Knox can control how a device connects to the network, including restricting phone and data functionality to fit your business needs. For example, the screenshot below shows how to create a single-purpose device that can only receive incoming calls and data; outgoing calls and data are blocked. This is useful where only one-way communication is needed.
The Knox Network Platform Analytics (NPA) framework gives insight into device misuse, misconfiguration, and threats. Network security products consume NPA telemetry to increase the visibility of device health and lower the risk of undetected issues. Because NPA reports flow metadata rather than payloads, this is achieved without exposing the content of the data transmitted across mobile and enterprise networks. NPA not only helps detect network issues; it also identifies the endpoint device and application behind each flow.
Read more about NPA in the Knox White Paper.
Requirements
Samsung's release partner for NPA is Cisco. Cisco's network security products can interface with Knox NPA to provide endpoint visibility of Knox devices. Because the telemetry is gathered on the device, this visibility is preserved even when a VPN encrypts the endpoint's traffic on the wire. The insights are exposed to admins in the Cisco Stealthwatch console, and remediation steps are performed via Cisco ISE.
Other Knox partners are preparing NPA-based solutions to help solve other common problems associated with mobile device deployments.
Features
Container configuration | Device type | Available data flows
---|---|---
Knox 2.8 or 2.9 container | CL device | Observes only apps inside the container, provided the MDM agent is installed outside the container and the NPA client inside it.
Android Enterprise or Knox 3.0 container as PO (user 10) | BYO device | Observes only apps inside the container, provided the MDM agent and the NPA client are both installed inside the container.
Android Enterprise or Knox 3.0 container as DO (user 0) | CL device | Device-wide observation when no container is present.
Android Enterprise* or Knox 3.0 container as both DO and PO (user 0 and user 10) | CL device | Device-wide observation, provided the MDM agent and the NPA client are both installed outside the container.

* Support for Android Enterprise in this configuration starts with the Knox 3.2 release.

CL = corporate-liable, BYO = bring your own device; DO = Android device owner (the primary user, user 0), PO = profile owner (the work profile, user 10). Where the MDM agent and the NPA client are installed determines the scope of what NPA can observe, so check the placement against this table before deployment.
Samsung Knox can set firewalls to help you manage incoming and outgoing traffic. Read more about Firewall management in the Knox White Paper.
Here are some examples of the types of firewalls you can set:
For example, the screenshot below allows the S Browser to exchange traffic only with a specific IP range. Knox firewall rules are scoped per package, so other apps are unaffected unless they are given rules of their own.
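The S Browser restriction above, written against the Knox SDK Firewall API as an added example (this is not code from the Knox documentation): an allow rule for the permitted range plus a deny rule for everything else, both scoped to the browser's package. The Android Context, the browser package name com.sec.android.app.sbrowser and the range 192.168.1.0/24 are assumptions, as is the precedence of allow over deny rules for the same package; the calling MDM agent must hold a Knox licence and device admin/owner rights or the SDK throws SecurityException.

```java
// Added example, not from the Knox documentation page.
import android.content.Context;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

public final class BrowserFirewall {
    // Assumed package name of the S Browser (Samsung Internet) on this fleet.
    private static final String BROWSER_PKG = "com.sec.android.app.sbrowser";
    // Constructed example range the browser is allowed to talk to.
    private static final String ALLOWED_RANGE = "192.168.1.0/24";

    /** Returns true when both rules were accepted and the firewall is enabled. */
    public static boolean restrictBrowser(Context context) {
        EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
        Firewall firewall = edm.getFirewall();

        // Allow rule: browser <-> 192.168.1.0/24, any port, both directions.
        FirewallRule[] allow = firewall.createRules(FirewallRule.RuleType.ALLOW, Firewall.AddressType.IPV4);
        allow[0].setIpAddress(ALLOWED_RANGE);
        allow[0].setPortNumber("*");
        allow[0].setPackageName(BROWSER_PKG);
        allow[0].setDirection(Firewall.Direction.ALL);

        // Deny rule: browser <-> everything else. Other packages keep their normal access.
        // Assumption: the allow rule takes precedence over this deny rule for the same
        // package; confirm on a test device before rollout.
        FirewallRule[] deny = firewall.createRules(FirewallRule.RuleType.DENY, Firewall.AddressType.IPV4);
        deny[0].setIpAddress("*");
        deny[0].setPortNumber("*");
        deny[0].setPackageName(BROWSER_PKG);
        deny[0].setDirection(Firewall.Direction.ALL);

        // Check each response: a rejected rule leaves the browser unrestricted or fully cut off.
        if (!accepted(firewall.addRules(allow)) || !accepted(firewall.addRules(deny))) {
            return false;
        }
        // Rules are inert until the firewall itself is switched on.
        return firewall.enableFirewall(true) && firewall.isFirewallEnabled();
    }

    private static boolean accepted(FirewallResponse[] responses) {
        for (FirewallResponse r : responses) {
            if (r.getResult() != FirewallResponse.Result.SUCCESS) {
                return false;
            }
        }
        return true;
    }
}
```

Leaving `setPortNumber("*")` is deliberate: the page's restriction is on the address range, not the service. Tighten it to `"443"` if the internal service is HTTPS only, and remember that a rule for the browser does nothing for WebView-based apps, which carry their own package name.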
Knox allows you to strictly control Wi-Fi on your devices. You can enable / disable features such as:
For example, the screenshot below shows a Wi-Fi configuration with strict settings. Wi-Fi hotspots and automatic connections are disallowed, and the minimum Wi-Fi security level is set to WPA, so the device refuses open and WEP networks. This prevents users from connecting to public and insecure networks.
You can also turn off Wi-Fi background scanning, if your MDM supports this feature. Background scanning keeps the radio probing for networks while the user is not using Wi-Fi, which both widens the device's exposure to nearby attackers and lets apps use scan results for location tracking.
Knox allows you to strictly control Bluetooth on your devices. You can enable / disable features such as:
You can even maintain a whitelist/blacklist of service UUIDs, so that only specific hardware or Bluetooth profiles can connect. In the example below we have:
One feature worth disabling is a user's ability to share files via Bluetooth. Disabling it prevents users from using the built-in "Share via" function on Android, as shown below.
You can also turn off Bluetooth background scanning, if your MDM supports this feature. As with Wi-Fi, this keeps the radio from advertising and scanning while idle, reducing exposure to nearby attackers and to scan-based tracking.
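The strict Wi-Fi and Bluetooth settings described in the two sections above, pushed from an MDM agent with the Knox SDK, as an added example (not code from the Knox documentation). The Android Context, the choice of permitted Bluetooth profiles, and the availability of each call in the device's Knox version are assumptions; the background-scanning toggles are omitted because, as the page says, their availability depends on the MDM.

```java
// Added example, not from the Knox documentation page.
import android.content.Context;

import java.util.Arrays;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.bluetooth.BluetoothPolicy;
import com.samsung.android.knox.net.wifi.WifiPolicy;
import com.samsung.android.knox.restriction.RestrictionPolicy;

public final class RadioLockdown {
    // Bluetooth SIG 16-bit service UUIDs expanded with the Bluetooth base UUID.
    private static final String BT_BASE = "-0000-1000-8000-00805f9b34fb";
    // OPP (Object Push Profile) is what "Share via" uses to send files.
    private static final String OBEX_OBJECT_PUSH = "00001105" + BT_BASE;
    // Audio profiles a headset or car kit needs (assumed to be the business need here).
    private static final String A2DP_SOURCE = "0000110a" + BT_BASE;
    private static final String HANDSFREE_AUDIO_GATEWAY = "0000111f" + BT_BASE;

    /** Applies every setting and returns false if any call was rejected. */
    public static boolean apply(Context context) {
        EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
        WifiPolicy wifi = edm.getWifiPolicy();
        BluetoothPolicy bt = edm.getBluetoothPolicy();
        RestrictionPolicy restriction = edm.getRestrictionPolicy();

        boolean ok = true;
        // Wi-Fi: refuse open and WEP networks, never auto-join, no hotspot,
        // and stop the user loosening any of it from Settings.
        ok &= wifi.setMinimumRequiredSecurity(WifiPolicy.LEVEL_WPA);
        ok &= wifi.setAutomaticConnectionToWifi(false);
        ok &= wifi.setAllowUserPolicyChanges(false);
        ok &= restriction.setWifiTethering(false);

        // Bluetooth: enforce the UUID lists, permit only the audio profiles,
        // explicitly block object push, and disable file transfer and PAN tethering.
        ok &= bt.activateBluetoothUUIDRestriction(true);
        ok &= bt.addBluetoothUUIDsToWhiteList(Arrays.asList(A2DP_SOURCE, HANDSFREE_AUDIO_GATEWAY));
        ok &= bt.addBluetoothUUIDsToBlackList(Arrays.asList(OBEX_OBJECT_PUSH));
        ok &= bt.setAllowBluetoothDataTransfer(false);
        ok &= restriction.setBluetoothTethering(false);
        return ok;
    }
}
```

Each Knox policy call returns a boolean rather than throwing, so the `ok &=` chain is the only signal that a setting was refused; log and alert on a false result rather than assuming the device is locked down. The blacklist entry for OPP is redundant while the whitelist is active, but it keeps file sharing blocked if an admin later clears the whitelist.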
Near Field Communication (NFC) allows your device to communicate with NFC peripherals. Knox gives direct control over the NFC chip embedded in the device. This feature is typically enabled by default and can be disabled with a policy.
Message capture
Knox 3.2 allows IT admins to capture and record SMS, RCS and MMS messages, including attached multimedia files. In many industries, such as financial services, the ability to record and audit sent and received messages is required by law.
SMS
Knox provides many advanced SMS policies. Policies frequently used by organizations include:
You can manage browser settings to help you control your data. For example, with Knox you can specify a proxy to route all browser traffic through. Using an enterprise proxy can help:
In the example below, all browser traffic is routed through the proxy at 192.168.1.67:80.
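The browser proxy setting above, applied with the Knox SDK BrowserPolicy, as an added example (not code from the Knox documentation). Setting a proxy only tells the browser where to send traffic; to make it a control rather than a suggestion, the example also adds a Knox firewall rule so the browser can reach nothing but the proxy. The Android Context, the proxy address and the browser package name are assumptions.

```java
// Added example, not from the Knox documentation page.
import android.content.Context;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.browser.BrowserPolicy;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

public final class BrowserProxy {
    // Constructed example proxy, in the host:port form the API expects.
    private static final String PROXY_HOST = "192.168.1.67";
    private static final String PROXY_PORT = "80";
    private static final String PROXY = PROXY_HOST + ":" + PROXY_PORT;
    // Assumed package name of the S Browser (Samsung Internet).
    private static final String BROWSER_PKG = "com.sec.android.app.sbrowser";

    /** Points the browser at the proxy and verifies the setting stuck. */
    public static boolean setProxy(Context context) {
        BrowserPolicy browser = EnterpriseDeviceManager.getInstance(context).getBrowserPolicy();
        if (!browser.setHttpProxy(PROXY)) {
            return false;
        }
        // Read it back: a silently ignored policy is worse than a failed one.
        return PROXY.equals(browser.getHttpProxy());
    }

    /** Enforces the proxy: the browser may only open connections to the proxy host and port. */
    public static boolean enforceProxyOnly(Context context) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();

        FirewallRule[] allow = firewall.createRules(FirewallRule.RuleType.ALLOW, Firewall.AddressType.IPV4);
        allow[0].setIpAddress(PROXY_HOST);
        allow[0].setPortNumber(PROXY_PORT);
        allow[0].setPackageName(BROWSER_PKG);
        allow[0].setDirection(Firewall.Direction.OUTPUT);

        FirewallRule[] deny = firewall.createRules(FirewallRule.RuleType.DENY, Firewall.AddressType.IPV4);
        deny[0].setIpAddress("*");
        deny[0].setPortNumber("*");
        deny[0].setPackageName(BROWSER_PKG);
        deny[0].setDirection(Firewall.Direction.OUTPUT);

        for (FirewallResponse r : firewall.addRules(allow)) {
            if (r.getResult() != FirewallResponse.Result.SUCCESS) return false;
        }
        for (FirewallResponse r : firewall.addRules(deny)) {
            if (r.getResult() != FirewallResponse.Result.SUCCESS) return false;
        }
        return firewall.enableFirewall(true);
    }
}
```

Without the firewall half, a user who can reach the browser's settings, or a site that instructs the browser to connect directly, bypasses the proxy and its filtering. With it, any direct connection attempt fails at the device, which is the behaviour an audit expects from "all browser traffic goes through the proxy".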
See Knox Workspace: Enterprise billing for information on this topic.