Our approach to security and management addresses the real-world challenges that enterprises face with mobility solutions. Most enterprises offer a BYOD or COPE program today, and Android devices are heavily in demand by business users – in fact, IDC estimates that this year Android will sell more phones in the business segment than Apple will sell in total.
And yet, there is a clear division of what is important to business users and IT when it comes to mobility.
IT wants devices that:
- Provide strong security and control
- Integrate easily with existing infrastructure
- Keep deployment, maintenance and upgrade costs low
Users, on the other hand, want devices that:
- Make me productive
- Protect my privacy
- Give me a wide choice of features
In many cases, these requirements are working against each other. That is what makes KNOX so valuable in enterprise scenarios. Using KNOX, you get the best of both worlds – the security and control IT is looking for and the sleek design, productivity, and cutting edge features that users want in Galaxy smartphones and tablets.
2. 2016 enterprise mobility trends
Android adoption in business continues to grow
Android’s dominance is expected to grow to 82% of all phones by 2019.*
* Leading analytics firm
IT and user mobility needs do not easily align
• User: Productivity, Privacy, Choice
• IT: Security, Integration, Low cost
4. KNOX is Samsung’s defense-grade mobile security platform built into our new devices, making them the most secure Android devices available.
KNOX Platform
Real-time device protection from the moment you turn it on
5. KNOX Workspace defense-grade container
• Isolate, encrypt, and protect corporate data.
• Defense-grade, dual persona container.
• IT control of security of corporate data and resource access.
• Personal information controlled entirely by user.
6. Security and productivity for all business users
• Individuals: My KNOX
• SMB: KNOX Cloud Solutions (KNOX Express and KNOX Premium)
• Enterprise, Government and other verticals: KNOX Workspace, KNOX Customization
• KNOX platform
• KNOX Enabled App
7. KNOX maximizes Android security
Key differentiators:
• Defense-grade, hardware anchored security
• Fully enterprise-ready
• Cost control and ease of deployment
• Best end-user experience
Enterprise-ready: Deep IT Integration/support and best end-user experience
Application security: Secure app access and data protection
Device security: Secure hardware design and manufacturing with boot, load, and run-time defenses
9. What’s new in KNOX?
Key features in KNOX 2.6
• Increased end user productivity
• Industry-leading Android for Work support and integration
• A more powerful partner ecosystem
• Advanced security
• Granular management for tighter control
10. Industry-leading Android for Work support and integration
Google Play for Work support
KNOX Workspace supports Google Play for Work for better IT app deployment and employee app discovery and download.
Android for Work hardened by KNOX
Android for Work managed profiles now integrate deeper into the KNOX platform for boot and run time protections, enhanced encryption, and improved security.
11. Advanced security
KNOX Mobile Enrollment improvements
More safety measures protect the process of bulk enrollment of devices from network attacks.
VPN HTTP Proxy Authentication
HTTP Proxy configurations over VPN for KNOX Workspace now support proxy authentication.
Kernel address space layout randomization
The KNOX platform now ensures that the memory addresses of kernel data structures and code are randomized from one device to another.
Enhanced Real-time Kernel Protection (RKP)
RKP monitors some critical kernel data structures to verify that they are not exploited by attacks. This feature extends RKP security to Namespace Data Structure protection.
12. Increased end-user productivity
Multi Window support for KNOX
End users now can use apps in KNOX Workspace alongside apps outside KNOX Workspace.
Enable speech-to-text in KNOX Workspace
End users can use Google Voice with apps inside KNOX Workspace.
Clipboard / copy and paste outside to inside
IT admins now can allow end users to copy/paste from outside KNOX Workspace into KNOX Workspace.
13. Granular management for tighter control
Trust Anchor Management
On BYOD devices used for play and work, the end user and IT admin can choose to trust different sets of Certification Authority (CA) certificates.
Data Loss Prevention (DLP)
Enables IT admins to enforce tighter policies on the KNOX container and its apps to restrict and prevent enterprise data loss or leakage.
Per-app roaming control
Now IT admins can control which apps are allowed to use mobile data when the user is connected to a roaming network.
14. A more powerful partner ecosystem
KNOX Enabled Apps enhancements
Enhancements to KEA give app developers increased flexibility.
KNOX Customization SDK
App developers gain the ability to customize apps for Standard and Premium SDKs.
Attestation API
Developers can use this to determine whether a device is secure enough to enable their app to run.
15. KNOX works on many Samsung devices
30+ Samsung models supported in countries around the world
17. Wide support from leading MDM vendors
Strong community of MDM partners makes it possible to quickly enable KNOX in any enterprise
Key partners integrate their own secure containers with KNOX platform
3rd party container
MDM
18. Ecosystem of enterprise solution partners
• Business Apps
• VPN
• Smart Card/CAC Authentication
• Secure Voice/SMS
• Enterprise Billing
• Advanced Mobile Security
• IAM/SSO
19. The most secure Android – only with Samsung
Supports any business user on innovative, widely adopted Samsung devices.
Meets the security requirements of IT and productivity needs of users – maximizing Android security and productivity.
New features supported with our latest devices, including the Galaxy S7, S7 edge, S6, S6 edge, S6 edge+ and Note 5.
For more information visit www.samsungknox.com
Editor's Notes
Today we are going to give you an overview of our latest advancements with Samsung KNOX, the most secure Android solution – delivered through the most popular Android device manufacturer, Samsung.
Our approach to security and management addresses real-world challenges that enterprises are faced with when it comes to mobility solutions. Most enterprises are offering a BYOD or COPE program today. And Android devices are heavily in demand by users. Eight of every 10 phones on the market are Android devices, and that trend is expected to hold steady through to 2019.
Samsung manufactures and configures its devices in its own factories, which gives Samsung total control over the state of the device software leaving the factory.
From the hardware root of trust to the Android framework and all the layers in between, Samsung KNOX has security and protection measures in place.
• Device integrity to ensure devices have not been compromised at any point from manufacturer to user.
• Trusted boot process to guarantee that the precise, full set of allowed software is loaded and run.
• Corporate data security to keep strict separation and isolation of personal and corporate applications and data.
• Enterprise-ready features, such as SSL VPN support, On-Device Encryption, and Single Sign-On, to meet mobile security compliance requirements.
With Samsung KNOX you get real time device protection from the moment you turn on the device.
KNOX Workspace is a defense-grade dual persona container product designed to separate, isolate, encrypt and protect work data from attackers. This work/play environment ensures work data and personal data don’t mix and that only the work container can be managed by the company. Personal information, such as pictures and messages, is not managed or controlled by the IT department. The KNOX Workspace product is tightly integrated into the KNOX platform when activated.
Samsung offers solutions built on the KNOX platform to meet the needs of any industry or organization type. Samsung also offers protection for third-party apps with the KNOX Enabled App container solution.
KNOX solutions deliver security for individual users (My KNOX), for SMB organizations (KNOX Express and KNOX Premium) that need cloud-based options to reduce administrative overhead, and for enterprises and governments (KNOX Workspace) that require highly customized and locked down mobility solutions (KNOX Customization).
As the clear leader in security and enterprise readiness among all Android OEMs, Samsung KNOX builds on Android to deliver a comprehensive security solution that addresses these real-world issues for the most demanding enterprise customers. The most secure Android solution is delivered by Samsung, on Samsung devices with KNOX. Key differentiators include:
• Defense grade, hardware anchored security foundation
  - Hardware to application level security – security measures in every layer of the Android stack and Samsung device hardware
  - OEM controlled (e.g. root key and certificates)
  - Internationally recognized certifications including:
    - FIPS 140-2: US Federal Gov’t Requirement (Nov, 2011)
    - DISA STIG: US DoD Security Requirement (May, 2013)
    - Common Criteria MDFPP: Requirement to access US classified information (Feb, 2014)
    - DISA Approved Product List: Approved Mobile Product in US DoD systems (Jun, 2014)
    - CSFC List: the only approved mobile product to access US classified data (Sep, 2014)
    - ISCCC: Security solution certificate by the China Information Security Certification Center (December 2015)
    - ANSSI: First level security certification from the French national security agency (December 2015)
  - Ensures that system software is authentic (it comes from a trusted source and has not been modified)
• Fully enterprise-ready: extensive support and integration with popular IT solutions
  - Deeper integration with key MDM solutions
  - Wide range of VPN support (Cisco, F5, Juniper, Strongswan, Mocana, etc.)
  - Single Sign-On (Microsoft, Kerberos, CA, Centrify, with more to come, versus Google's set of services only)
  - Rich integration with Exchange email (certificate based authentication)
  - Microsoft AD for container login
• Cost control and ease of deployment
  - Enterprise billing capabilities
  - Bulk enrollment of devices with KNOX Mobile Enrollment
• The best end user experience
  - Familiar and intuitive experience for apps with options for preferred UI layout (e.g. folder view that makes it even more seamless/easy to access work apps)
  - Many of the great Samsung device end user security and productivity features (e.g. multi-tasking, fingerprint scanner, S-pen, keyboard case accessory) work with KNOX
Details on Certifications below:
--------------------------------------------
FIPS 140-2
National Institute of Standards and Technology (NIST) publication FIPS 140-2 defines security requirements for cryptographic modules. Samsung Kernel Cryptographic Module (Cert #1915) Samsung Kernel Cryptographic Module (Cert #2214) Samsung devices also make use of FIPS certified cryptography ...
Certification
UK CESG
CESG is the National Technical Authority for Information Assurance within the UK. CESG has published the following End User Device (EUD) security guidance for Samsung devices. Samsung Devices with Android 4.2 Samsung devices with KNOX Samsung devices with KNOX 2.x Additional resources Samsung KNOX ...
Certification
Common Criteria
Common Criteria certification that complies with the Protection Profile for Mobile Device Fundamentals. ... with KNOX 2 Samsung has obtained the following Common Criteria certification that complies ...
Certification
Australian Signals Directorate
ASD has published the following announcement endorsing the Protection Profile for Mobile Device Fundamentals as well as recognizing evaluations against this Protection Profile. Samsung Galaxy Devices with Qualcomm Snapdragon Processors including the Galaxy S4, Galaxy Note 3, and the Galaxy NotePRO ...
Certification
Finland
Finnish Communications Regulatory Authority (FICORA) has successfully evaluated Samsung Knox against protective level IV defined by the Finnish Security Auditing Criteria (KATAKRI II). ...
Certification
U.S. Department of Defense (DoD)
The DoD Defense Information Systems Agency’s (DISA) Field Security Office (FSO) publishes Security Technical Implementation Guide (STIG). Samsung has obtained approval for the following STIGs. Samsung Android (with KNOX 1.0) STIG Version 1 Zip file Checklist details Samsung Android (with KNOX 1.x ...
Samsung continually updates the KNOX portfolio to address requirements for enabling secure mobility in a way that satisfies IT’s need for control, while also bolstering worker productivity. We’ve just released several significant updates that we’ll cover in the next few slides; the value these new capabilities provide helps organizations capitalize on the potential offered by Android 6.0 Marshmallow.
We’ve grouped these features into five key themes that we’ll address over the next few slides…
In KNOX 2.4 we introduced support for Android for Work, allowing users to install both services on their devices without any conflict. In KNOX 2.6 we’ve further augmented that support with deeper integration between KNOX and AfW.
Google Play for Work inside KNOX Workspace:
Allows enterprises/IT admins to perform app management (silent install/uninstall, whitelist/blacklist) using Google Play for Work inside KNOX Workspace. Play for Work shows a filtered list of apps for users to download.
AfW hardened by KNOX:
By default, the Managed Profile on a Samsung device now benefits from KNOX as follows:
- Access to the Managed Profile is contingent on the integrity of the device
- Sensitive Data Protection can be utilized by apps inside the Managed Profile without any need for additional license activation
- The Managed Profile uses the TIMA Keystore for storing certificates by default
- Exposes and uses Secure Data Policy APIs for AfW apps
Our priority around KNOX 2.6 was to reinforce our already robust platform and address potential vulnerabilities. KNOX products and services continue to evolve to address new mobile security threats.
We’ve improved the security around KNOX Mobile Enrollment to address network and enrollment time vulnerabilities. These include certificate pinning and mutual authentication of network requests made from the device to the Samsung Mobile Enrollment server.
For KNOX Workspace, HTTP Proxy configurations over VPN now support proxy authentication via NT LAN Manager (NTLM) and basic authentication. NTLM provides a suite of authentication and session protocols for HTTP Proxy over VPN.
We’ve also enhanced real time kernel protection, which monitors critical kernel data structures to verify they are not exploited by attacks. It also prevents access to privileged mode and prevents privileged folders from being moved to a different location. This new enhancement extends RKP protection to the Security Data Structure and Namespace data.
With kernel address space layout randomization (or KASLR), we’ve randomized and obfuscated the address space layout of kernel modules and data. Attacks on kernel data structures depend in part on determining the address of the data the attackers wish to modify. On devices without KASLR, the addresses of these data structures are identical from one device to another, which makes the attacker's job easy. KASLR protects and reinforces the KNOX platform by randomizing the memory address of kernel data structures and code.
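An added example, not from the original presentation or from Samsung: a small Python audit helper that compares kernel symbol addresses captured from two devices (or two boots) running the same kernel build, to check that the layout really differs as the KASLR note claims. It assumes snapshots in the Linux `/proc/kallsyms` format; the sample data and the function names are constructed for illustration.

```python
import re

# Constructed /proc/kallsyms snapshots (not from a real device). Each line is
# "<hex address> <type> <symbol>". DEVICE_C shows what a reader sees when the
# kernel hides pointers (kptr_restrict): every address is reported as zero.
DEVICE_A = """\
ffffffc000080000 T _text
ffffffc0000a1230 T do_fork
ffffffc000c45000 D init_task
"""
DEVICE_B = """\
ffffffc012480000 T _text
ffffffc0124a1230 T do_fork
ffffffc013045000 D init_task
"""
DEVICE_C = """\
0000000000000000 T _text
0000000000000000 T do_fork
0000000000000000 D init_task
"""

LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)")


def parse_kallsyms(text):
    """Return {symbol: address} for every well-formed kallsyms line."""
    symbols = {}
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            symbols[match.group(3)] = int(match.group(1), 16)
    return symbols


def compare_layouts(snap_a, snap_b):
    """Classify two snapshots of the same kernel build.

    Returns (verdict, offset):
      "randomized" - every shared symbol moved by the same non-zero offset
      "identical"  - no symbol moved (KASLR off, or the same seed was reused)
      "hidden"     - addresses are zeroed, so the layout cannot be assessed
      "mixed"      - offsets disagree (different builds or finer-grained moves)
      "unknown"    - the snapshots share no symbols
    """
    a, b = parse_kallsyms(snap_a), parse_kallsyms(snap_b)
    common = sorted(set(a) & set(b))
    if not common:
        return ("unknown", None)
    if all(a[s] == 0 for s in common) or all(b[s] == 0 for s in common):
        return ("hidden", None)
    deltas = {b[s] - a[s] for s in common}
    if deltas == {0}:
        return ("identical", 0)
    if len(deltas) == 1:
        return ("randomized", deltas.pop())
    return ("mixed", None)


if __name__ == "__main__":
    for name, other in (("A vs B", DEVICE_B), ("A vs A", DEVICE_A), ("A vs C", DEVICE_C)):
        verdict, offset = compare_layouts(DEVICE_A, other)
        print(name, verdict, hex(offset) if offset is not None else "-")
```

An "identical" verdict across a fleet is the finding to escalate; "hidden" means the snapshot was taken without the privileges needed to read kernel addresses and says nothing about KASLR itself.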
KNOX Workspace supports key productivity features for more seamless work and personal interactions.
Our new Multi Window support means end users can view a video on the personal side of their device, while taking notes on an app inside the container.
Google Voice now works on apps inside the KNOX Workspace container, allowing users to dictate speech into text.
And IT admins can now set permissions to allow users to copy and paste text from outside the KNOX Workspace into apps inside the KNOX Workspace container. Copying from the container to the personal space remains restricted, keeping confidential data confidential.
We’ve created more tools for IT admins to manage apps and data on devices including policies to enforce security updates and other app controls.
Trust Anchor Management allows IT admins and end users to choose different sets of CA certificates on BYOD devices. This provides both groups with the freedom of choice to control their own space.
IT can now also determine which apps are allowed to use mobile data when a device is connected to a roaming network. This ensures that a user’s personal apps don’t use enterprise mobile data during business travel, helping manage costs.
We’ve added Data Loss Protection, a set of policies and associated APIs that enables enterprises to enforce file and document management policies for apps in the container. These include expiration dates, forwarding rules, app whitelisting and more. What this means is if a user downloads and stores an email attachment using an email app in the KNOX container, they will not be able to forward that attachment to their personal email. This helps enterprises have tighter control of their content, and helps mitigate human error or data breaches.
And also in KNOX 2.6 we’ve created more tools to better enable our ISV, SO and MDM partners to build secure and custom solutions for their customers.
Enhancements to KNOX Enabled App have been designed to give developers more flexibility. New features include user access to internal memory in personal mode, and the ability for users to save app data and settings when an app is upgraded to KEA.
We’ve upgraded the KNOX Customization SDK to allow for even more customization capabilities. This includes enhanced system control to add or remove widgets and shortcuts to the home screen, auto-boot on power-on, add or remove items from the status bar, and allow removal of the Edit button. Partners may also add items in Settings for Professional Kiosk mode.
In addition, the new Attestation API enables ISVs and individual developers to establish an attestation server with an attestation-only license. This allows them to determine device functionality before proceeding with the sensitive functionality of the application.
KNOX works on many Samsung devices – including the new Galaxy S7 and S7 edge, the Galaxy S6 phones, and Note 5 – so that you can be assured that your devices are fully secured and equipped for business.
We will continue to expand support for KNOX across as many Samsung mobile devices as we can.
KNOX also has strong support for our partner community. MDM vendor support means that IT can centrally monitor and manage Samsung devices and enforce security and compliance controls. Samsung works closely with each of these vendors to ensure they can rapidly take advantage of any new features in the KNOX platform.
These MDM vendors have added important functionality to enterprise mobility, leveraging KNOX features to ensure:
- Manageability of KNOX Workspace
- Planned support for Galaxy S6 edge+ and Note 5
- KNOX 2.x integration
From a solution and app perspective, Samsung also works closely with a broad set of ISVs to ensure that you can arm your workers with the applications they need to be secure and productive. There also are popular business productivity and security apps available on Google Play.
So to recap, KNOX makes it possible to support any business user – whether an individual, an SMB, or an enterprise – on many of the wildly popular, innovative mobile devices that Samsung has in the market. It maximizes the baseline security available in Android, ensuring that companies have all of the data security, application security, and enterprise-ready features necessary to enable Samsung devices to interact securely with their networks. The new features available for IT administrators and users are available now with Galaxy S7, S7 edge, S6, S6 edge, S6 edge+ and Note 5 devices. In the meantime, you can visit samsungknox.com for the latest information.