specific device (they are generally rolled out in phases across a carrier network), the user will be prompted to download and install the update. The update package is checked automatically for integrity and validity by the software on the device. If the check fails, the user is informed that there were errors in the update and the update was not installed.
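To make the integrity check concrete, here is an added example (written for this page, not Samsung's code) of the verification flow the two paragraphs above describe: one release key per device/carrier combination, the public half embedded in the bootloader, and a package that is accepted only if its signature verifies under that key. Ed25519 stands in for the signature scheme Samsung actually uses, which the page does not name; the package layout (payload followed by a detached signature), the model and carrier names, and the payload bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// signingKey is one release-signing key pair. Samsung holds one per
// device/carrier combination, so a Galaxy S9 on Verizon and a Galaxy S9 on
// AT&T are signed with different keys. Ed25519 is an assumption for the
// example; the page does not name the real algorithm.
type signingKey struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigningKey() signingKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return signingKey{pub, priv}
}

// signPackage appends a detached signature over the update payload, so the
// distributed package is payload || signature.
func signPackage(k signingKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(k.priv, payload)...)
}

// bootloader models the device-side verifier. The only public key it knows is
// the one embedded at build time for its model/carrier combination.
type bootloader struct {
	model, carrier string
	embeddedKey    ed25519.PublicKey
}

var errRejected = errors.New("update package failed integrity/validity check; update not installed")

// verifyUpdate splits a package into payload and signature and returns the
// payload only if the signature verifies under the embedded key. A package
// that was modified in transit, or signed for a different model/carrier,
// fails here and the user is told the update was not installed.
func (b bootloader) verifyUpdate(pkg []byte) ([]byte, error) {
	if len(pkg) < ed25519.SignatureSize {
		return nil, fmt.Errorf("%w: %s/%s: package too short to carry a signature", errRejected, b.model, b.carrier)
	}
	cut := len(pkg) - ed25519.SignatureSize
	payload, sig := pkg[:cut], pkg[cut:]
	if !ed25519.Verify(b.embeddedKey, payload, sig) {
		return nil, fmt.Errorf("%w: %s/%s", errRejected, b.model, b.carrier)
	}
	return payload, nil
}

func main() {
	verizon, att := newSigningKey(), newSigningKey()
	s9Verizon := bootloader{"Galaxy S9", "Verizon", verizon.pub}
	payload := []byte("constructed OTA payload for illustration") // constructed sample, not a real image
	pkg := signPackage(verizon, payload)

	_, err := s9Verizon.verifyUpdate(pkg)
	fmt.Println("genuine Verizon package:", err)
	tampered := append([]byte{}, pkg...)
	tampered[5] ^= 0x01 // one flipped bit in the payload
	_, err = s9Verizon.verifyUpdate(tampered)
	fmt.Println("tampered package:", err)
	_, err = s9Verizon.verifyUpdate(signPackage(att, payload))
	fmt.Println("AT&T-signed package on a Verizon device:", err)
}
```

Two of the rejections are worth noting separately: a single flipped payload bit fails exactly like a fully forged package, and an otherwise genuine AT&T package fails on the Verizon device because the bootloader holds only the Verizon public key. That is the property the per-carrier signing keys described above give you: another carrier's signed image cannot be installed through this check.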
With a policy, it is possible to allow only Firmware Over the Air (FOTA) updates on the device. Other methods of installing updates (such as Odin or Samsung Kies) are blocked and cannot be used to update the firmware. This protects against local, physical attacks that could alter the software without the user's knowledge.
It is also possible to block FOTA updates on a device by setting allowOTAUpgrade() to false via the MDM. This can be used either to freeze the installed software or to give the organization time to test an update before letting it roll out to the user community.
These Samsung Insights posts provide more information on mobile enterprise strategies.