The Samsung Knox Platform
On this page
Samsung’s Knox platform brings defense-grade security on the most popular consumer devices to all enterprises. The Knox Platform provides best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features commonplace in today's mobile device market. The Knox platform is the cornerstone of a strong mobile security strategy supporting a wide variety of Samsung devices.
Why use the Knox Platform?
The Knox platform helps you and your enterprise avoid the security gaps common on many mobile platforms. The Knox platform v3.2 received 27 out of 30 strong ratings in Gartner’s May 2019 Mobile OSs and Devices Security: A Comparison of Platforms report.
The Knox Platform's security hardening supports every aspect of mobile device operation. The Knox Platform enables trust in your mobile endpoints with advanced features like Samsung's patented Real-Time Kernel Protection (RKP) that stands as one of the best kernel protection technologies available from any mobile device vendor. The Knox Platform ensures IT admins can securely bulk deploy the best mobile device hardware, and quickly integrate with existing business infrastructure and apps.
Key benefits for enterprises
- Easily meet your organization's security and compliance requirements, by providing solid platform integrity, strong data protection, and fine-grained policy enforcement.
- Seamlessly activate and manage Knox Platform features through an Enterprise Mobility Management (EMM) system.
- Flexibly support infrastructure, deployment, and management requirements, through centralized remote device control, advanced VPN management, app whitelisting and blacklisting, and granular policies that control all aspects of Samsung devices.
- Effortlessly upgrade from Android Enterprise, leveraging a comprehensive set of Knox Platform benefits without affecting existing deployments.
- Securely deploy the innovative Samsung Desktop Experience (DeX) in new work environments, unifying mobile and desktop computing on one device.
The Knox Platform's cutting-edge security technology continues to be widely adopted and proven by numerous government, security, and financial agencies throughout the world. Samsung continually works with global government organizations and international regulatory bodies to meet a wide range of certification requirements designed to protect public safety and consumer privacy.
Knox Platform differentiators
The Knox Platform provides a robust set of features that are a superset of features on top of the basic Android platform, to fill security and management gaps, resolve pain points identified by enterprises, and meet the strict requirements of highly regulated industries. The following summarizes the key differentiating features:
For a quick overview of how these features compare across different platforms, see "Feature Comparison" on page 1.
The following sections describe how the Knox Platform provides an industry-leading ecosystem of products and services to secure and ease mobile device management.
The Knox Platform defends against security threats and protects enterprise data through layers of security built on top of a hardware-backed trusted environment.
- Trusted environment — A trusted environment separates security-critical code from the rest of the operating system. This strategic separation ensures only trusted processes that are isolated and protected from attacks and exploits can perform sensitive operations, such as data encryption and decryption. Trusted environments perform integrity checks prior to executing any software. These checks detect malicious attempts to modify the trusted environment and the software running on the device.
- Hardware-backed — A trusted environment is hardware-backed if hardware protections isolate the environment from the rest of the running system. This isolation ensures that vulnerabilities in the main operating system don't directly affect the security of the trusted environment. The environment also ties integrity checks of the software running in the trusted environment to cryptographic signatures stored in the device hardware. Hardware-backed integrity checks prevent an attacker from exploiting software vulnerabilities to bypass protections and load unapproved software into the trusted environment.
The Knox Platform uses a hardware-backed trusted environment and the specific components depend on the device hardware. For example, ARM processors provide a Trusted Execution Environment (TEE) that leverages components such as the ARM TrustZone, ARM Hypervisor Mode, and Embedded Secure Elements. Knox features that use the trusted environment include Real-time Kernel Protection (RKP),
Device Health Attestation,
Sensitive Data Protection (SDP), and
Network Platform Analytics (NPA).
The Knox Platform uses app isolation to prevent rogue apps from intentionally or inadvertently accessing unauthorized data. The Knox Platform provides several forms of app isolation to create a protected app container space on Samsung devices. Each option is based on the same core isolation technology called Security Enhancements for Android (SE for Android.) SE for Android is an integration of SELinux and Android, expanded to cover Android components and design paradigms. The Knox Platform offers these options:
- Android Enterprise on Samsung devices — Android Enterprise provides app isolation through Work Profiles, which provide basic isolation of enterprise apps from personal apps. When using Android Enterprise on Samsung devices, Knox provides features like Real-time Kernel Protection (RKP), secure enterprise apps, and hardware-backed storage of certificates and keys, making Android Enterprise even better on Samsung devices.
- Knox Workspace — The Knox Workspace builds on Android Enterprise by providing additional security and management enhancements. Specifically, the Knox Workspace benefits from hardware-backed integrity checks. These checks detect any tampering of the device or its security protections and lock down the Knox Workspace to protect confidential data. The Knox Workspace also supports Sensitive Data Protection (SDP), encrypting data during device runtime and decrypting only after the device user authenticates to unlock the Knox Workspace. Furthermore, the Knox Workspace provides more granular device management, for example, forced two-factor authentication for the Knox Workspace, the use of enterprise Active Directory credentials for authentication, and managed import and export of enterprise data in the Knox Workspace.
- SE for Android Management Service (SEAMS) — With SEAMS, you can isolate a single app or small set of trusted apps, to lock down the apps in the same container. App containers created with SEAMS provide the same benefits of the Knox Workspace. Unlike the first two options, however, SEAMS containers have no special GUI. Apps in a SEAMS container appear with the rest of the apps on the device, but are differentiated with a shield badge to show that they're isolated and protected from apps not sharing their same container. You can create as many of these SEAMS containers as you want on-the-fly.
With the Knox Workspace, enterprises can deploy additional security and management policies to enforce requirements, such as those needed to work within highly regulated industries such as finance, healthcare, and government.
Enterprises can protect personal and enterprise data on mobile devices using a rich set of Knox features:
- User authentication — Samsung Knox devices support not just password, PIN, and pattern authentication but also the latest biometric authentication: fingerprints, iris, face, and Intelligent Scan. Options are available for both device lockscreen authentication and separate Knox Workspace authentication. Through the Knox Platform, you can provide enforce two-factor authentication for the Knox Workspace or enterprise AD credentials to ensure stronger data protection.
- Encryption of device data — Samsung Knox devices provide data encryption through Sensitive Data Protection that binds to the hardware-backed Root of Trust and user authentication. This encryption ensures data is decrypted only on the device where the data is stored, and only by the device owner. DualDAR Encryption offers two instances of encryption to achieve an even higher level of reliability.
- Encryption of network data — Samsung Knox devices offer the widest selection of advanced VPN features, providing the ability to configure a separate VPN for the Knox Workspace as well as for individual apps, to reinforce data isolation even further. Knox also offers always-on VPN, on-demand VPN, on-premise VPN bypass, HTTP proxy over VPN, multiple active tunnels, strict data leakage controls, and VPN chaining or cascading.
- Device tracking, locking, and erasing — Samsung Knox devices offer the ability to track, geofence, and automatically lock devices based on events and security policies. For example, a device that leaves a specified geographic perimeter is locked, wiped of data, or reset to factory defaults.
Device management and deployment
Enterprises with tens, hundreds, or thousands of employee mobile devices need to manage them easily, securely, and efficiently. Through EMM systems, enterprise IT admins can use a web console to centrally and remotely manage devices over-the-air. IT admins can control Samsung Knox devices comprehensively, managing device features with ease.
This management is possible through the Samsung Knox SDK, which offers over 1500 APIs for granular and flexible control over Samsung devices. This functionality is on top of the basic APIs offered through the Android SDK, providing a more powerful superset of capabilities. An EMM app on an employee device receives IT admin commands from the EMM web console, and calls Knox APIs to deploy commands on Knox devices. This integration enables enterprise IT admins to deploy IT policies to manage and secure every aspect of Knox devices.
Device management services
To address a variety of business needs beyond security, the Samsung Knox portfolio is complemented by robust cloud services that ease mobile device deployment, customization, and management. These services include:
- Knox Mobile Enrollment — With this free service, enterprises can use a web console or REST API calls to automate device enrollment, either individually or in bulk. After an IT admin registers a device with this service, the device user simply turns it on and connects it to a Wi-Fi or 3G/4G network to enroll it with an EMM system. There is no manual enrollment of individual devices, and no need for IMEI management and verification – all onerous, time-consuming, and error-prone tasks.
- Knox Configure — Samsung phones, tablets, and wearables are fully customizable to work in numerous vertical markets such as hospitality, retail, and entertainment. Through a web console, Systems Integrators can create purpose-built devices that present a customized user interface, for example, an information kiosk, point-of-sales terminal, or in-flight entertainment system. The Systems Integrators can customize or restrict almost all aspects of device configuration and the user experience, including boot animations incorporating custom enterprise logos, display settings, wallpapers, network configurations, notifications, and software updates.
This White Paper provides an overview of Knox Platform's security features and how they can help resolve common enterprise mobile deployment issues. For information about other Knox features, see the Samsung Knox website.