This section outlines some basic requirements to consider when deploying devices in an enterprise. It is a helpful starting point for IT admins who may not be as familiar with enterprise configurations and architecture.
The first step in deploying Samsung Knox devices is to decide on both an MDM solution and an appropriate enterprise architecture. These selections are beyond the scope of this document. There are many approaches to how management infrastructure can be configured, from on-premises servers to cloud to hybrid approaches combining the two. The specifics of this architecture should be discussed with your MDM solution vendor of choice.
Certificates should be implemented as a means of authenticating to enterprise services. These may include:
- Secure tunnel termination.
- Facilitating secure communications through a VPN.
Certificates can be provided by a third party or created by the organization itself.
In an enterprise deployment, Google provides three modes of Android Enterprise: Work Profile, Managed Device, and Fully Managed Device with Work Profile.
You can read more about these implementations and how they relate to Knox on the About Workspace page.
Choosing the correct MDM policies is crucial to ensure your security requirements are covered adequately.
For example, the image below shows an MDM console and the policy that controls whether users can install apps from untrusted sources. Disabling this option ensures that only apps approved by the IT admin can be installed, which helps prevent accidental installation of malicious content.
| Security consideration | Security policy |
|---|---|
| Data protection - Provide functionality to protect data at rest and data in transit. | Require On Device Encryption (ODE) - Encrypt data on the device using AES 256. |
| | SMS / MMS and RCS capture - All messages sent or received are recorded for audit. |
| | Require VPN - Use a VPN any time work data is accessed or transmitted on the device. |
| App Management - Provide functionality to manage device apps. | Application resource restrictions - All work apps run inside the Knox Workspace. |
| | Disable Google Play - Any personal app needs IT approval before it can be installed. |
| Access Control - Implement access control to reduce user permissions and assist in reducing unauthorized access. | Device lock - The device locks automatically after a defined period of inactivity (1 to 60 minutes), limiting access to device functions except those that are explicitly authorized, such as emergency calls. |
| | Credential complexity - Forces users to set a complex password. For example, a 6 digit PIN. |
| | Hotspot Control - Devices cannot be configured to use hotspot sharing. |
| Network monitoring - Control and audit mobile endpoint configurations. | Enable logs and auditing - Monitor and generate records related to security-relevant events within the device. |
| Disaster recovery - Protect data in the event of a lost or stolen device. | Remote wipe - Track devices from the MDM and remotely wipe all local storage and the SD card. |
If two similar policies are applied to a device, which one takes precedence?
If a device is managed by two MDMs, or if it is managed by an MDM and also by EAS policies, the stricter policy takes precedence.
For example, let's say two different password policies are pushed to a device on the same day.
The stricter MDM policy takes precedence. In this case, it is policy 1.
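As an added illustration of the precedence rule above (example code, not from the page or from Samsung), the following script folds the password and device-lock policies pushed by several management sources into the one the device should enforce. It assumes strictness is decided field by field, and the field names are constructed for the example rather than taken from any MDM or Knox API.

```python
from dataclasses import dataclass

# Constructed example: a small subset of the password/device-lock fields an
# MDM might push. The field names are assumptions, not Knox or MDM API names.
@dataclass(frozen=True)
class LockPolicy:
    source: str                 # which MDM (or EAS) pushed this policy
    min_length: int             # minimum credential length (higher = stricter)
    require_alphanumeric: bool  # complexity flag (True = stricter)
    lock_after_minutes: int     # inactivity timeout, 1..60 (lower = stricter)
    max_failed_attempts: int    # failures before lockout (lower = stricter)

    def __post_init__(self):
        if not 1 <= self.lock_after_minutes <= 60:
            raise ValueError(f"{self.source}: lock timeout must be 1-60 minutes")
        if self.min_length < 1 or self.max_failed_attempts < 1:
            raise ValueError(f"{self.source}: length and attempt count must be >= 1")

def stricter(a: LockPolicy, b: LockPolicy) -> LockPolicy:
    """Merge two policies field by field so that the stricter value wins."""
    return LockPolicy(
        source=f"{a.source}+{b.source}",
        min_length=max(a.min_length, b.min_length),
        require_alphanumeric=a.require_alphanumeric or b.require_alphanumeric,
        lock_after_minutes=min(a.lock_after_minutes, b.lock_after_minutes),
        max_failed_attempts=min(a.max_failed_attempts, b.max_failed_attempts),
    )

def effective_policy(policies: list) -> LockPolicy:
    """Fold every pushed policy into the single policy the device must enforce."""
    if not policies:
        raise ValueError("at least one policy is required")
    result = policies[0]
    for p in policies[1:]:
        result = stricter(result, p)
    return result

def violations(policy: LockPolicy, credential: str, lock_minutes: int) -> list:
    """List the ways a proposed credential and lock timeout fall short of the policy."""
    problems = []
    if len(credential) < policy.min_length:
        problems.append(f"credential shorter than {policy.min_length}")
    has_alpha = any(c.isalpha() for c in credential)
    has_digit = any(c.isdigit() for c in credential)
    if policy.require_alphanumeric and not (has_alpha and has_digit):
        problems.append("credential must contain both letters and digits")
    if lock_minutes > policy.lock_after_minutes:
        problems.append(f"lock timeout exceeds {policy.lock_after_minutes} minutes")
    return problems
```

With an MDM policy of (8 characters, alphanumeric, 5-minute lock, 10 attempts) and an EAS policy of (6 characters, no complexity, 15-minute lock, 5 attempts), `effective_policy` yields 8 characters, alphanumeric, 5 minutes and 5 attempts.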
Provisioning devices is the last step in the enterprise deployment journey. This is when you apply all of the security principles listed above and then physically give the device to the user.
This list outlines the most common steps taken when provisioning a device for the first time.
These Samsung Insights posts provide more information on mobile enterprise strategies.