Enterprises everywhere are recognizing how mobile technology can empower employees and enhance customer experiences, but they face two big challenges to harness its full potential.
First, as mobile device use cases across an organization become more sophisticated, so do the requirements for configuring, managing and supporting these devices. Secondly, with smartphones and tablets accessing sensitive data and apps more than ever before, mobile security becomes all the more critical.
Samsung Knox was designed to help overcome these two challenges by making Samsung Galaxy smartphones the most secure and manageable on the market. An extension of Android Enterprise (AE) architecture, the Knox platform delivers unique, granular security and management features that meet organizations’ fast-evolving mobility needs.
Knox is Samsung’s brand for a wide suite of technologies, products and services that all work together to build mobility solutions with defense-grade security and management. To understand Knox, we’ll review three different layers:
- The Knox base, built into the hardware and Android OS of all of Samsung’s latest mobile devices
- Knox Platform for Enterprise (KPE), a software toolkit and set of application programming interfaces (APIs) that provide enhanced security and management for enterprises building sophisticated mobility solutions
- Knox cloud-based management tools and services that can be licensed to run on top of the Knox platform
First layer: Security built on Android Enterprise
Built into all Galaxy smartphones, tablets and wearables, the first layer of Knox is a security platform you can trust to protect your business data. Developed on the principles of trusted computing — and with a hardware root of trust (RoT) to verify the device’s integrity at boot-up — Knox provides a secure foundation for enterprise mobile initiatives.
The Knox platform is not something that’s purchased, downloaded or installed; it’s part of every Samsung mobile device. The technologies forming Knox’s base are a combination of Galaxy hardware, firmware and Samsung’s extensions to Android Enterprise, all working together to ensure device manageability, integrity and security.
Malicious code can intrude on any single OS layer, or several of them. Knox’s holistic approach to securing a mobile device’s OS and data protects against diverse threats, from a variety of sources and threat vectors.
Knox starts with protective technologies at the chip level, known as TrustZone, that isolate highly sensitive computations from the rest of the device’s operations. Then, it uses real-time kernel protection to constantly inspect the core of the OS during runtime. Finally, Knox layers in Samsung’s security enhancements for Android, protecting apps and data by strictly defining what each process is allowed to do and what data it can access. These three sub-layers all work together to deliver integrated and hardened security from the moment the device is powered on.
Through these measures, the Knox platform has met certification requirements from NIAP’s Common Criteria and NIST’s FIPS 140-2, and received multiple Defense Information Systems Agency STIGs for classified use. Knox security is, literally, defense-grade.
Second layer: Knox Platform for Enterprise
On top of the Knox base of hardware, firmware and device security added to the core Android Enterprise OS, Samsung has built Knox Platform for Enterprise (KPE). This layer of Knox delivers APIs and additional features that meet the management and security requirements of enterprises — especially highly regulated enterprises in finance and healthcare — as well as government agencies. The KPE layer touches all aspects of Android management and security: granular device configuration, kiosk configurations, security options, device setting restrictions, preconfiguration of VPN, firewall and email apps, app controls and more. All are licensed at no extra charge, and available through mobile device management (MDM) products and apps built using the Samsung Knox software development kit (SDK).
These first two layers of Knox are the key to compliance with the advanced security requirements of programs such as the National Security Agency (NSA)’s Commercial Solutions for Classified (CSfC) program, the National Information Assurance Partnership (NIAP) and the U.K.’s End User Device (EUD) guidance.
Advanced security requires, for example, that a phone support dual layers of encryption when data is at rest or in transit. Agencies and enterprises can satisfy this requirement with the KPE feature Samsung DualDAR (or Dual Data-at-Rest), which double-encrypts data inside a Galaxy device’s work profile, using two independent crypto modules. Knox DualDAR also allows third-party crypto modules for inner layer encryption. For dual-layered encryption of data in transit, Knox includes VPN chaining. These details make Samsung the only mobile phone provider to address requirements like CSfC and EUD to the letter.
Mobile device management for beginners
White Paper
Get started with MDM so your organization can spend less and do more — securely and efficiently. Download Now
Good management is part of strong security, so KPE includes deep customization options. These allow businesses to streamline their device deployments, with the added flexibility of granular device management and enforceable app management capabilities. By integrating with Managed Google Play, for example, IT admins can allowlist and blocklist specific apps for specific users.
Another KPE feature that supports device management is Knox Separated Apps. Enterprises that have deployed Android Enterprise (AE) fully managed devices may want to separate work apps (and their data) from unapproved apps. Knox Separated Apps lets IT admins define these unapproved apps that aren’t fully vetted from a cybersecurity perspective: Think apps such as Uber for ride-sharing or Fly Delta for travel. Knox Separated Apps isolates these useful-but-untrusted apps and their data, while ensuring employees have access to the tools they need on their company-managed mobile devices.
The Knox solution set
Samsung knows that enterprises need their key technology partners to work together. The Knox solution set provides a secure foundation for enterprise mobility management (EMM) tools, both on-premises and in the cloud. Samsung has collaborated closely with many of the leading MDM software providers, including Airwatch, BlackBerry and MobileIron, to ensure tight integration between the Knox platform and their device management tools.
Samsung has developed its own set of cloud-based software solutions to meet specific enterprise needs, all building on top of the technologies in Knox. This solution portfolio, which can be licensed and accessed through the Knox portal, is designed to assist mobility managers throughout a device’s life. Here are the Knox solution portfolio’s key offerings:
- Knox Configure: Providing businesses with advanced configuration and customization capabilities, Knox Configure can help you meet unique business needs, including device setup, rebranding, kiosking and feature restrictions. Your Samsung phones and tablets can be configured remotely — the moment they’re powered on and connected to Wi-Fi or cellular data. You can create profiles to automatically provision their apps and content, remove unnecessary preloaded apps, enroll in an MDM solution and configure virtually any setting. Knox Configure lets you skip lengthy setup wizards, so devices are ready to go in minutes, with all the same exact settings. If a user factory-resets the device, it’s automatically returned to the configuration you designed. You can also transform mobile devices into bespoke business tools, limit a device to running a single app (while locking down device settings) or customize the user experience.
- Knox Mobile Enrollment (KME): Providing free zero-touch deployment, Knox Mobile Enrollment (KME) automatically adds each of your devices to your EMM solution once your IT team has prepopulated its user credentials. End users can skip setup wizards and account registrations, so they get up and running faster. With KME, you can ensure all your devices stay enrolled in your EMM system. If an end user or an outside threat performs a factory reset or uninstalls the EMM agent, KME will reinitiate the enrollment process automatically. Your IT team can also enable Android factory reset protection so that a device can be recovered even if the user’s credentials are lost.
- Knox Guard: When corporate smartphones are lost or stolen, Knox Guard provides an inexpensive option to protect and control access to these devices — and the data they hold. IT managers can use Knox Guard to lock and even wipe devices using technologies that can’t be bypassed, don’t use an installed client and don’t require a network connection. Knox Guard capabilities are built into all Samsung smartphones and tablets, and operate using built-in BIOS and TrustZone security — meaning a factory reset or OS reinstall won’t disable the Knox Guard protections.
- Knox Enterprise Firmware Over-the-Air (E-FOTA): Providing enterprises with control over their software updates, Knox E-FOTA gives your business the power to validate, approve and deploy new versions of your OS across your device fleets, without any end user interaction. You can test and validate firmware updates in advance to uncover potential compatibility issues, and schedule deployments by device group and time of day, minimizing workflow disruptions. You can even factor in other criteria like Wi-Fi access and battery life. Knox E-FOTA is integrated with leading EMM solutions, so you can pull existing device and group information from your EMM to streamline your firmware management.
- Knox Manage: Samsung’s cloud-based EMM solution made for small and medium-sized businesses (SMBs), Knox Manage can be used to manage Android, iOS or Windows 10 devices, though it provides the most comprehensive feature set for Galaxy devices with the integrated Knox platform. Knox Manage provides IT admins with hundreds of policies — including all the essentials, like allowlisting and blocklisting. It also supports remote device control, event-based management, device location tracking and remote wipe.
- Knox Asset Intelligence (KAI): Building on other Knox solutions, KAI is a cloud-based data analytics tool that provides in-depth insights into mobile device performance and usage across an entire fleet from the moment they’re deployed. With real-time reporting capabilities, KAI offers IT admins clear visibility into device-specific data, including connectivity and GPS-based location tracking, device health, battery usage and app stability. Your IT team has access to all of this data in a single, user-friendly cloud console, allowing them to make better-informed decisions. They’re able to view the status of each device, monitor how they’re being used and detect any performance issues.
Knox has come a long way since Samsung introduced the platform back in 2013, but the fundamentals remain the same: Knox secures Android mobile devices through hard-wired protections while also serving specific management and data security needs.
Today, Knox demonstrates Samsung’s commitment to ensuring its enterprise customers’ data is always safe on Galaxy mobile devices, providing peace of mind for IT teams and giving users freedom in both work and leisure.
Get 10 essential tips to keep your mobile device secure in our free guide. And find out more about how Samsung Knox Suite provides an end-to-end solution for complex mobility needs.
