
Knox 101: Understanding Samsung’s Enterprise Mobile Security Stack

Samsung Knox was conceived to solve a simple problem: Android was not perceived as a trusted OS for the enterprise. The same openness and flexibility that made Android an attractive proposition for developers and consumers presented enterprise security and management challenges.

From its introduction back in 2013, Knox was designed to address these concerns, creating a more secure version of Android for enterprise use, and providing enterprise customers the management and deployment features they demanded.

To understand Knox, it’s important to separate the Knox platform — which is built into the hardware and software of all Samsung’s latest mobile devices — from the Knox software and services that can be licensed to run on top of that platform.

The Most Secure Android Available

The Knox platform is not something that is purchased, downloaded, or installed: it’s part of each Samsung mobile device. Effectively, the Knox platform can be thought of as Samsung’s implementation of Android, ensuring device integrity and security.

Developed on the principles of trusted computing and with a Hardware Root of Trust to verify the integrity of the device at boot-time, the Knox platform provides a secure foundation for enterprise mobile initiatives.

What makes the Knox platform unique? First, it leverages a processor security architecture known as TrustZone, in which highly sensitive computations are isolated from the rest of the device’s operations. Second, it uses real-time kernel protection to continuously inspect the core of the OS at run time. Third, it encompasses Samsung’s security enhancements for Android, protecting applications and data by strictly defining what each process is allowed to do and what data it can access.
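As an added illustration (not Samsung's code and not a description of Knox internals), the following Python model shows the kind of boot-time integrity check that a hardware root of trust underpins: an immutable hash held by the hardware vouches for the first boot stage, each stage in turn carries the hash it expects of the stage it loads next, and a modified stage image, or a tampered stored hash, stops the chain at the first mismatch. The stage names and images are constructed; the hashing and chaining are the general technique, not any vendor's implementation.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BootStage:
    """One stage of the boot chain (constructed stand-in for a real image)."""
    name: str
    image: bytes                 # the stage's code/data
    next_hash: Optional[str]     # digest this stage expects of the next stage (None for the last)


def stage_digest(stage: BootStage) -> str:
    """Hash of everything the stage contains: its code and the hash it vouches for.

    Including next_hash in the digest means an attacker cannot swap in a new
    'expected' hash for the following stage without changing this stage's own digest.
    """
    h = hashlib.sha256()
    h.update(stage.image)
    h.update((stage.next_hash or "").encode())
    return h.hexdigest()


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[str, List[BootStage]]:
    """Build stages last-to-first so each stage can embed the digest of its successor.

    Returns (root_hash, stages). The root hash is what the hardware root of trust
    would hold immutably; everything else is verified from it at boot time.
    """
    stages: List[BootStage] = []
    next_hash: Optional[str] = None
    for name, image in reversed(images):
        stage = BootStage(name, image, next_hash)
        stages.insert(0, stage)
        next_hash = stage_digest(stage)
    assert next_hash is not None
    return next_hash, stages


def verify_boot_chain(root_hash: str, stages: List[BootStage]) -> Tuple[bool, List[str]]:
    """Walk the chain from the hardware-held root hash; stop at the first mismatch.

    Returns (ok, names_of_stages_verified_before_stopping).
    """
    expected = root_hash
    verified: List[str] = []
    for stage in stages:
        if stage_digest(stage) != expected:
            return False, verified          # integrity failure: refuse to continue booting
        verified.append(stage.name)
        if stage.next_hash is None:
            break
        expected = stage.next_hash
    return True, verified


# Constructed sample chain: primary bootloader -> bootloader -> kernel.
ROOT_HASH, GOOD_CHAIN = build_chain([
    ("primary bootloader", b"pbl-v1"),
    ("bootloader", b"bl-v1"),
    ("kernel", b"kernel-v1"),
])


def tampered_kernel_chain() -> List[BootStage]:
    """Same chain, but the kernel image was modified after the chain was built."""
    pbl, bl, kernel = GOOD_CHAIN
    return [pbl, bl, BootStage(kernel.name, b"kernel-v1-with-implant", kernel.next_hash)]


def tampered_hash_chain() -> List[BootStage]:
    """Attacker rewrites the bootloader's stored expectation to match a new kernel.

    Because next_hash is part of the bootloader's own digest, the chain now fails
    one stage earlier, at the bootloader, rather than at the kernel.
    """
    pbl, bl, _ = GOOD_CHAIN
    evil_kernel = BootStage("kernel", b"kernel-v1-with-implant", None)
    evil_bl = BootStage(bl.name, bl.image, stage_digest(evil_kernel))
    return [pbl, evil_bl, evil_kernel]


if __name__ == "__main__":
    print(verify_boot_chain(ROOT_HASH, GOOD_CHAIN))
    print(verify_boot_chain(ROOT_HASH, tampered_kernel_chain()))
    print(verify_boot_chain(ROOT_HASH, tampered_hash_chain()))
```

The point the model makes is that the only value that must be trusted unconditionally is the one the hardware holds; every later stage is verified before it runs, and editing either an image or a stored hash is caught before control is handed over.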

Through these measures, the Knox platform has helped reverse perceptions of Android. It’s also met certification requirements from NIAP’s Common Criteria and NIST’s FIPS 140-2, and received multiple Defense Information Systems Agency STIGs for classified use. When we say it’s defense-grade security, we mean it.

The Knox Platform for Enterprise

Knox Platform for Enterprise (KPE) is the latest version of our advanced security and management features for Samsung devices. KPE includes a number of Samsung-specific security enhancements and complements Google’s Android Enterprise program, including Android’s built-in containerization tools such as the Android Work Profile. For enterprises requiring high security, Knox Workspace (an optional feature of KPE) provides an encrypted container that isolates business applications and data. This creates a dual-persona device: work data is protected in the encrypted container, while employees can still download and use personal apps on their device. Within Knox Workspace is a Samsung-unique feature called Sensitive Data Protection (SDP), which keeps work data encrypted while the device is powered on and running, as opposed to the industry norm of encrypting data only at rest, when the device is powered down.

In addition, KPE offers a suite of features (separately licensed) that extend the security in Android for enterprises with more demanding requirements. For example, with KPE, enterprise IT managers can tightly integrate their Windows Active Directory domains and let end users unlock their phones with their Windows AD credentials. Features such as VPNs are extended beyond the basic Android feature set, for example, by adding per-application and on-demand VPN features.


We are continuing to enhance Knox based on the feedback we get from customers. For example, in Knox 3.2, released in August 2018, we made it easier for IT managers to comply with the European Union’s GDPR by adjusting how Privacy Policy notifications are shown to end users and how users give consent when setting up Knox features on their smartphones. We also added features to help highly regulated industries in logging text messages from users’ phones, and to help security-conscious enterprises who need to completely disable all types of Wi-Fi and Bluetooth/Bluetooth Low Energy scanning.

The Knox Solution Set

The Knox platform does not replace the need for enterprise mobility management (EMM) tools, but it provides a secure foundation for them. In fact, we’ve collaborated closely with many of the leading mobile device management software providers, including AirWatch, BlackBerry and MobileIron, to ensure close integration between the Knox platform and their device management tools.

At the same time, Samsung has developed its own set of cloud-based software solutions to meet specific enterprise needs. This Knox solution portfolio, which can be licensed and accessed through the Knox portal, is designed to assist mobility managers throughout the life cycle of the device. Here are the key offerings:

  • Knox Configure: Knox Configure is a tool for remotely provisioning and configuring a large fleet of Samsung mobile devices. It is typically used at the deployment phase to create a gold master image that is pushed out to your phones or tablets when they’re first powered on, anywhere in the world. It can also be used to create single-purpose devices, such as kiosks or point-of-sale (POS) terminals, by locking down other functionality on the device, and it has a local mode that lets you push configurations over Bluetooth or NFC to devices that don’t have an internet connection. Knox Configure can be used as a one-time tool to push a specific configuration to a device when it’s first set up, or in “dynamic” mode, which allows IT managers to change configuration profiles in the Knox Configure portal and have the changes pushed over the air to the device clients.
  • Knox Mobile Enrollment: A free tool, Knox Mobile Enrollment provides a quick, simple and secure way to automatically enroll many devices into your EMM. Its two major benefits are eliminating the time spent manually enrolling devices, and ensuring devices are managed from the moment the user powers one up.
  • Knox Manage: Knox Manage, Samsung’s cloud-based EMM solution targeted at small and medium-sized businesses (SMB), can be used to manage Android, iOS or Windows 10 devices, though of course it’s most effective on Samsung Galaxy devices with the integrated Knox platform. Knox Manage provides IT admins with hundreds of policies, including all the essentials such as whitelisting and blacklisting apps and websites. It also allows remote device control, event-based management, device location tracking and remote wipe.

Samsung Knox has come a long way since we introduced the platform back in 2013, but the fundamental underpinnings remain the same: securing Android mobile devices through protections built in at the hardware level. Knox has evolved further through our portfolio of licensed solutions that solve specific management needs.

Today, Knox is Samsung’s commitment to ensuring our enterprise customers’ data is safe on Galaxy mobile devices, providing IT peace of mind and users freedom to work and play the way they want.


By Jonathan Wong

Jonathan Wong is director of product marketing at Samsung, and is passionate about technology that drives productivity for the mobile workforce. He has been involved in launching numerous hardware and software solutions, including the industry-leading Samsung Knox mobile security platform and the Samsung DeX mobile desktop solution. Based in NYC, he enjoys rocking out on the guitar whenever he gets the chance.
