Knox Platform For Enterprise - Samsung Electronics


Knox Platform for Enterprise White Paper

Samsung Knox Platform for Enterprise (KPE) White Paper

About this White Paper

This White Paper provides an overview of the Samsung Knox Platform for Enterprise, also known as KPE or Knox Platform, focusing on the unique advantages that differentiate KPE from other options in the mobile device market.

This document is designed for C-level executives, security professionals, IT managers, IT admins, and others evaluating KPE as a solution. For additional information about KPE, go to the Samsung Knox Product site.

Revision history

Version  Knox Version    Date                Revisions
1.0      3.2 and higher  September 12, 2018  First release.
1.0.1    3.2 and higher  November 1, 2018    Minor revisions.
1.1      3.3 and higher  February 20, 2019   New info about DualDAR Encryption and Knox Verified Boot. Updates to Feature Comparison and Sensitive Data Protection.

Copyright

Copyright 2019 Samsung Electronics Co. Ltd. All rights reserved. Samsung is a registered trademark of Samsung Electronics Co. Ltd. Samsung Knox is a trademark of Samsung Electronics Co. Ltd in the United States and other countries. All brand, product, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.

Page 2 of 55

Contents

Introduction  4
  The Samsung Knox Platform  4
  Knox Platform differentiators  5
    Security highlights  5
    Manageability highlights  7
  Feature Comparison  8
Core Platform Security  12
  Root of Trust  12
    Knox Platform trusted environment  12
    How the Root of Trust works  13
    Hardware-backed security  13
  Trusted Boot  15
    Secure lockdown on tampering  15
    Building on Secure Boot  15
    Knox Verified Boot (KVB)  16
  Real-time Kernel Protection (RKP)  17
    Why does kernel protection matter?  17
    RKP design and structure  17
    How is kernel protection possible?  18
    Full security coverage  19
  Device Health Attestation  19
    Reliable detection of compromised devices  19
    How Knox Attestation works  20
    Unique advantages of Knox Attestation  20
  Sensitive Data Protection (SDP)  20
    Two levels of protection  21
    How SDP works  21
    SDP protection of apps  22
    Unique advantages of Knox SDP  22
  App Container  23
    Hardware-Backed Security  23
    Granular Management Policies  24
Network Security  25
  Virtual Private Networks (VPN)  25
    Unique advantages of Knox VPN framework  25
    Robust handling of enterprise requirements  26
    High-security built-in VPN client  26
  Network Platform Analytics (NPA)  27
    NPA design  28
    Unique advantages of Knox NPA  28
    NPA-compatible solutions  28
Certificate Management  29
  Universal Credential Management (UCM)  29
    UCM framework  29
    Secure storage options  30
    UCM whitelists  30
  Client Certificate Manager (CCM)  31
    Granular certificate and key access control  31
    Signing with device-specific certificates  31
    Device integrity assurance  31
    Keystore integration with other features  32
  Certificate Enrollment Protocols (CEP)  32
    CEP asymmetric key acquisition  33
    CEP operational environment  33
Device Management  34
  Device Software Update Management  34
    Why manage device software updates?  34
    Strict control over device firmware updates  34
    Knox control over user updates  35
  Granular Device Management  36
    Custom boot banner  36
    Split billing (Dual APN)  36
    Remote admin lock of device  36
    Enterprise roaming  37
    Granular policies  37
  Samsung DeX Management  39
    Why use Samsung DeX?  39
    Using Knox to customize DeX  40
    Unique advantages of Samsung DeX  40
  Firewall Management  41
    Why manage and customize device firewalls?  41
    Granular control of Internet access  41
    Log unsafe URL access  41
  Remote Control  42
    Unique advantages of Knox Remote Control  42
  Audit Log  43
User Authentication  44
  Biometric authentication  44
    Advantages of Knox Biometrics  44
App and Data Protection  46
  Enterprise Productivity Apps  46
    Samsung Email  46
    Samsung Internet Browser  47
    Samsung Contacts  48
  Advanced App Management  48
    Unique advantages of Knox App Management  48
  DualDAR Encryption  50
    How DualDAR encryption works  51
    Unique advantages of Knox DualDAR  52
Appendix  53
  Knox Certifications  53
  Common Criteria Mode  55

Introduction

The Samsung Knox Platform

Samsung's Knox platform brings defense-grade security on the most popular consumer devices to all enterprises. The Knox Platform provides best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features commonplace in today's mobile device market. The Knox platform is the cornerstone of a strong mobile security strategy supporting a wide variety of Samsung devices.

Why use the Knox Platform?

The Knox platform helps you and your enterprise avoid the security gaps common on many mobile platforms. Knox received strong ratings in 25 of 28 categories in Gartner's December 2017 Mobile OSs and Device Security: A Comparison of Platforms and has received strong ratings for the last three years in a row.

The Knox Platform's security hardening supports every aspect of mobile device operation. The Knox Platform enables trust in your mobile endpoints with advanced features like Samsung's patented Real-time Kernel Protection (RKP), which stands as one of the best kernel protection technologies available from any mobile device vendor. The Knox Platform ensures IT admins can securely bulk deploy the best mobile device hardware, and quickly integrate with existing business infrastructure and apps.

Key benefits for enterprises

- Easily meet your organization's security and compliance requirements, by providing solid platform integrity, strong data protection, and fine-grained policy enforcement.
- Seamlessly activate and manage Knox Platform features through an Enterprise Mobility Management (EMM) system.

- Flexibly support infrastructure, deployment, and management requirements, through centralized remote device control, advanced VPN management, app whitelisting and blacklisting, and granular policies that control all aspects of Samsung devices.
- Effortlessly upgrade from Android Enterprise, leveraging a comprehensive set of Knox Platform benefits without affecting existing deployments.
- Securely deploy the innovative Samsung Desktop Experience (DeX) in new work environments, unifying mobile and desktop computing on one device.

The Knox Platform's cutting-edge security technology continues to be widely adopted and proven by numerous government, security, and financial agencies throughout the world. Samsung continually works with global government organizations and international regulatory bodies to meet a wide range of certification requirements designed to protect public safety and consumer privacy.

Knox Platform differentiators

The Knox Platform provides a robust set of features, a superset built on top of the basic Android platform, to fill security and management gaps, resolve pain points identified by enterprises, and meet the strict requirements of highly regulated industries. The following sections summarize the key differentiating features. For a quick overview of how these features compare across different platforms, see "Feature Comparison" on page 8.

Security highlights

The following sections describe how the Knox Platform provides an industry-leading ecosystem of products and services to secure and ease mobile device management.

Hardware-backed security

The Knox Platform defends against security threats and protects enterprise data through layers of security built on top of a hardware-backed trusted environment.

- Trusted environment — A trusted environment separates security-critical code from the rest of the operating system. This strategic separation ensures only trusted processes that are isolated and protected from attacks and exploits can perform sensitive operations, such as data encryption and decryption. Trusted environments perform integrity checks prior to executing any software. These checks detect malicious attempts to modify the trusted environment and the software running on the device.
- Hardware-backed — A trusted environment is hardware-backed if hardware protections isolate the environment from the rest of the running system. This isolation ensures that vulnerabilities in the main operating system don't directly affect the security of the trusted environment. The environment also ties integrity checks of the software running in the trusted environment to cryptographic signatures verified against keys anchored in the device hardware. Hardware-backed integrity checks prevent an attacker from exploiting software vulnerabilities to bypass protections and load unapproved software into the trusted environment.

The Knox Platform uses a hardware-backed trusted environment; the specific components depend on the device hardware. For example, ARM processors provide a Trusted Execution Environment (TEE) that leverages components such as ARM TrustZone, ARM Hypervisor Mode, and embedded Secure Elements. Knox features that use the trusted environment include Real-time Kernel Protection (RKP), Trusted Boot, Device Health Attestation, Certificate Management, Sensitive Data Protection (SDP), and Network Platform Analytics (NPA).

App isolation

The Knox Platform uses app isolation to prevent rogue apps from intentionally or inadvertently accessing unauthorized data. The Knox Platform provides several forms of app isolation to create a protected app container space on Samsung devices. Each option is based on the same core isolation technology, Security Enhancements for Android (SE for Android). SE for Android is an integration of SELinux and Android, expanded to cover Android components and design paradigms.
The Knox Platform offers these options:

- Android Enterprise on Samsung devices — Android Enterprise provides app isolation through Work Profiles, which provide basic isolation of enterprise apps from personal apps. When using Android Enterprise on Samsung devices, Knox provides features like Real-time Kernel Protection (RKP), secure enterprise apps, and hardware-backed storage of certificates and keys, making Android Enterprise even better on Samsung devices.
- Knox Workspace — The Knox Workspace builds on Android Enterprise by providing additional security and management enhancements. Specifically, the Knox Workspace benefits from hardware-backed integrity checks. These checks detect any tampering of the device or its security protections and lock down the Knox Workspace to protect confidential data. The Knox Workspace also supports Sensitive Data Protection (SDP), encrypting data during device runtime and decrypting only after the device user authenticates to unlock the Knox Workspace. Furthermore, the Knox Workspace provides more granular device management, for example, forced two-factor authentication for the Knox Workspace, the use of enterprise Active Directory credentials for authentication, and managed import and export of enterprise data in the Knox Workspace.
- SE for Android Management Service (SEAMS) — With SEAMS, you can isolate a single app or a small set of trusted apps, locking down the apps in the same container. App containers created with SEAMS provide the same benefits as the Knox Workspace. Unlike the first two options, however, SEAMS containers have no special GUI. Apps in a SEAMS container appear with the rest of the apps on the device, but are differentiated with a shield badge to show that they're isolated and protected from apps not sharing their container. You can create as many of these SEAMS containers as you want on-the-fly.

With the Knox Workspace, enterprises can deploy additional security and management policies to enforce requirements, such as those needed to work within highly regulated industries such as finance, healthcare, and government.

Data protection

Enterprises can protect personal and enterprise data on mobile devices using a rich set of Knox features:

- User authentication — Samsung Knox devices support not just password, PIN, and pattern authentication but also the latest biometric authentication: fingerprints, iris, face, and Intelligent Scan. Options are available for both device lockscreen authentication and separate Knox Workspace authentication. Through the Knox Platform, you can enforce two-factor authentication for the Knox Workspace or enterprise AD credentials to ensure stronger data protection.
- Encryption of device data — Samsung Knox devices provide data encryption through Sensitive Data Protection that binds to the hardware-backed Root of Trust and user authentication. This encryption ensures data is decrypted only on the device where the data is stored, and only by the device owner. DualDAR Encryption offers two independent instances of encryption to achieve an even higher level of reliability.
- Encryption of network data — Samsung Knox devices offer the widest selection of advanced VPN features, providing the ability to configure a separate VPN for the Knox Workspace as well as for individual apps, to reinforce data isolation even further. Knox also offers always-on VPN, on-demand VPN, on-premise VPN bypass, HTTP proxy over VPN, multiple active tunnels, strict data leakage controls, and VPN chaining or cascading.
- Device tracking, locking, and erasing — Samsung Knox devices offer the ability to track, geofence, and automatically lock devices based on events and security policies. For example, a device that leaves a specified geographic perimeter is locked, wiped of data, or reset to factory defaults.

Manageability highlights

Device management and deployment

Enterprises with tens, hundreds, or thousands of employee mobile devices need to manage them easily, securely, and efficiently. Through EMM systems, enterprise IT admins can use a web console to centrally and remotely manage devices over-the-air. IT admins can control Samsung Knox devices comprehensively, managing device features with ease.

This management is possible through the Samsung Knox SDK, which offers over 1500 APIs for granular and flexible control over Samsung devices. This functionality is on top of the basic APIs offered through the Android SDK, providing a more powerful superset of capabilities. An EMM app on an employee device receives IT admin commands from the EMM web console, and calls Knox APIs to apply those commands on Knox devices. This integration enables enterprise IT admins to deploy IT policies to manage and secure every aspect of Knox devices.

Device management services

To address a variety of business needs beyond security, the Samsung Knox portfolio is complemented by robust cloud services that ease mobile device deployment, customization, and management. These services include:

- Knox Mobile Enrollment — With this free service, enterprises can use a web console or REST API calls to automate device enrollment, either individually or in bulk. After an IT admin registers a device with this service, the device user simply turns it on and connects it to a Wi-Fi or 3G/4G network to enroll it with an EMM system. There is no manual enrollment of individual devices, and no need for IMEI management and verification – all onerous, time-consuming, and error-prone tasks.
- Knox Configure — Samsung phones, tablets, and wearables are fully customizable to work in numerous vertical markets such as hospitality, retail, and entertainment. Through a web console, Systems Integrators can create purpose-built devices that present a customized user interface, for example, an information kiosk, point-of-sale terminal, or in-flight entertainment system. The Systems Integrators can customize or restrict almost all aspects of device configuration and the user experience, including boot animations incorporating custom enterprise logos, display settings, wallpapers, network configurations, notifications, and software updates.

Learn more

This White Paper provides an overview of Knox Platform's security features and how they can help resolve common enterprise mobile deployment issues. For information about other Knox features, see the Samsung Knox website.

Feature Comparison

The following table summarizes the advantages provided out-of-box by Samsung Knox devices over non-Samsung devices, and how Knox Platform for Enterprise (KPE) extends Android Enterprise (AE).
For more information, go to the Knox Platform for Enterprise home page.

The table compares four tiers: all Android Enterprise features; AE on non-Samsung devices; KPE Standard on Samsung devices; and KPE Premium on Samsung devices. Its "How KPE extends AE" column follows, feature by feature. KPE extends AE by providing advanced security and manageability controls.

Security

Secure Lockdown on Tampering
  Upon detecting critical security compromises, the system locks down sensitive areas, preventing enterprise data from being accessed and leaked. In such circumstances, AE restricts access to previously installed keys. KPE extends AE by preventing whole components from running when tampered.

Remote Device Health Attestation
  Obtain visibility into which particular devices are experiencing security issues, such as unauthorized firmware, allowing you to troubleshoot the issue immediately. AE provides software-based SafetyNet APIs, and KPE extends AE by providing reliable hardware-based device attestation.

Knox Verified Boot
  Knox Verified Boot extends Android Verified Boot by verifying integrity before the device is booted and running, validating the bootloader, TrustZone, and Hypervisor, as well as the kernel.

Audit Log
  KPE audit log provides comprehensive device logs for troubleshooting potential issues and captures events needed to satisfy government compliance requirements.

Real-Time Kernel Protection (RKP)
  KPE extends AE by providing best-in-class kernel attack prevention features, including kernel code, kernel data, and kernel control flow protections. RKP drastically limits the number of possible attack types against Samsung devices.

Sensitive Data Protection (SDP)
  With basic AE, device data is decrypted once the device boots. With KPE's SDP, selected files remain encrypted at runtime and are decrypted only after a device user authenticates their identity at the device lockscreen or Knox Workspace login. KPE evicts decryption keys when the device or Knox Workspace locks, and complies with MDFPP requirements for US government and military.

DualDAR Encryption
  With a single instance of encryption, potential flaws in the implementation can result in a single point of failure. KPE DualDAR provides two independent layers of encryption to achieve an even higher level of reliability by enabling redundancies in protecting Data-At-Rest. This dual encryption is required for classified deployments.

Enforced Two-Factor Authentication
  KPE extends AE by enabling IT admins to force end-user two-factor authentication for logging into a Knox Workspace or Managed Device. Authentication can be accomplished either using biometrics (fingerprint, iris, face), or with traditional methods (password, PIN, pattern).

Common Criteria Mode
  KPE extends AE's device controls by exposing a Common Criteria mode to simplify the process of configuring devices into a compliant state for defense deployments.

App Isolation Groups (SEAMS)
  Unlike classic app containers utilizing a GUI, KPE extends AE by allowing you to manage "invisible" app isolation groups to protect a set of apps from any other set. Up to 300 groupings are possible.

Secure Certificate Enrollment Agents
  KPE extends AE's certificate management APIs by providing a certificate enrollment service API that closely follows the latest security protocols. There is no reason to enroll certificates insecurely, or to implement your own protocols.

Manageability

Manage Device Software Updates
  A Samsung E-FOTA license enables the controlled rollout of firmware updates upon completion of internal testing, helps avoid compatibility problems with proprietary systems or apps, and minimizes user interaction requirements for updates. KPE provides granular firmware controls that AE does not have. For example, the ability to set the highest accepted firmware version, apply a specific firmware version to a set of devices at a specific date/time, and the option to block automatic firmware updates.

Remote Control
  KPE extends base remote control capability to allow IT to remotely control employee devices to troubleshoot and fix mobile devices in the field.

Customization
  With KPE, IT admins can customize various aspects of the device software and UI beyond what is available in AE: enable/disable task manager, hardware keys, multi-window mode, etc.; custom boot banner/animation; block specific system notifications; customize items appearing on the power off dialog screen; map volume keys to app task switching; and more.

Granular Roaming Controls
  With KPE, IT admins can allow/disallow the use of "roaming" mobile connections that often incur high call/text/data rates. AE supports disabling mobile data. KPE extends AE by providing additional controls, such as the blocking of calls, or the blocking of app update downloads while allowing other data use. KPE Premium also enables separate roaming controls for each APN to support split billing.

Admin Device Lock
  An admin device lock enables IT to lock out a device, preventing even valid credentials from being used. This is extremely valuable for managing end-user policy violations, including travel to hostile countries. While AE supports locking the device screen, it does not lock out the user. KPE extends AE by allowing an IT admin to enforce an admin lock.

Firewall Management
  KPE extends AE by providing an industry-exclusive ability to set device firewall rules. Using KPE, admins can also be notified when employees attempt to visit blocked domains.

Granular Device Policies
  With KPE's granular device policies, an enterprise can meet compliance or other deployment requirements using unique policies that are not supported on AE, for SMS/MMS disclaimers, call restrictions, read and write restrictions on SD cards, and granular Bluetooth profile restrictions. KPE's refined device policies can even manage DeX deployment settings.

Advanced Workspace Configuration
  KPE extends AE by providing container-specific policy settings. KPE enables strict policy enforcement for Bluetooth, SD Card, USB, and other technologies inside the container, while allowing the full use of these technologies outside the container.

Unlock using Active Directory Credentials
  With KPE, there is no requirement for employees to remember separate credentials for Windows laptops and mobile devices. Additionally, with KPE device users can utilize their existing Active Directory credentials to unlock their devices.

Split Billing (Dual APNs)
  KPE extends AE through the support of dual APN management. KPE enables enterprises to pay only for the data usage of approved business apps. Employees are then responsible for fees incurred for personal data usage.

Network Analytics
  KPE allows an IT admin to deploy network threat detection solutions without granting tools complete access to all network traffic.

VPN

VPN Granularity: Per-App, Per-Container, or Whole Device
  KPE extends AE to provide very granular VPN controls. KPE can be configured with a VPN tunnel not just for a container or individual apps, but for the whole device.

Always On VPN
  KPE utilizes strict controls to block traffic from bypassing a configured VPN, even in cases where the VPN client crashes or when the device is rebooting. AE does not block traffic when a VPN is down.

On-Demand VPN
  A KPE VPN can be set to only activate when certain target apps are launched/running, and does not require additional VPN client support.

HTTP Proxy over VPN
  A KPE VPN enables the use of web proxies on tunneled VPN traffic.

VPN Chaining
  A KPE VPN allows the use of two VPN tunnels to double-encrypt traffic, enhance anonymity, and prevent a single security bug in a VPN layer from compromising network encryption.

Near-instant VPN connection times
  The Knox VPN framework allows a near-instant VPN connection, clocking in at one second. This time is measured from when the VPN handshake and authentication completes, to when the tunnel is established and traffic from any tunneled apps can pass through the VPN. This time threshold applies to all apps, assuming 100 apps enrolled in the VPN profile, whether they are part of the Knox Workspace or not.
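The SDP and DualDAR rows above state two properties that are easy to describe and easy to get wrong: the decryption key for sensitive files is bound to both the hardware root and the user's credential and is evicted from memory when the device or Knox Workspace locks, and a second, independent encryption layer keeps a single implementation flaw from exposing data at rest. The Go program below is an added illustration written for this page, not Samsung's implementation and not Knox SDK code: the hardware root key, the credential, the key labels and the file contents are constructed placeholders, and HMAC-SHA256 over a label stands in for whatever key derivation the real platform performs inside its trusted environment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrLocked is returned whenever the user-bound inner key has been evicted.
var ErrLocked = errors.New("workspace locked: inner key evicted")

// hwRootKey is a constructed stand-in for the device-unique secret kept inside the TEE.
var hwRootKey = sha256.Sum256([]byte("constructed device root key (hypothetical)"))

// derive is HMAC-SHA256 used as a label-separated KDF: one secret, independent 32-byte keys.
func derive(secret []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// newAEAD builds AES-256-GCM; keys always come from derive, so a failure here is a bug.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with a fresh random nonce and returns nonce || ciphertext || tag.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; a wrong key or any modification fails authentication.
func unseal(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Workspace holds two independent layers: outer is device-bound and derived at boot
// (DualDAR's second layer); inner is user-bound (SDP) and exists only while unlocked.
type Workspace struct {
	outer cipher.AEAD
	inner cipher.AEAD
}

func NewWorkspace() *Workspace {
	return &Workspace{outer: newAEAD(derive(hwRootKey[:], "dualdar-outer-layer"))}
}

// Unlock binds the inner key to both the hardware root and the user's credential.
func (w *Workspace) Unlock(credential string) {
	w.inner = newAEAD(derive(derive(hwRootKey[:], "sdp-inner-layer"), credential))
}

// Lock evicts the inner key; nothing stored can be read until the next Unlock.
func (w *Workspace) Lock() { w.inner = nil }

// Store applies the inner layer, then the outer one. The file name is bound as
// associated data, so one file's blob cannot be passed off as another's.
func (w *Workspace) Store(name string, data []byte) ([]byte, error) {
	if w.inner == nil {
		return nil, ErrLocked
	}
	return seal(w.outer, seal(w.inner, data, []byte("inner:"+name)), []byte("outer:"+name)), nil
}

// Load peels the outer layer first; without the inner key the caller gets only ErrLocked.
func (w *Workspace) Load(name string, blob []byte) ([]byte, error) {
	innerBlob, err := unseal(w.outer, blob, []byte("outer:"+name))
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	if w.inner == nil {
		return nil, ErrLocked
	}
	return unseal(w.inner, innerBlob, []byte("inner:"+name))
}

func main() {
	w := NewWorkspace()
	w.Unlock("constructed-user-pin") // placeholder credential
	blob, _ := w.Store("notes.txt", []byte("board minutes"))
	w.Lock()
	_, err := w.Load("notes.txt", blob)
	fmt.Println("read while locked:", err)
}
```

Three behaviours are worth checking against the table: a read while locked fails at the inner layer even though the outer layer opens, so an attacker who obtains only the device-bound key is left with authenticated ciphertext; a wrong credential derives a different inner key and GCM rejects the blob; and because the file name is bound as associated data, one file's ciphertext presented under another name is rejected rather than silently decrypted.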

Core Platform Security

Root of Trust

Imagine every device in your network simultaneously infected with malware and combing through your confidential data. Attacks and exploits continue to mature in sophistication in an attempt to stay ahead of advancing mobile device safeguards. So what's the single solution that works on all devices at the same time? To build a robust Root of Trust stack that minimizes exposure, detects intrusions, and locks down sensitive information.

A Root of Trust is the cornerstone of any modern security protocol. It is a series of stringent checks and balances, beginning at the hardware level rather than the software level. This feature adds a level of security to devices, making them difficult to subvert, as hardware is more immutable than software.

A Root of Trust answers many complicated security questions, such as:

- How do you know if a compromised OS was booted at runtime?
- Can you trust that your certificates are stored se
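The first question above, whether a compromised OS was booted, is what a verified boot chain anchored in hardware answers. The Go program below models that chain as an added example for this page; it is not Knox Verified Boot's code. It checks four stages in the order the feature comparison names (bootloader, TrustZone, hypervisor, kernel), each against an Ed25519 signature before the next one is measured, and records a sticky tamper flag that afterwards withholds the workspace key, the model here for "locks down sensitive areas". The vendor key pair, the image bytes and the workspace key are constructed for the demo; on real hardware the public key lives in ROM or fuses and the private key never exists on the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrTampered is returned once any boot stage fails verification.
var ErrTampered = errors.New("boot image verification failed: device locked down")

// Stage is one boot component, checked before control passes to it.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte // Ed25519 signature over SHA-256(Image) by the vendor signing key
}

// Device models the hardware side: an immutable vendor public key (fused or in ROM on
// real hardware), a sticky tamper flag, and measurements a later attestation could report.
type Device struct {
	vendorPub ed25519.PublicKey
	Tampered  bool
	Measured  []string
}

func NewDevice(vendorPub ed25519.PublicKey) *Device { return &Device{vendorPub: vendorPub} }

// VerifyChain walks the stages in boot order. The first failure sets the sticky
// tamper flag and stops the boot, so nothing after it is measured or run.
func (d *Device) VerifyChain(chain []Stage) error {
	for _, s := range chain {
		digest := sha256.Sum256(s.Image)
		if !ed25519.Verify(d.vendorPub, digest[:], s.Sig) {
			d.Tampered = true
			return fmt.Errorf("%s: %w", s.Name, ErrTampered)
		}
		d.Measured = append(d.Measured, s.Name+"="+hex.EncodeToString(digest[:8]))
	}
	return nil
}

// ReleaseWorkspaceKey stands in for "locks down sensitive areas": once tampering has
// been recorded, the trusted environment withholds the container key, and booting a
// clean chain afterwards does not clear the flag.
func (d *Device) ReleaseWorkspaceKey() ([]byte, error) {
	if d.Tampered {
		return nil, ErrTampered
	}
	k := sha256.Sum256([]byte("constructed workspace key (hypothetical)"))
	return k[:], nil
}

// SignStage is the vendor's build-time step; the private key never exists on the device.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	digest := sha256.Sum256(image)
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, digest[:])}
}

// BuildChain produces the four components Knox Verified Boot is described as
// validating, in boot order. The image bytes are constructed placeholders.
func BuildChain(priv ed25519.PrivateKey) []Stage {
	return []Stage{
		SignStage(priv, "bootloader", []byte("constructed bootloader image")),
		SignStage(priv, "trustzone", []byte("constructed TrustZone image")),
		SignStage(priv, "hypervisor", []byte("constructed hypervisor image")),
		SignStage(priv, "kernel", []byte("constructed kernel image")),
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // vendor key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	clean := NewDevice(pub)
	fmt.Println("clean boot:", clean.VerifyChain(BuildChain(priv)), clean.Measured)

	// An attacker swaps in a modified kernel: its signature no longer verifies.
	chain := BuildChain(priv)
	chain[3].Image = []byte("constructed kernel image with a rootkit")
	bad := NewDevice(pub)
	fmt.Println("tampered boot:", bad.VerifyChain(chain))
	_, err = bad.ReleaseWorkspaceKey()
	fmt.Println("workspace key after tampering:", err)
}
```

The model simplifies one thing deliberately: a single vendor key verifies every stage, whereas a real chain typically has each stage carry the key for the next, with only the first key anchored in hardware. What it keeps is the property that matters for the questions above: the decision is made before the stage runs, the flag survives a later clean boot, and the key that unlocks enterprise data is never handed to a system that has recorded a failed check.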
