Enterprises everywhere are recognizing how mobile technology can empower employees and enhance customer experiences, but they face two big challenges in order to fully harness its potential.

First, as mobile device use cases across an organization become more sophisticated, so too do the requirements for configuring, managing and supporting these devices. Secondly, with smartphones and tablets accessing sensitive data and apps more than ever before, mobile security becomes all the more critical.

Samsung Knox was designed to help overcome these two challenges by making Samsung Galaxy smartphones the most secure and manageable on the market. An extension of Android Enterprise (AE) architecture, the Knox platform delivers unique, granular security and management features that meet the needs of organizations’ fast-evolving mobility needs.

To understand Knox, though, it’s important to separate the Knox platform — which is built into all Samsung’s latest mobile devices — from the Knox cloud-based management tools and services that can be licensed to run on top of the Knox platform.

Security built on Android Enterprise

Built into all Galaxy smartphones, tablets and wearables, Knox is a security platform you can trust to protect your business data. Developed on the principles of trusted computing — and with a hardware root of trust to verify the device’s integrity at boot-up — Knox provides a secure foundation for enterprise mobile initiatives.

Mobile device management for beginners

icon of a document
White Paper

Get started with MDM so your organization can spend less and do more — securely and efficiently. Download Now

Malicious code can intrude on any single OS layer, or through several of them. Knox’s holistic approach to securing a phone’s OS and data protects against diverse security threats, which can come from a variety of sources and threat vectors. This chip-based protective architecture, also known as TrustZone, isolates highly sensitive computations from the rest of the device’s operations. Then, it uses real-time kernel protection to constantly inspect the core of the OS during runtime. Finally, Knox encompasses Samsung’s security enhancements for Android, protecting apps and data by strictly defining what each process is allowed to do and what data it can access.

Through these measures, the Knox platform has met certification requirements from NIAP’s Common Criteria and NIST’s FIPS 140-2, and received multiple Defense Information Systems Agency STIGs for classified use. Knox security is, literally, defense-grade.

The Knox Platform for Enterprise

On top of the core Android Enterprise platform, Knox Platform for Enterprise (KPE) provides a robust set of features to meet the security needs of government organizations, as well as in other highly regulated industries such as finance and healthcare.

This includes the National Security Agency (NSA)’s Commercial Solutions for Classified (CSfC) program, the National Information Assurance Partnership (NIAP) and the U.K.’s End User Device (EUD) guidance. Their security requirements stipulate, for example, that a phone support dual layers of encryption when data is at rest or in transit.

With Samsung DualDAR (or Dual Data-at-Rest), the data inside a Galaxy device’s work profile is encrypted twice, using two independent crypto modules. Knox DualDAR also allows third-party crypto modules for inner layer encryption. For dual-layered encryption of data in transit, Knox supports VPN chaining. These details make Samsung the only mobile phone provider to address requirements like CSfC and EUD to the letter.

KPE’s deep customization options allow businesses to streamline their device deployments, with the added flexibility of granular device management and enforceable app management capabilities, with or without Managed Google Play integration. By adding Managed Google Play, you can whitelist and blocklist specific apps for specific users. KPE also allows IT admins to set system-level feature restrictions, including Common Criteria mode, and apply unique policies to Samsung DeX, Samsung’s mobile desktop solution.

At the same time, some enterprises that have deployed Android Enterprise (AE) fully managed devices may want to separate work apps from unapproved apps. IT admins define unapproved apps as employee-needed apps that aren’t fully trusted and vetted from a cybersecurity perspective. Normally, allowing those kinds of apps isn’t an option, because enterprise IT policies based on AE require the device to be fully managed.

Samsung is offering a more flexible approach on Android 11 with a solution called Knox Separated Apps. This solution securely organizes and isolates apps on a fully managed Samsung device so that separated apps cannot access work data.

KPE also provides advanced network management capabilities, including controls over roaming and Access Point Name (APN) management.

The Knox solution set

The Knox platform doesn’t replace the need for enterprise mobility management (EMM) tools, but it provides a secure foundation. Samsung has collaborated closely with many of the leading mobile device management (MDM) software providers, including Airwatch, BlackBerry and MobileIron, to ensure close integration between the Knox platform and their device management tools.

At the same time, Samsung has developed its own set of cloud-based software solutions to meet specific enterprise needs. This Knox solution portfolio, which can be licensed and accessed through the Knox portal, is designed to assist mobility managers throughout a device’s life. Here are the Knox solution portfolio’s key offerings:

  • Knox Configure: Providing businesses with advanced configuration and customization capabilities, Knox Configure can help you meet unique business needs, including device setup, rebranding, kiosking and feature restrictions. Your Samsung phones and tablets can be configured remotely — the moment they’re powered on and connected to Wi-Fi or cellular data. You can create profiles to automatically provision their apps and content, remove unnecessary preloaded apps, enroll in an MDM solution and configure virtually any setting. Knox Configure lets you skip lengthy setup wizards, so devices are ready to go in minutes, with all the same exact settings. If a user factory-resets the device, it’s automatically returned to the configuration you designed. You can also transform mobile devices into bespoke business tools, limit a device to running a single app (while locking down device settings) or customize the user experience.
  • Knox Mobile Enrollment (KME): Providing zero-touch deployment for free, Knox Mobile Enrollment (KME) automatically adds each device to your EMM solution once your IT team has prepopulated its user credentials. End users can skip setup wizards and account registrations, so they get up and running faster. With KME, you can ensure all your devices stay enrolled in your EMM system. If an end user or an outside threat performs a factory reset or uninstalls the EMM agent, KME will reinitiate the enrollment process automatically. Your IT team can also enable Android factory reset protection so that a device can be recovered even if the user’s credentials are lost.
  • Knox Manage: Samsung’s cloud-based EMM solution made for small-to-midsize businesses (SMBs), Knox Manage can be used to manage Android, iOS or Window 10 devices, though it provides the most comprehensive feature set for Samsung Galaxy devices with the integrated Knox platform. Knox Manage provides IT admins with hundreds of policies, including all the essentials like whitelisting and blocklisting solutions. It also supports remote device control, event-based management, device location tracking and remote wipe capabilities.
  • Knox E-FOTA: Providing enterprises with control over their software updates, Knox E-FOTA gives your business the power to validate, approve and deploy new versions of your OS across your device fleets, without any end-user interaction. You can test and validate firmware updates in advance to uncover potential compatibility issues, and schedule deployments by device group and time of day, minimizing workflow disruption. You can even factor in other criteria like Wi-Fi access and battery life. Knox E-FOTA is integrated with leading EMM solutions, so you can pull existing device and group information from your EMM to streamline your firmware management processes.

Knox has come a long way since Samsung introduced the platform back in 2013, but the fundamentals remain the same: Knox secures Android mobile devices through hard-wired protections while serving specific management needs.

Today, Knox demonstrates Samsung’s commitment to ensuring its enterprise customers’ data is always safe on Galaxy mobile devices, providing peace of mind for IT teams and giving users freedom in both work and leisure. You can fully optimize mobile deployments by purchasing the Knox Suite of solutions, which includes KME, Knox Manage, KPE and Knox E-FOTA.

Learn best practices for thwarting mobile security breaches and responding when they occur in our free guide, Building a Cyber Incident Response Plan. Or, read these eight quick tips for securing remote workforces.

Posts By

Balamurugan Thinagarajan

Balamurugan Thinagarajan is Product manager for Tactical Edition and OS Customization and Director of Software Product Management at Samsung Electronics America. He has 19 years of experience in enterprise mobility and previously helped integrate and deploy security solutions to address the technology needs of the U.S. Department of Defense and other U.S. government agencies.

View more posts by Balamurugan Thinagarajan