Samsung KNOX and Android for Work

Uploaded by javier-gonzalez-carrillo on 20-Jan-2017

In-Depth Look at Capabilities: Samsung KNOX and Android for Work

Javier Hernán González Carrillo - mailto:[email protected] - http://www.linkedin.com/in/JavierHernanGonzalezCarrillo - +34 673 403 421
The document is a capability-by-capability comparison (columns: Capability, Samsung KNOX, Android for Work). Each row below gives the capability, the KNOX behaviour, anything KNOX adds on top, and the Android for Work behaviour.

Capability: Silent Install

Samsung KNOX: Using the Samsung KNOX Workspace Mobile Device Management (MDM) APIs, IT admins can install and enable applications automatically. The simplified enrollment process supports the fully automated creation of an enterprise-grade Workspace and provisioning of apps and policies.

KNOX adds: Samsung KNOX Mobile Enrollment allows IT admins to stage and enroll hundreds or thousands of employees automatically by configuring device information in the cloud. Samsung also provides a web tool and an application to scan smartphone package barcodes (the device IMEI).

Android for Work: Using the EMM console, IT admins can silently install, remove, and update apps inside Android for Work. This capability greatly simplifies the user experience (and makes life easier for IT admins) because no user intervention is required to update or remove apps.

Capability: Application Configuration

Samsung KNOX: KNOX provides the following capabilities to IT admins:
• Install and uninstall applications.
• Restrict installation and uninstallation of applications.
• Disable and enable applications.
• Query the current state of an application.
• Control application behavior.
• Control notifications of applications.
• Configure the email client.
• Configure the SSL VPN client for Cisco, F5 and Juniper.

Android for Work: Using the EMM console, IT admins can configure the settings for a particular application. When Android for Work is configured, app settings are pushed to the device.

Capability: Secure App Installation from Google Play

Samsung KNOX: With more than 1500 MDM APIs, KNOX gives IT admins control over which apps can be run inside the Workspace, thus eliminating the problem of sideloading untrusted apps. Additionally, administrators can deploy any app from the Google Play store to the Workspace, or allow users to install the Google Play app inside the Workspace. IT admins can also install applications from a private app store.

Android for Work: Google has introduced a new set of Google Play APIs for EMM providers to enable app management and distribution and to control app deployment in Android for Work. As a result, apps cannot be sideloaded into the managed profile, which keeps malicious apps out of it. This new process, combined with the Lollipop Android for Work Profile, enables IT managers to deploy any app in the Google Play Store to a secure Android container without any additional wrapping.

Capability: Privacy for Self-hosted Apps

Samsung KNOX: KNOX enables private enterprise apps to be installed on a device.

Android for Work: Organizations concerned about security for their private, in-house apps can choose to self-host these apps either internally or through their EMM provider. Either way, self-hosted apps can be excluded from public search results in the Google Play Store.

Capability: Separate Container for Work Apps

Samsung KNOX: The KNOX Workspace provides an isolated environment and UI for enterprise use, consisting of a separate home screen, launcher, enterprise apps, and widgets. Data owned by apps in the KNOX Workspace is protected by extensive Data At Rest (DAR) protections. IT admins can use an extensive set of Workspace configuration APIs to provision and configure the Workspace and its DAR protections.

Android for Work: Android for Work simplifies mobile app management and security by providing a secure profile, or container, on Android devices running Android 4.0 and higher. IT admins can use an EMM to securely provision and containerize apps on any device with an Android for Work Profile (Android Lollipop), or with the Android for Work app (Android 4.0 to 4.4).

Capability: Suite of Productivity Apps (email, calendar, etc.)

Samsung KNOX: KNOX applies a badge to apps running in the Workspace to help the user distinguish them from personal apps.

Android for Work: Android for Work features a suite of secure, badged PIM apps designed to help workers easily distinguish between personal and work apps on the device.

Capability: Data Loss Prevention

Samsung KNOX: KNOX MDM policies can regulate sharing of information between the Workspace and personal apps. This includes sharing of calendar, contacts and notifications. Copy/paste clipboard data is blocked from the Workspace environment to the personal environment, and vice versa.

KNOX adds: Sensitive Data Protection. Any sensitive data received while the Workspace is locked is still protected by Sensitive Data Protection (SDP). SDP uses a public key algorithm: the private half of the key pair is kept in an encrypted partition, so it is unavailable while the Workspace is locked, and the public half is used to encrypt newly received sensitive data. Once the Workspace is unlocked, the data is decrypted with the private key and re-encrypted under the usual symmetric key, which is guarded by the CMK. Currently, email subjects, bodies and attachments are marked sensitive. Additionally, the SDP Chamber provides a directory in which all files are automatically marked as sensitive and protected by SDP.

Android for Work: EMM governance policies manage a user's ability to share into and out of Android for Work. This includes the ability to block copy/paste or screen capture for apps inside the managed profile. (Note that copy/paste can be disallowed from the managed profile to the personal profile, but not vice versa.)
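The locked-state path of SDP described above, as an added Go example; it is not Samsung's code and not part of the original document. It assumes RSA-OAEP for the "public key algorithm" the page does not name, AES-256-GCM for the symmetric key, and the item name as the OAEP label (so a blob cannot be moved between items); the lock state is a flag, where a real device keeps the private half and the symmetric key themselves encrypted while locked. The page describes the public key encrypting the data directly, which is what this keeps; an email attachment is larger than one OAEP block, so a real implementation would encrypt a per-item key this way and the data under that key. Names such as Workspace, Item, Receive, Unlock and Read are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Item is one sensitive object (an email subject or body, a file in the SDP Chamber).
type Item struct {
	Locked bool   // true: Blob is RSA-OAEP under the public key, unreadable until Unlock rekeys it
	Blob   []byte // false: nonce || AES-256-GCM ciphertext under the symmetric key
}

// Workspace models the SDP key hierarchy; the lock state is a flag here, where a real device keeps sym and priv encrypted while locked.
type Workspace struct {
	unlocked bool
	sym      cipher.AEAD     // the symmetric key the page says the CMK guards; usable only while unlocked
	priv     *rsa.PrivateKey // the private half, in an encrypted partition on the page; usable only while unlocked
	Items    map[string]*Item
}

func NewWorkspace() (*Workspace, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // RSA-OAEP is an assumption: the page says only "public key algorithm"
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(randBytes(32)) // a 32-byte key cannot fail
	sym, _ := cipher.NewGCM(block)           // an AES block cannot fail
	return &Workspace{unlocked: true, sym: sym, priv: priv, Items: map[string]*Item{}}, nil
}

func (w *Workspace) Lock() { w.unlocked = false }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible to do but stop
	}
	return b
}

// seal encrypts under the symmetric key with a fresh random nonce prefixed to the output.
func (w *Workspace) seal(pt []byte) []byte {
	nonce := randBytes(w.sym.NonceSize())
	return w.sym.Seal(nonce, nonce, pt, nil)
}

// Receive stores new sensitive data. While locked only the public key is usable, so the
// data goes under it, with the item name as OAEP label so a blob cannot be moved to another item.
func (w *Workspace) Receive(name string, pt []byte) error {
	if w.unlocked {
		w.Items[name] = &Item{Blob: w.seal(pt)}
		return nil
	}
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &w.priv.PublicKey, pt, []byte(name))
	if err != nil {
		return err
	}
	w.Items[name] = &Item{Locked: true, Blob: blob}
	return nil
}

// Unlock releases the private key and rekeys every locked-state item under the symmetric key.
func (w *Workspace) Unlock() error {
	w.unlocked = true
	for name, it := range w.Items {
		if !it.Locked {
			continue
		}
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, w.priv, it.Blob, []byte(name))
		if err != nil {
			return err
		}
		*it = Item{Blob: w.seal(pt)}
	}
	return nil
}

// Read returns an item's plaintext from the symmetric key; it fails while locked.
func (w *Workspace) Read(name string) ([]byte, error) {
	if !w.unlocked {
		return nil, errors.New("workspace is locked")
	}
	it := w.Items[name]
	if it == nil || it.Locked {
		return nil, errors.New("item missing or not yet rekeyed")
	}
	n := w.sym.NonceSize()
	if len(it.Blob) < n {
		return nil, errors.New("blob too short")
	}
	return w.sym.Open(nil, it.Blob[:n], it.Blob[n:], nil)
}
```

The two paths are the point: data that arrives while unlocked goes straight under the symmetric key, data that arrives while locked is readable by nobody on the device until the user unlocks and Unlock rekeys it. Binding the item name into the OAEP label means a locked-state blob copied to another item fails to decrypt instead of silently becoming that item's content.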

Capability: Container VPN

Samsung KNOX: KNOX enables additional modes of granular VPN capabilities, both for the Workspace and for individual apps. The MDM-configurable KNOX VPN supports multiple concurrent VPN connections, allowing IPsec or SSL VPNs with configurable auto-reconnect and VPN tunnel chaining. The KNOX VPN subsystem also supports other forms of packet processing, including split billing and network access control.

KNOX adds: Enterprise Billing provides enterprises a mechanism to separate enterprise data usage from personal data usage. This enables enterprises to compensate employees for costs generated because of work, particularly in BYOD cases, or to pay only for work-related data in COPE cases.

VPN features of KNOX include:
• Administrator-configured System VPN.
• Administrator-configured Per-App VPN.
• Administrator-configured Workspace VPN.
• Multiple concurrent VPN connections.
• IPsec and SSL VPN support.
• Administrator-configured FIPS and non-FIPS VPN mode.
• Common Access Card (CAC)-based authentication.
• Always-on VPN connections with auto-reconnect.
• VPN tunnel chaining.

Android for Work: Android for Work enables granular VPN capabilities within the managed profile, which eliminates the need for a device-wide VPN. With these new capabilities, IT can maintain greater security and control over corporate app communication on the device.

Capability: Selective Wipe

Samsung KNOX: IT admins can wipe internal and external SD cards and application data. The entire container can be locked when compromised and can be deleted with all its data.

Android for Work: Android for Work enables IT administrators to easily retire lost or stolen devices and remotely wipe all work data while leaving personal content intact on the device. With corporate-owned devices, IT has total device-wide controls, which include a full device wipe if necessary.

Capability: Protection Against Malicious App Downloads

Samsung KNOX: The KNOX Workspace isolates enterprise apps and data from personal user apps. Untrustworthy personal user apps outside the Workspace cannot affect the Workspace.

KNOX adds: Real-time Kernel Protection (RKP) achieves three important security features:

First, RKP completely prevents running unauthorized privileged code (i.e., code that has kernel privilege) on the system. This is accomplished by preventing modification of the kernel code, injection of unauthorized code into the kernel, or execution of user space code in privileged mode.

Second, RKP prevents kernel data from being directly accessed by user processes. This includes preventing double mapping of physical memory that contains critical kernel data into user space virtual memory. This is an important step to prevent kernel exploits that map kernel data regions into malicious processes, where they could be modified by an attacker.

Third, RKP monitors some critical kernel data structures to verify that they are not exploited by attacks. In particular, RKP protects the data that defines the credentials assigned to running user processes, to prevent attackers from escalating privilege by modifying this data.

KNOX Warranty Fuse. The KNOX warranty bit is a one-time programmable fuse that signifies whether the device has ever been booted into an unapproved state. If the Trusted Boot process detects that non-approved components are used, or if certain critical security features such as SELinux are disabled, it sets the fuse. Thereafter, the device can never run Samsung KNOX, device access to the DUHK and DRK in the TrustZone Secure World is revoked, and enterprise data on the device cannot be recovered.

Android for Work: Android for Work protects business apps and data from issues arising from the user's personal activity outside the profile, such as sideloading web apps, ordering from unknown websites and other potentially insecure activity.

KNOX adds (continued): TIMA Attestation

TIMA Attestation allows a device to attest facts about its state to a remote server, such as an MDM server. The attestation message contains state measurements that can be evaluated by a server, which can then decide whether or not to trust the device.

This message contains:
• Measurements collected by Trusted Boot to prove that only approved system software was loaded during boot.
• Security violation logs from PKM and RKP since the last reboot.
• Status of the KNOX warranty violation fuse.
• Whether SE for Android is running in enforcing mode.
• Device-identifying information such as the IMEI and Wi-Fi MAC address.
• A locally-computed verdict on whether the device believes it is in a trustworthy state.

Capability: Protection Against Malicious App Downloads (continued)

KNOX adds (continued): Trusted Boot-based KeyStore (TIMA KeyStore)

The TIMA KeyStore provides applications with services for generating and maintaining cryptographic keys. The TIMA KeyStore is only enabled if the Trusted Boot measurements match the known good values in the file tima_measurement_info, and if the KNOX warranty fuse is not set. Thus, cryptographic operations with keys in the KeyStore can only occur if the system was booted into an approved state. Keys stored in the TIMA KeyStore are further encrypted with the device-unique hardware key (DUHK), and can only be decrypted from within the TrustZone Secure World on the same device. All cryptographic operations on the keys are performed within the TrustZone Secure World.

The TIMA KeyStore has the same API as the familiar Android KeyStore APIs. Therefore, the only modification necessary is to specify that the TIMA KeyStore be used to provide the service.
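The Trusted Boot measurements, the one-time warranty fuse, the attestation message and the TIMA KeyStore enabling rule from the TIMA Attestation and TIMA KeyStore passages above, as one added Go example; it is not Samsung's code and not part of the original document. Names such as Stage, KnownGood, Digest, Device, Boot, Attest, KeyStoreEnabled and VerifyAttestation are this example's own; SHA-256 as the measurement hash, the server-supplied nonce and the LogViolation call are assumptions the page does not make. The caveat it is built around: the locally-computed verdict in the message is the device's claim about itself, so the server rebuilds its decision from the measurements, the fuse and the SELinux state. A real deployment would also verify a signature over the message, which the page does not describe and this example omits.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

// Stage is one component Trusted Boot measures; Image is a constructed stand-in for
// its bytes. SHA-256 is an assumption: the page does not name the hash.
type Stage struct {
	Name  string
	Image []byte
}

// KnownGood stands in for tima_measurement_info: stage name -> expected digest.
type KnownGood map[string]string

func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// mismatches lists the stages whose measurement differs from, or is missing in, the table.
func mismatches(m map[string]string, good KnownGood) []string {
	var out []string
	for name, want := range good {
		if got, ok := m[name]; !ok || got != want {
			out = append(out, name)
		}
	}
	return out
}

// Device holds the state the page says the attestation message reports.
type Device struct {
	Measurements   map[string]string
	WarrantyFuse   bool     // one-time programmable: set on a bad boot, never cleared
	SELinuxEnforce bool
	ViolationLog   []string // PKM/RKP violations since the last reboot
}

// Boot re-measures every stage; a mismatch, or SELinux not enforcing, sets the fuse.
func (d *Device) Boot(stages []Stage, good KnownGood, selinuxEnforcing bool) {
	d.Measurements = make(map[string]string, len(stages))
	d.ViolationLog = nil // the log restarts at each reboot; the fuse does not
	d.SELinuxEnforce = selinuxEnforcing
	for _, s := range stages {
		d.Measurements[s.Name] = Digest(s.Image)
	}
	if len(mismatches(d.Measurements, good)) > 0 || !selinuxEnforcing {
		d.WarrantyFuse = true
	}
}

// LogViolation records a runtime PKM/RKP event (assumed interface, not on the page).
func (d *Device) LogViolation(event string) { d.ViolationLog = append(d.ViolationLog, event) }

// KeyStoreEnabled applies the TIMA KeyStore rule: measurements match and the fuse is not set.
func (d *Device) KeyStoreEnabled(good KnownGood) bool {
	return !d.WarrantyFuse && len(mismatches(d.Measurements, good)) == 0
}

// Attestation is the message sent to the MDM server. Nonce is not on the page's list;
// it is assumed here so that a recorded message cannot be replayed.
type Attestation struct {
	Nonce          string
	Measurements   map[string]string
	ViolationLog   []string
	WarrantyFuse   bool
	SELinuxEnforce bool
	IMEI, WifiMAC  string
	LocalVerdict   bool
}

func (d *Device) Attest(nonce, imei, mac string) Attestation {
	return Attestation{Nonce: nonce, Measurements: d.Measurements, ViolationLog: d.ViolationLog,
		WarrantyFuse: d.WarrantyFuse, SELinuxEnforce: d.SELinuxEnforce, IMEI: imei, WifiMAC: mac,
		LocalVerdict: !d.WarrantyFuse && d.SELinuxEnforce && len(d.ViolationLog) == 0}
}

// VerifyAttestation is the server side. LocalVerdict is never used as evidence (a compromised
// device can claim anything); the decision is rebuilt from the raw fields against the server's table.
func VerifyAttestation(a Attestation, expectedNonce string, good KnownGood) (bool, []string) {
	var reasons []string
	if a.Nonce != expectedNonce {
		reasons = append(reasons, "nonce mismatch: replayed or forged message")
	}
	if a.WarrantyFuse {
		reasons = append(reasons, "warranty fuse set")
	}
	if !a.SELinuxEnforce {
		reasons = append(reasons, "SE for Android not enforcing")
	}
	for _, name := range mismatches(a.Measurements, good) {
		reasons = append(reasons, "measurement mismatch: "+name)
	}
	if len(a.ViolationLog) > 0 {
		reasons = append(reasons, "PKM/RKP violations logged since reboot")
	}
	return len(reasons) == 0, reasons
}
```

Two behaviours worth checking against the text: a reboot clears the violation log but never clears the fuse, so a device that was once booted with a modified kernel stays untrusted and keeps its KeyStore disabled even after a clean boot; and a message whose LocalVerdict says "trustworthy" is still rejected when its own measurements or fuse status say otherwise.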

Trusted Boot-based Client Certificate Management (TIMA CCM)

The TIMA CCM enables storage and retrieval of digital certificates, as well as encryption, decryption, signing, and verification, in a manner similar to the functions of a smart card. The certificates and associated keys are encrypted with a device-unique hardware key that can only be decrypted by code running within TrustZone.

TrustZone-based CCM also provides the ability to generate a Certificate Signing Request (CSR) and the associated public/private key pair in order to obtain a digital certificate. A default certificate is provided for applications that do not require their own certificate.

Programming interfaces for certificate storage and management are provided in the KNOX Premium SDK. Application developers are provided with industry-standard PKCS #11 APIs for certificate management, and therefore interact with the CCM as if it were a virtual smart card. Similar to the TIMA KeyStore, TIMA CCM operations are permitted only if the device was booted into an approved state.

Capability: EMM Requirement

Samsung KNOX: KNOX requires an EMM platform to manage KNOX policies on the device.

Android for Work: Android for Work requires a multi-OS EMM platform.

About Samsung Electronics Co., Ltd.

Samsung Electronics Co., Ltd. is a global leader in technology, opening new possibilities for people everywhere. Through relentless innovation and discovery, we are transforming the worlds of TVs, smartphones, tablets, PCs, cameras, home appliances, printers, LTE systems, medical devices, semiconductors and LED solutions. We employ 286,000 people across 80 countries with annual sales of US $216.7 billion. To discover more, please visit www.samsung.com.

For more information

For more information about Samsung Enterprise Mobility and Samsung KNOX, visit: www.samsung.com/enterprise and www.samsung.com/knox

Copyright 2015 Samsung Electronics Co. Ltd. All rights reserved. Samsung, Samsung KNOX and Samsung GALAXY GEAR are either trademarks or registered trademarks of Samsung Electronics Co. Ltd. Specifications and designs are subject to change without notice. Non-metric weights and measurements are approximate. All data were deemed correct at time of creation. Samsung is not liable for errors or omissions. All brand, product, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.
