Samsung Knox is a suite of enhancements designed to address the security problems in the current open source Android platform. Samsung Knox offers much enhanced security than SAFE devices and it is ideal for use in enterprises that require high level security. It enables to secure and segregate the personal and corporate data of users by creating an exclusive container for corporate data on personal devices. A container cannot be created on devices enrolled as Device Owner, since the entire device is managed by the organization. It also provides Application Security by allowing the segregation of apps for personal and corporate use. The devices that support Knox and the prerequisites for management of Knox devices are described. Rooted Samsung devices cannot be enrolled under Knox.
Knox Supported Devices
Refer to this for a complete list of devices that support Knox.
Note: Knox container cannot be created from Android 10.0 or later devices, since Samsung and Google have partnered to deploy a common Harmonized Container starting with Samsung Galaxy S8 devices running Android 10.0 or later.
Knox Device Management
Knox Device Management commences with the process of creating a Knox Container within the device. A Knox License is the basic requirement to activate a Knox Container on the device. Knox License management includes the following:
- Creating a Knox Portal Account
- Uploading Licenses to Mobile Device Manager Plus
- Distributing Licenses to Devices/Groups
- Revoking Knox Licenses
- Adding more Knox Licenses
Creating Knox Portal Account
Managing Knox devices requires a Knox Workspace License that can be directly purchased from Knox Marketplace. For purchasing Knox Licenses, it is necessary to create a Knox Portal Account. For creating the account and purchasing licenses, refer to this
Uploading Licenses to Mobile Device Manager Plus
On purchasing the required licenses, it is mandatory to upload the License Key to Mobile Device Manager Plus server to facilitate the distribution of licenses and management of devices. Refer to the steps given below to upload licenses to Mobile Device Manager Plus:
- On the web console, navigate to Knox -> Upload License
- Copy and Paste the License Key in the space provided and specify the number of devices to be managed using the licenses, in Device Count.
- Mention the Expiry Date provided by Samsung, to receive notification regarding License Expiry.
- Click Save
- A Knox container cannot be created on a Samsung device if it is provisioned as Device Owner. The device must be provisioned as Profile Owner. Only one Knox container can be created per device.
- Mobile Device Manager Plus does not validate the License Key details or Expiry Date. Any error in the given data would reflect only when the Knox container is created and the process would fail. If required, you can check the validity of the Knox Workspace License Key using "Check License Key" option after logging in to your Knox Portal Account.
Distributing Licenses to Groups/Devices
Knox licenses can be distributed by following the steps given below:
- On the web console, go to Knox -> Distribute Licenses
- Select the License Distribution Option as Automatically or Manually.
Selecting the option Automatically, enables you to apply Knox licenses automatically to all Knox devices or Groups during enrollment. In case you select Groups, mention the groups to which the licenses must be automatically applied. Choosing Automatic Distribution will distribute the licenses only to devices which will be enrolled henceforth. On selecting the option Manually, licenses can be manually applied to the devices listed in Knox Devices tab after enrollment. This can be done by selecting the devices and then selecting Create Container button.
- Enable the check box to Overwrite the existing Knox container created by user if necessary.
This option is applicable only for Knox v1.0 devices, since other Knox devices support multiple containers. If this check box is not enabled while distributing licenses to Knox v1.0 devices, Knox containers will not be created in the devices. However, the Knox license would get distributed to the device. On overwriting the existing Knox container present in the device, all data present in the existing container is lost and no notification is issued to the user for data backup.
- Click Save
When a license gets applied to a device, then a Knox container is created within the device. Users can access all the corporate data and apps distributed to the device by entering the Knox container.
In case the number of enrolled Knox devices exceeds the count of available licenses, then the licenses would not get applied to the extra devices. This requires you to purchase new licenses and then upload to Mobile Device Manager Plus in order to distribute them to devices.
Revoking Knox Licenses
When a particular user's device no longer needs to be managed, you can revoke the Knox license from that device and reuse it on a different device. Refer to the steps given below to revoke Knox licenses from devices:
- On the web console, go to Knox -> Knox Devices
- Select the devices from which you choose to revoke the licenses.
- Select Remove Container.
The licenses will be revoked from the selected devices. On revoking the licenses, the Knox container would be removed from the devices.
In case you want to redistribute the revoked licenses, choose the required devices and then select Create Container. The licenses would get redistributed to the selected devices.
Adding more Knox Licenses
If you purchase more licenses to manage additional devices, you have to modify the license details which were uploaded earlier. In that case, you may follow the steps mentioned below:
- On the web console, navigate to Knox -> Upload License
- Select Modify and make the required modifications.
- Click Save
Now, the modified licenses would get automatically reapplied to the devices irrespective of the Distribution Settings.
You need to modify only the Device Count while purchasing additional licenses to manage extra devices, as it will not modify the License Key uploaded on Mobile Device Manager Plus.
Knox License Expiry and Renewal
Mobile Device Manager Plus will start displaying notifications regarding the expiry of licenses, 30 days prior to the license Expiry Date. In case the license expires, the Knox Container gets locked and the user will not be able to access the container. Hence, on expiry of Knox licenses, you must purchase new licenses or renew the existing licenses from your Knox Portal Account. Refer to this, to know more.
If you extend the validity of the existing licenses alone, mention the correct Expiry Date while modifying license details and the licenses will be automatically reapplied to the devices. To modify license details, navigate to Knox -> Upload License and click on Modify tab.
We have made your job simpler!
Learn how to perform out-of-the-box Samsung Knox Mobile Enrollment using MDM, in under 5 minutes through this demo video.
Best Practices for Knox
Disabling Device Administrator
If the user disables Device Administrator in the device, then the container will be removed from the device and the license will be disassociated in server. For exercising better management activities on mobile devices, it is recommended to restrict users from disabling Device Administrator from their devices. This limits users' ability to remove ME MDM App from their mobile devices.
Creating exclusive Group for Knox
It is advisable to create a Group dedicated to Knox devices in Mobile Device Manager Plus. This enables easy management of Knox devices by saving time during Profile and App Management.
Restricting contact between Device and Container
Restricting the transfer of data between the device and container ensures higher level of security by not permitting corporate data loss. This can be carried out by configuring corporate Email to be accessed only from the container, disabling sharing of "Contacts" to device while creating profile for Knox Container Restrictions, etc.
Passcode policy for Container
It is advisable to select a Complex Value type passcode to secure containers. Also, it is best to keep the maximum number of failed attempts at the lowest value for better security. Allowing the container to stay idle for the least value of time and setting it to Auto-lock on exceeding the time limit specified, confirms that your container remains protected.
You can enforce stringent restrictions like disabling the use of camera and "share via" list, to keep the Knox Container highly secured.
Upgrading to latest version of Knox
It is highly recommended to upgrade your Android Knox to the latest version, in order to distribute Apps to Knox Container by avoiding the process of "App Wrapping".