Network management
Network and data control
Knox can control how a device connects to the network. This includes restricting both phone or data functionality to fit your business needs. For example, this screenshot below demonstrates how to create a single purpose device that can only receive incoming calls and data – outgoing calls and data are blocked. This is useful in situations where only one way communication is needed.
Network Platform Analytics
The Knox Network Platform Analytics (NPA) framework enables insights into device misuse, misconfiguration, and threats. The framework is used by powerful networking products to increase the visibility of device health and lower the risk of undetected issues. This is all achieved without violating the privacy of the data being transmitted across mobile and enterprise networks. NPA not only helps detect network issues, but it also helps with endpoint devices and software.
Read more about NPA in the Knox White Paper.
Requirements
- An updated MDM console which allows the enterprise IT admin to select an NPA client and administer NPA functions.
- An updated MDM agent which supports the Knox NPA framework.
Samsung’s release partner for NPA is Cisco. Cisco's network security products can now interface with Knox NPA to provide endpoint visibility of Knox devices. This visibility can be achieved even when a VPN is encrypting endpoint traffic. These insights can be exposed to admins via the Cisco StealthWatch console and remediated steps performed via Cisco ICE.
Other Knox partners are preparing NPA-based solutions to help solve other common problems associated with mobile device deployments.
Features
| Container configuration | Device type | Available data flows | |
|---|---|---|---|
| Knox 2.8 or 2.9 container | CL device | Only observe apps that are inside the container so long as the MDM agent is installed outside the container and the NPA client is installed inside the container. | |
| Android Enterprise or Knox 3.0 container as PO (user 10) | BYO device | Only observe apps that are inside the container so long as the MDM agent and NPA client are both installed inside the container. | |
| Android Enterprise or Knox 3.0 container as DO (user 0) | CL device | Device-wide data observation when no container is present. | |
|
Android Enterprise* or Knox 3.0 container as both DO and PO (user 0 and user 10) |
CL device | Device-wide data observation so long as the MDM agent and the NPA client are both outside the container. | |
| * Support for Android Enterprise in this configuration is available starting in the Knox 3.2 release. | |||
Firewalls
Samsung Knox can set firewalls to help you manage incoming and outgoing traffic. Read more about Firewall management in the Knox White paper.
Here are some examples of the types of firewalls you can set:
- IPs and ports: Only allow specific IPs or ports on your network.
- Domain based firewalls: Only allow traffic from certain domains.
- DNS Settings: Specify a domain server address of all apps or registered app.
For example, this Screen shot below only allows traffic in the S browser from a very specific IP range.
Wi-Fi
Knox allows you to strictly control Wi-Fi on your devices. You can enable / disable features such as:
- Wi-Fi
- Wi-Fi Direct
- Wi-Fi auto connection
For example, this screenshot below shows a Wi-Fi configuration with strict settings. Wi-Fi hotspots and auto connections are disallowed. There is also a Wi-Fi minimum security level set to WPA. This prevents users from connecting to public and insecure networks.
You can also turn off Wi-Fi Background scanning, if your MDM supports this feature. This can be used to prevent any attacks that attempt to hijack background processes.
Bluetooth
Knox allows you to strictly control Bluetooth on your devices. You can enable / disable features such as:
- PC connection
- Data transfer
- Search mode
- Tethering
You can even control a UUID white-list/black-list for specific hardware or protocols. In this example below we have:
- Allowed: Bluetooth audio head sets
- Blocked: Bluetooth-based file transfers that could leak data.
One feature that is important to consider disabling is a users ability to share files via Bluetooth. Disabling this prevents users from using the built in 'share-via" function on Android as shown below.
You can also turn off Bluetooth Background scanning, if your MDM supports this feature. This can be used to prevent any malicious attacks that attempt to highjack background processes.
NFC
Near Field Communications (NFC) allows your device to communicate with NFC peripherals. Knox enables direct control of the NFC chip embedded in your device. This feature is typically enabled by default and can be disabled with a policy.
NOTE - Due to hardware requirements, NFC can only be turned on or off for the whole device. For example, it is not possible to activate NFC only inside the Workspace.
SMS / MMS / RCS
Message capture
Knox 3.2 allows IT Admins to capture and record SMS / RCS and MMS messages (including attachable multimedia files). For many industries, such as the financial services, the ability to record and audit sent and received messages is required by law.
SMS
Knox provides many advanced SMS policies. Policies frequently used by organizations include:
- Adding an automatic company disclaimer to the bottom of every outgoing text.
- Restricting number of texts per day.
- Auditing and recording all incoming/outgoing SMS messages.
Browser Proxy settings
You can manage browser settings to help you control your data. For example, with Knox you can specify a proxy URL to run all your browser traffic through. Using a enterprise proxy can help:
- Increase security by limiting terrific to a predefined set of IP ranges.
- Control employee internet usage.
- Balance load on company servers.
In this example below, all browser traffic is routed through the following IP: 92.168.1.67:80.
NOTE - This feature only works on Chrome and Samsung Internet.
Enterprise billing (Dual APN)
See Knox Workspace: Enterprise billing for information on this topic.