The Samsung Knox Platform
Samsung’s Knox Platform brings defense-grade security on the most popular consumer devices to all enterprises. The Knox Platform provides best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features commonplace in the mobile device market. The Knox Platform is the cornerstone of a strong mobile security strategy supporting a wide variety of Samsung devices.
Why use the Knox Platform?
The Knox platform helps you and your enterprise avoid the security gaps common on many mobile platforms. Knox received strong ratings in 25 of 28 categories in Gartner’s December 2017 Mobile OSs and Device Security: A Comparison of Platforms and has received strong ratings for the last three years in a row.
The Knox Platform's security hardening supports every aspect of mobile device operation. The Knox Platform enables trust in your mobile endpoints with advanced features like Samsung's patented Real-Time Kernel Protection (RKP) that stands as one of the best kernel protection technologies available from any mobile device vendor. The Knox Platform ensures IT admins can securely bulk deploy the best mobile device hardware, and quickly integrate with existing business infrastructure and apps.
Key benefits for enterprises
- Easily meet your organization's security and compliance requirements, by providing solid platform integrity, strong data protection, and fine-grained policy enforcement.
- Seamlessly activate and manage Knox Platform features through an Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) system.
- Flexibly support infrastructure, deployment, and management requirements, through centralized remote device control, advanced VPN management, app whitelisting and blacklisting, and granular policies that control all aspects of Samsung devices.
- Effortlessly upgrade from Android Enterprise, leveraging a comprehensive set of Knox Platform benefits without affecting existing deployments.
- Securely deploy the innovative Samsung Desktop Experience (DeX) in new work environments, unifying mobile and desktop computing on one device.
The Knox Platform's cutting-edge security technology continues to be widely adopted and proven by numerous government, security, and financial agencies throughout the world. Samsung continually works with global government organizations and international regulatory bodies to meet a wide range of certification requirements designed to protect public safety and consumer privacy.
Knox Platform differentiators
The Knox Platform provides a robust set of features that are a superset of features on top of the basic Android platform, to fill security and management gaps, resolve pain points identified by enterprises, and meet the strict requirements of highly regulated industries. The following summarizes the key differentiating features:
For a quick overview of how these features compare across different platforms, see Feature Comparison.
Learn how the Knox Platform provides an industry-leading ecosystem of products and services to secure devices and ease management.
The Knox Platform defends against security threats and protects enterprise data through layers of security built on top of a hardware-backed trusted environment.
- Trusted environment — A trusted environment separates security-critical code from the rest of the operating system. This ensures sensitive operations, such as encryption and decryption of data, are performed by trusted processes isolated and protected from attack. Trusted environments perform integrity checks prior to executing any software. This enables it to detect malicious modifications of the trusted environment or the software running inside.
- Hardware-backed — A trusted environment is hardware-backed if hardware protections isolate the environment from the rest of the running system. This isolation ensures that vulnerabilities in the main operating system don't directly affect the security of the trusted environment. The environment also ties integrity checks of the software running in the trusted environment to cryptographic signatures stored in the device hardware. Hardware-backed integrity checks prevent an attacker from exploiting software vulnerabilities to bypass protections and load unapproved software into the trusted environment.
The Knox Platform uses a hardware-backed trusted environment, and the specific components depend on the device hardware. For example, ARM processors provide a Trusted Execution Environment (TEE) that leverages components such as ARM TrustZone, ARM Hypervisor Mode, and embedded Secure Elements. Knox features that use the trusted environment include:
- Real-time Kernel Protection (RKP)
- Device Health Attestation
- Sensitive Data Protection (SDP)
- Network Platform Analytics (NPA)
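The two properties described above, integrity checks before any stage of software runs and a check that is tied to a key held in hardware, can be seen in a small model. The following is an added example written for this page, not Samsung's code: the hardware-fused key, the stage images and the chain are all constructed, and an HMAC with a hardware-held key stands in for the asymmetric signature check a real TEE performs, so that the example runs on the Python standard library alone.

```python
"""Simplified model of a hardware-backed boot-time integrity check.

Added example (not Samsung's code). Assumptions: a device-unique key is
fused into hardware at manufacture and readable only by the trusted
environment, and every boot stage carries a tag computed with that key
over its contents. Real devices use asymmetric signatures checked inside
a TEE; HMAC with a hardware-held key stands in for that here so the
example runs on the standard library alone.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the per-device key held in hardware.
HARDWARE_FUSED_KEY = hashlib.sha256(b"constructed example fuse value").digest()


@dataclass(frozen=True)
class Stage:
    name: str     # e.g. "bootloader", "kernel"
    image: bytes  # the code that would be executed
    tag: bytes    # authenticator over name + image, produced with the fused key


def sign_stage(name: str, image: bytes, key: bytes = HARDWARE_FUSED_KEY) -> Stage:
    """Manufacturer side: attach the tag the device will check at boot."""
    tag = hmac.new(key, name.encode() + image, hashlib.sha256).digest()
    return Stage(name, image, tag)


def verify_stage(stage: Stage, key: bytes = HARDWARE_FUSED_KEY) -> bool:
    """Device side: recompute the tag with the hardware key, compare in constant time."""
    expected = hmac.new(key, stage.name.encode() + stage.image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, stage.tag)


@dataclass
class BootResult:
    trusted: bool
    failed_stage: Optional[str]
    measurements: dict  # stage name -> SHA-256 of the image that was checked


def boot(stages: list) -> BootResult:
    """Check each stage before it would run; stop at the first failure.

    Measurements are recorded as the chain advances; they are the material a
    later attestation report would carry.
    """
    measurements = {}
    for stage in stages:
        measurements[stage.name] = hashlib.sha256(stage.image).hexdigest()
        if not verify_stage(stage):
            return BootResult(False, stage.name, measurements)
    return BootResult(True, None, measurements)


def sensitive_data_available(result: BootResult) -> bool:
    """Lockdown rule: any failure in the chain withholds sensitive data."""
    return result.trusted


def sample_chain() -> list:
    """Constructed two-stage chain as the manufacturer would ship it."""
    return [sign_stage("bootloader", b"bootloader v1"), sign_stage("kernel", b"kernel v1")]


def tampered_chain() -> list:
    """Same chain with the kernel image modified but its original tag kept."""
    good = sample_chain()
    return [good[0], Stage("kernel", b"kernel v1 with extra module", good[1].tag)]


if __name__ == "__main__":
    for chain in (sample_chain(), tampered_chain()):
        r = boot(chain)
        print(r.trusted, r.failed_stage, sensitive_data_available(r))
```

The point of the model is the failure path: a modified image fails verification before it runs, the chain stops at that stage, and the recorded measurements still show which stage was checked, which is what an attestation consumer would use to decide whether to trust the device.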
The Knox Platform uses app isolation to prevent rogue apps from intentionally or inadvertently accessing unauthorized data. The Knox Platform provides several forms of app isolation to create a protected app container space on Samsung devices. Each option is based on the same core isolation technology, called Security Enhancements for Android (SE for Android). SE for Android is an integration of SELinux and Android, expanded to cover Android components and design paradigms. The Knox Platform offers these options:
- Android Enterprise on Samsung devices — Android Enterprise provides app isolation through Work Profiles. These work profiles provide basic isolation of enterprise apps from personal apps. When using Android Enterprise on Samsung devices, Knox features like Real-time Kernel Protection (RKP), secure enterprise productivity apps, and hardware-backed secure storage of certificates/keys are available, making Android Enterprise even better on Samsung devices.
- Knox Workspace — The Knox Workspace builds on Android Enterprise by providing additional security and management enhancements. Specifically, the Knox Workspace benefits from hardware-backed integrity checks. These checks detect any tampering of the device or its security protections and lock down the Knox Workspace to protect confidential data. The Knox Workspace also supports Sensitive Data Protection (SDP), encrypting data during device runtime and decrypting only after the device user authenticates to unlock the Knox Workspace. Furthermore, the Knox Workspace provides more granular device management, for example, forced two-factor authentication for the Knox Workspace, the use of enterprise Active Directory credentials for authentication, and managed import and export of enterprise data in the Knox Workspace.
- SE for Android Management Service (SEAMS) — With SEAMS, you can isolate a single app or a small set of trusted apps by locking them down in the same container. App containers created with SEAMS provide the same benefits as the Knox Workspace. Unlike the first two options, however, SEAMS containers have no special GUI. Apps in a SEAMS container appear with the rest of the apps on the device, but are differentiated with a shield badge to show that they're isolated and protected from apps not sharing their container. You can create as many of these SEAMS containers as you want on the fly.
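All three options above rest on the same mechanism: type enforcement, where every process and file carries a label and nothing is allowed without an explicit rule. The following added example models that mechanism in Python; it is not Samsung's or the SE for Android project's policy, and the domain and type names (untrusted_app, container_*_app, container_*_data_file) are hypothetical. It also emits an AVC-style audit line for each decision, since denials of this kind are what a defender looks for in device logs.

```python
"""Type-enforcement model in the style of SELinux / SE for Android.

Added example (not Samsung's policy; domain and type names are hypothetical).
Every process carries a domain label and every file a type label, nothing is
permitted unless an explicit allow rule matches (default deny), and each
container gets labels of its own, so cross-container access would need a
rule that simply does not exist.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    source: str       # process domain
    target: str       # object type
    cls: str          # object class, e.g. "file"
    perms: frozenset  # permissions granted, e.g. {"read", "write"}


class Policy:
    def __init__(self) -> None:
        self.rules = set()

    def allow(self, source: str, target: str, cls: str, *perms: str) -> None:
        self.rules.add(Rule(source, target, cls, frozenset(perms)))

    def check(self, source: str, target: str, cls: str, perm: str) -> bool:
        """Default deny: access is granted only by an explicit matching rule."""
        return any(
            r.source == source and r.target == target and r.cls == cls and perm in r.perms
            for r in self.rules
        )


def app_domain(container: Optional[str]) -> str:
    """Personal-side apps share one domain; each container gets its own."""
    return "untrusted_app" if container is None else f"container_{container}_app"


def data_type(container: Optional[str]) -> str:
    """Data files are typed by the container that owns them."""
    return "app_data_file" if container is None else f"container_{container}_data_file"


def build_policy(containers) -> Policy:
    """Grant each domain access to its own data only; nothing crosses containers."""
    policy = Policy()
    policy.allow("untrusted_app", "app_data_file", "file", "read", "write")
    for c in containers:
        policy.allow(app_domain(c), data_type(c), "file", "read", "write")
    # Deliberately no rule joins one container's domain to another's data type.
    return policy


def access(policy: Policy, app_container: Optional[str],
           data_container: Optional[str], perm: str) -> Tuple[bool, str]:
    """Decide an access and emit an AVC-style audit line a SOC could alert on."""
    scontext, tcontext = app_domain(app_container), data_type(data_container)
    granted = policy.check(scontext, tcontext, "file", perm)
    line = (f"avc: {'granted' if granted else 'denied'} {{ {perm} }} "
            f"scontext=u:r:{scontext}:s0 tcontext=u:object_r:{tcontext}:s0 tclass=file")
    return granted, line


if __name__ == "__main__":
    policy = build_policy(["workspace", "seams1"])
    for case in [("workspace", "workspace"), (None, "workspace"), ("seams1", "workspace")]:
        print(access(policy, case[0], case[1], "read")[1])
```

Adding a new container is just a new pair of labels plus one rule; the isolation between containers comes from the absence of rules, not from code that checks for "other" containers, which is why a default-deny policy scales to as many SEAMS containers as an admin creates.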
With the Knox Workspace, enterprises can deploy additional security and management policies to enforce requirements, such as those needed to work within highly regulated industries such as finance, healthcare, and government.
Protecting personal and enterprise data on mobile devices can be done through a rich set of Knox features including:
- User authentication — Samsung Knox devices support not just password, PIN, and pattern authentication but also the latest biometric authentication: fingerprints, iris, face, and Intelligent Scan. Options are available for both device lockscreen authentication and separate Knox Workspace authentication. Through the Knox Platform, you can enforce two-factor authentication for the Knox Workspace or require enterprise AD credentials to ensure stronger data protection.
- Encryption of device data — Samsung Knox devices provide data encryption through Sensitive Data Protection that binds to the hardware-backed Root of Trust and user authentication. This encryption ensures data is decrypted only on the device where the data is stored, and only by the device owner. This Knox Platform model also ensures that any tampering of the device locks down access to sensitive data, preventing decryption and malicious access.
- Encryption of network data — Samsung Knox devices offer the widest selection of advanced VPN features, providing the ability to configure a separate VPN for the Knox Workspace as well as for individual apps, to reinforce data isolation even further. Knox also offers always-on VPN, on-demand VPN, on-premise VPN bypass, HTTP proxy over VPN, multiple active tunnels, strict data leakage controls, and VPN chaining or cascading.
- Device tracking, locking, and erasing — Samsung Knox devices offer the ability to track, geofence, and automatically lock devices based on events and security policies. For example, a device that leaves a specified geographic perimeter is locked, wiped of data, or reset to factory defaults.
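The encryption-of-device-data item above makes three claims: data decrypts only on the device it is stored on, only for the authenticated owner, and not at all once the device is found to be tampered. The following added example models those three bindings; it is not Samsung's SDP implementation. The device secrets, salt and credential are constructed, the boot integrity state is passed in as a boolean, and a SHA-256 counter-mode keystream stands in for the AES-GCM a hardware keystore would provide, so the block runs on the standard library alone.

```python
"""Model of data protection keyed to both the device and its user.

Added example (not Samsung's SDP implementation). Assumptions: the trusted
environment holds a device-unique secret that never leaves it, the boot
integrity state is available as a boolean, and the user's unlock credential
is mixed into the key derivation, so ciphertext is useless off-device or
without the owner. The stream cipher is a SHA-256 counter-mode keystream used
as a stand-in for AES-GCM so the example needs only the standard library;
it is for illustration, not for protecting real data.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholders for two devices' hardware-held secrets.
DEVICE_SECRET = hashlib.sha256(b"constructed device A secret").digest()
OTHER_DEVICE_SECRET = hashlib.sha256(b"constructed device B secret").digest()


def derive_data_key(device_secret: bytes, credential: str, salt: bytes) -> bytes:
    """Key = f(device secret, user credential): change either and the key changes."""
    user_key = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)
    return hmac.new(device_secret, b"sdp-data-key" + user_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over key || nonce || counter (not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, key: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key never yields plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("tag mismatch: wrong device, wrong credential, or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def read_sensitive(blob: bytes, credential: str, salt: bytes,
                   device_secret: bytes = DEVICE_SECRET, boot_trusted: bool = True) -> bytes:
    """Release path: integrity state is checked before a key is even derived."""
    if not boot_trusted:
        raise PermissionError("device integrity compromised: sensitive data locked")
    return unseal(blob, derive_data_key(device_secret, credential, salt))


def try_read(*args, **kwargs) -> Optional[bytes]:
    """Convenience wrapper: None instead of an exception when access is refused."""
    try:
        return read_sensitive(*args, **kwargs)
    except PermissionError:
        return None


if __name__ == "__main__":
    salt = b"constructed-salt"
    blob = seal(b"quarterly forecast", derive_data_key(DEVICE_SECRET, "owner-passcode", salt))
    print(try_read(blob, "owner-passcode", salt))
    print(try_read(blob, "owner-passcode", salt, device_secret=OTHER_DEVICE_SECRET))
    print(try_read(blob, "owner-passcode", salt, boot_trusted=False))
```

Note the ordering in read_sensitive: the integrity state is consulted first, so a tampered device never performs the key derivation at all, which is the lockdown behaviour the text describes rather than an encryption failure discovered afterwards.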
Device management and deployment
Enterprises with tens, hundreds, or thousands of employee mobile devices need to manage them easily, securely, and efficiently. Through MDM systems, enterprise IT admins can use a web console to centrally and remotely manage devices over-the-air. IT admins can control Samsung Knox devices comprehensively, managing device features with ease.
This management is possible through the Samsung Knox SDK, which offers over 1500 APIs for granular and flexible control over Samsung devices. This functionality is on top of the basic APIs offered through the Android SDK, providing a more powerful superset of capabilities. An MDM app on an employee device receives IT admin commands from the MDM web console, and calls Knox APIs to apply those commands on Knox devices. This integration enables enterprise IT admins to deploy IT policies to manage and secure every aspect of Knox devices.
Device management services
To address a variety of business needs beyond security, the Samsung Knox portfolio is complemented by robust cloud services that ease mobile device deployment, customization, and management. These services include:
- Knox Mobile Enrollment — Through this free service, enterprises can use a web console or API to automate the enrollment of a large number of devices. Once an IT admin registers a device with this service, the device user simply turns it on and connects it to Wi-Fi or 3G/4G to enroll it with an MDM system. There is no manual enrollment of individual devices, and no need for IMEI management and verification – all onerous, time-consuming, and error-prone tasks.
- Knox Configure — Samsung phones, tablets, and wearables can be fully customized to work in numerous vertical markets such as hospitality, retail, and entertainment. Through a web console, Systems Integrators can create purpose-built devices that present a customized user interface, for example, an information kiosk, point-of-sales terminal, or in-flight entertainment system. Almost all aspects of device configuration and the user experience can be customized or restricted, including boot animations incorporating custom enterprise logos, display settings, wallpapers, network configurations, notifications, and software updates.
Workspace is a defense-grade dual persona container product designed to separate, isolate, encrypt, and better protect work data on mobile devices. The work container can be remotely managed by a company, while personal information such as pictures and messages remain private. Workspace provides you with the freedom to customize your work device as you please, without worrying about the integrity or security of your company data.
Knox Workspace requires you to log in to the container separately when you need to access your files. This ensures that only you may access the files, even if your ordinary phone security login is compromised.
Here is an example of the personal side of your phone (left) vs the Workspace (right). Notice that they contain different apps and act almost entirely like separate phones – one for personal and one for work.
Why should I install Workspace on my company phones?
Life is simpler with Knox Workspace. It allows you to carry one device to manage both work and personal transactions, while keeping your organization's data safe and protected. Workspace is a leader in the Bring Your Own Device (BYOD) model that many organizations have adopted, offering defense-grade security that is certified by a variety of governments.
What benefits does Workspace provide?
NOTE - For detailed information on using the Knox container and differences with an Android Work profile, see About Knox Workspace.
Some of the benefits Workspace provides include:
- Compliance – The full Workspace solution has received government certification (Common Criteria Certification) and defense certification (FIPS 140-2 Certification, DISA MOS SRG Compliance).
- Convenience – Two devices in one: increased separation between personal and enterprise data.
- BYOD and COPE supported – Installing a Workspace does not interfere with your personal data.
- Full app ecosystem – You can download and use many more apps, including native apps (either proprietary company apps or public apps from supported app stores), web apps, and SaaS apps.
- Better security – Reduced possibility of data leakage due to containerization.
- Better privacy – Reduced potential privacy issues since IT admins can’t access or remove private data inside the Workspace.
Your company also benefits as follows:
- Cost savings – Increased enterprise data security on mobile devices at no extra cost.
- Easy setup – Advanced security features are automatically integrated to help protect enterprise email and data.
See how you can use the Knox Platform to build a secure, world-class mobile infrastructure with popular Samsung devices. This White Paper provides an overview of the Knox Platform's security features and how they can resolve common enterprise pain points with mobile deployments. The document focuses on the unique abilities of the Knox Platform; for information about other, common features, see the Samsung Knox website.