In-Depth Look at Capabilities: Samsung KNOX and Android for Work
Javier Hernán González Carrillo mailto:[email protected] http://www.linkedin.com/in/JavierHernanGonzalezCarrillo - +34 673 403 421
Capability: Silent Install

Samsung KNOX:
Using the Samsung KNOX Workspace Mobile Device Management (MDM) APIs, IT admins can install and enable applications automatically. The simplified enrollment process supports the fully automated creation of an enterprise-grade Workspace and provisioning of apps and policies.

KNOX adds:
Samsung KNOX Mobile Enrollment allows IT admins to stage and enroll hundreds or thousands of employees automatically by configuring device information in the cloud. Samsung also provides a web tool and an application to scan smartphone package barcodes (the device IMEI).

Android for Work:
Using the EMM console, IT admins can silently install, remove, and update apps inside Android for Work. This capability greatly simplifies the user experience (and makes life easier for IT admins) because no user intervention is required to update or remove apps.
Capability: Application Configuration

Samsung KNOX:
KNOX provides the following capabilities to IT admins:
- Install and uninstall applications.
- Restrict installation and uninstallation of applications.
- Disable and enable applications.
- Query the current state of an application.
- Control application behavior.
- Control notifications of applications.
- Configure the email client.
- Configure the SSL VPN client for Cisco, F5 and Juniper.

Android for Work:
Using the EMM console, IT admins can configure the settings for a particular application. When Android for Work is configured, app settings are pushed to the device.
Capability: Secure App Installation from Google Play

Samsung KNOX:
With more than 1500 MDM APIs, KNOX gives IT admins control over which apps can be run inside the Workspace, thus eliminating the problem of sideloading of untrusted apps.
Additionally, administrators can deploy any app from the Google Play store to the Workspace, or allow users to install the Google Play app inside the Workspace. IT admins can also install applications from a private app store.

Android for Work:
Google has introduced a new set of Google Play APIs for EMM providers to enable app management and distribution and control app deployment in Android for Work. As a result, malicious apps cannot be sideloaded. This new process, combined with the Lollipop Android for Work Profile, enables IT managers to deploy any app in the Google Play Store to a secure Android container without any additional wrapping.
Capability: Privacy for Self-hosted Apps

Samsung KNOX:
KNOX enables private enterprise apps to be installed on a device.

Android for Work:
Organizations concerned about security for their private, in-house apps can choose to self-host these apps either internally or through their EMM provider. Either way, self-hosted apps can be excluded from public search results in the Google Play Store.
Capability: Separate Container for Work Apps

Samsung KNOX:
The KNOX Workspace provides an isolated environment and UI for enterprise use consisting of a separate home screen, launcher, enterprise apps, and widgets. Data owned by apps in the KNOX Workspace is protected by extensive Data At Rest (DAR) protections. IT admins can use an extensive set of Workspace configuration APIs to provision and configure the Workspace and its DAR protections.

Android for Work:
Android for Work simplifies mobile app management and security by providing a secure profile, or container, to Android devices running Android 4.0 and higher. IT admins can use an EMM to securely provision and containerize apps on any device with an Android for Work Profile (Android Lollipop), or the Android for Work app (Android 4.0 to 4.4).
Capability: Suite of Productivity Apps (email, calendar, etc.)

Samsung KNOX:
KNOX applies a badge to apps running in the Workspace to help the user distinguish them from personal apps.

Android for Work:
Android for Work features a suite of secure, badged PIM apps designed to help workers easily distinguish between personal and work apps on the device.
Capability: Data Loss Prevention

Samsung KNOX:
KNOX MDM policies can regulate sharing of information between the Workspace and personal apps. This includes sharing of calendar, contacts and notifications. Copy/paste clipboard data is blocked from the Workspace environment to the personal environment, and vice versa.

KNOX adds:
Sensitive Data Protection
Any sensitive data received when the Workspace is locked will still be protected by Sensitive Data Protection (SDP). This works by using a public key algorithm in which the private part of the key is maintained in an encrypted partition, and the public part is used to encrypt the new sensitive data. Once the Workspace is unlocked, the data is decrypted with the private key, and re-encrypted using the usual symmetric key, which is guarded by the CMK. Currently, email subjects, bodies and attachments are marked sensitive. Additionally, the SDP Chamber provides a directory in which all files are automatically marked as sensitive, and protected by SDP.

Android for Work:
EMM governance policies manage a user's ability to share into and outside of Android for Work. This includes the ability to block copy/paste or block screen capture for apps inside the managed profile. (Note that copy/paste can be disallowed from the managed profile to the personal profile, but not vice versa.)
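The SDP lock/unlock flow described in the Sensitive Data Protection passage, as an added Python example that is not part of the original page or of Samsung's code: data arriving while the Workspace is locked is protected under the public key only, and on unlock it is recovered with the private key and re-encrypted under the CMK-guarded symmetric key. The toy RSA parameters, the SHA-256 XOR stream cipher and the per-item data-key wrapping are this demo's assumptions, not details stated by the page.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Toy textbook RSA on two fixed Mersenne primes, constructed for this demo only;
# real SDP keeps a production-size private key in an encrypted partition.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256(key || counter) keystream, standing in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SdpWorkspace:
    """Models the two protection states of SDP-marked data (e.g. an email body)."""

    def __init__(self) -> None:
        self.locked = True
        self.cmk_key = os.urandom(16)  # the usual symmetric key, guarded by the CMK
        self.store: Dict[str, Tuple[str, int, bytes]] = {}  # name -> (mode, wrapped key, body)

    def receive_sensitive(self, name: str, plaintext: bytes) -> str:
        if not self.locked:
            self.store[name] = ("symmetric", 0, stream_xor(self.cmk_key + name.encode(), plaintext))
            return "symmetric"
        # Locked: the private key is unavailable, so wrap a fresh per-item data key with
        # the public key (hybrid encryption is this demo's assumption, not stated by the page).
        data_key = os.urandom(16)
        wrapped = pow(int.from_bytes(data_key, "big"), E, N)
        self.store[name] = ("pubkey", wrapped, stream_xor(data_key, plaintext))
        return "pubkey"

    def unlock(self) -> List[str]:
        """Recover each pubkey-protected item with the private key and re-encrypt it under the CMK-guarded key."""
        self.locked = False
        migrated = []
        for name, (mode, wrapped, body) in list(self.store.items()):
            if mode == "pubkey":
                data_key = pow(wrapped, D, N).to_bytes(16, "big")
                plaintext = stream_xor(data_key, body)
                self.store[name] = ("symmetric", 0, stream_xor(self.cmk_key + name.encode(), plaintext))
                migrated.append(name)
        return migrated

    def read(self, name: str) -> bytes:
        mode, _, body = self.store[name]
        if self.locked or mode != "symmetric":
            raise PermissionError("SDP data is unreadable while the Workspace is locked")
        return stream_xor(self.cmk_key + name.encode(), body)
```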
Capability: Container VPN

Samsung KNOX:
KNOX enables additional modes of granular VPN capabilities both for the Workspace and individual apps. The MDM-configurable KNOX VPN supports multiple concurrent VPN connections, allowing for IPSec or SSL VPNs with configurable auto-reconnect and VPN tunnel chaining.
The KNOX VPN subsystem also supports other forms of packet processing, including split billing and network access control.

KNOX adds:
Enterprise Billing provides enterprises a mechanism to separate enterprise data usage from personal data usage. This enables enterprises to compensate employees for costs generated because of work, particularly in BYOD cases, or to pay only for work-related data in COPE cases.

VPN features of KNOX include:
- Administrator-configured System VPN.
- Administrator-configured Per-App VPN.
- Administrator-configured Workspace VPN.
- Multiple concurrent VPN connections.
- IPsec and SSL VPN support.
- Administrator-configured FIPS and non-FIPS VPN mode.
- Common Access Card (CAC)-based authentication.
- Always-on VPN connections with auto-reconnect.
- VPN tunnel chaining.

Android for Work:
Android for Work enables granular VPN capabilities within the managed profile, which eliminates the need for a device-wide VPN. With these new capabilities, IT can maintain greater security and control over corporate app communication on the device.
Capability: Selective Wipe

Samsung KNOX:
IT admins can wipe internal and external SD cards and application data. The entire container can be locked when compromised and can be deleted with all its data.

Android for Work:
Android for Work enables IT administrators to easily retire lost or stolen devices and remotely wipe all work data while leaving personal content intact on the device. With corporate-owned devices, IT has total device-wide controls, which include a full device wipe if necessary.
Capability: Protection Against Malicious App Downloads

Samsung KNOX:
The KNOX Workspace isolates enterprise apps and data from personal user apps. Untrustworthy personal user apps outside the Workspace cannot affect the Workspace.

KNOX adds:
Real-time Kernel Protection (RKP) achieves three important security features:
First, RKP completely prevents running unauthorized privileged code (i.e., code that has the kernel privilege) on the system, which is accomplished by preventing modification of the kernel code, injection of unauthorized code into the kernel, or execution of user space code in the privileged mode.
Second, RKP prevents kernel data from being directly accessed by user processes. This includes preventing double mapping of physical memory that contains critical kernel data into user space virtual memory. This is an important step to prevent kernel exploits that map kernel data regions into malicious processes where they could be modified by an attacker.
Third, RKP monitors some critical kernel data structures to verify that they are not exploited by attacks. In particular, RKP protects the data that defines the credentials assigned to running user processes to prevent attackers from escalating this credential by modifying this data.

KNOX Warranty Fuse. The KNOX warranty bit is a one-time programmable fuse that signifies whether the device has ever been booted into an unapproved state. If the Trusted Boot process detects that non-approved components are used, or if certain critical security features such as SELinux are disabled, it sets the fuse. Thereafter, the device can never run Samsung KNOX, device access to the DUHK and DRK in the TrustZone Secure World is revoked, and enterprise data on the device cannot be recovered.

Android for Work:
Android for Work protects business apps and data from issues arising from the user's personal activity outside the profile, such as sideloading web apps, ordering from unknown websites and other potentially insecure activity.
Samsung KNOX (continued):
TIMA Attestation
TIMA Attestation allows a device to attest facts about its state to a remote server, such as an MDM server. The attestation message contains state measurements that can be evaluated by a server, which can then decide whether to trust the device or not.
This message contains:
- Measurements collected by Trusted Boot to prove that only approved system software was loaded during boot.
- Security violation logs from PKM and RKP since the last reboot.
- Status of the KNOX warranty violation fuse.
- Whether SE for Android is running in enforcing mode.
- Device-identifying information such as the IMEI and Wi-Fi MAC address.
- A locally-computed verdict whether the device believes it is in a trustworthy state.
Trusted Boot-based KeyStore (TIMA KeyStore)
The TIMA KeyStore provides applications with services for generating and maintaining cryptographic keys. The TIMA KeyStore is only enabled if the Trusted Boot measurements match the known good values in the file tima_measurement_info, and if the KNOX warranty fuse is not set. Thus, cryptographic operations with keys in the KeyStore can only occur if the system was booted into an approved state. Keys stored in the TIMA KeyStore are further encrypted with the device-unique hardware key (DUHK), and can only be decrypted from within TrustZone Secure World on the same device. All cryptographic operations on the keys are performed within TrustZone Secure World.
The TIMA KeyStore has the same API as the familiar Android KeyStore APIs. Therefore, the only modification necessary is to specify that the TIMA KeyStore be used to provide the service.
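An added Python example, not from the page or from Samsung, covering two passages above: a server-side evaluation of the TIMA Attestation message fields the page lists, and the device-side gate the TIMA KeyStore section describes (Trusted Boot measurements match tima_measurement_info and the warranty fuse is not set). The message layout, the known-good measurement table, the enrolled-IMEI list and all identifier values are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed known-good Trusted Boot measurements; on a real device these come from
# the vendor-supplied tima_measurement_info for the exact firmware build.
KNOWN_GOOD: Dict[str, str] = {"bootloader": "a1" * 16, "kernel": "b2" * 16, "system": "c3" * 16}
ENROLLED_IMEIS = {"123456789012345"}  # constructed placeholder, not a real IMEI


@dataclass
class AttestationMessage:
    """Fields the page lists for a TIMA attestation message (the layout is this demo's assumption)."""
    measurements: Dict[str, str]      # Trusted Boot measurements, component -> hex digest
    violation_logs: List[str]         # PKM/RKP security violation logs since the last reboot
    warranty_fuse_set: bool           # KNOX warranty violation fuse status
    selinux_enforcing: bool           # SE for Android enforcing mode
    imei: str
    wifi_mac: str
    local_verdict_trustworthy: bool   # the device's own opinion of its state


def measurements_approved(measurements: Dict[str, str]) -> bool:
    """True only if every known-good component is present and matches exactly."""
    return all(measurements.get(c) == d for c, d in KNOWN_GOOD.items())


def tima_keystore_enabled(msg: AttestationMessage) -> bool:
    """Device-side gate: the TIMA KeyStore (and CCM) is enabled only after an approved boot."""
    return measurements_approved(msg.measurements) and not msg.warranty_fuse_set


def evaluate_attestation(msg: AttestationMessage) -> List[str]:
    """Server-side policy: returns the reasons to distrust the device; an empty list means trusted."""
    reasons: List[str] = []
    for component, expected in KNOWN_GOOD.items():
        if msg.measurements.get(component) != expected:
            reasons.append(f"trusted boot measurement mismatch: {component}")
    if msg.violation_logs:
        reasons.append(f"{len(msg.violation_logs)} PKM/RKP violation(s) logged since last reboot")
    if msg.warranty_fuse_set:
        reasons.append("warranty fuse set: device has booted an unapproved state")
    if not msg.selinux_enforcing:
        reasons.append("SE for Android is not in enforcing mode")
    if msg.imei not in ENROLLED_IMEIS:
        reasons.append("IMEI is not an enrolled device")
    # The local verdict is advisory only: a compromised device could claim to be trustworthy,
    # so the server never relies on it alone; a disagreement is itself worth logging.
    if msg.local_verdict_trustworthy and reasons:
        reasons.append("local verdict claims trustworthy, contradicting server evaluation")
    return reasons
```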
Trusted Boot-based Client Certificate Management (TIMA CCM)
The TIMA CCM enables storage and retrieval of digital certificates, as well as encryption, decryption, signing, and verification in a manner similar to the functions of a Smart Card. The certificates and associated keys are encrypted with a device-unique hardware key that can only be decrypted from code running within TrustZone.
TrustZone-based CCM also provides the ability to generate a Certificate Signing Request (CSR) and the associated public/private key pairs in order to obtain a digital certificate. A default certificate is provided for applications that do not require their own certificate.
Programming interfaces for certificate storage and management are provided in the KNOX Premium SDK. Application developers are provided with industry standard PKCS #11 APIs for certificate management, and therefore interact with the CCM as if it were a virtual Smart Card. Similar to the TIMA KeyStore, TIMA CCM operations are permitted only if the device was booted into an approved state.
Capability: EMM Requirement

Samsung KNOX:
KNOX requires an EMM platform to manage KNOX policies on the device.

Android for Work:
Android for Work requires a multi-OS EMM platform.
About Samsung Electronics Co., Ltd.
Samsung Electronics Co., Ltd. is a global leader in technology, opening
new possibilities for people everywhere. Through relentless innovation
and discovery, we are transforming the worlds of TVs, smartphones, tablets, PCs, cameras, home
appliances, printers, LTE systems, medical devices, semiconductors and LED solutions. We employ
286,000 people across 80 countries with annual sales of US $216.7 billion. To discover more, please
visit www.samsung.com.
For more information
For more information about Samsung Enterprise Mobility and Samsung KNOX,
visit: www.samsung.com/enterprise and www.samsung.com/knox
Copyright 2015 Samsung Electronics Co. Ltd. All rights reserved. Samsung, Samsung KNOX and Samsung GALAXY GEAR are
either trademarks or registered trademark of Samsung Electronics Co. Ltd. Specifications and designs are subject to change without
notice. Non-metric weights and measurements are approximate. All data were deemed correct at time of creation. Samsung is not
liable for errors or omissions. All brand, product, service names and logos are trademarks and/or registered trademarks
of their respective owners and are hereby recognized and acknowledged.