25 Feb

Samsung has announced a slew of improvements to its KNOX enterprise security product at this year's Mobile World Congress. For starters, users can now manage two separate secure containers per device, ideal for consultants with multiple clients or people who just want to better separate work data from personal files.

The total list of changes goes much deeper.

KNOX Updates:

  • Two separate secure containers per device, for example, for consultants who work for several companies or doctors who work for several clinics.
  • No more need to wrap apps inside a container. This means many more apps for users.
  • Any app from Google Play that supports Android’s multi-user framework can be installed and used inside the secure KNOX containers; IT Admins can use app whitelists and blacklists to control what can be installed.
  • A faster and easier way to activate a secure KNOX container on a device.
  • Controlled sharing of data, like Contacts, Calendar events, Notifications, and Clipboard data between the personal and container spaces, configurable to meet enterprise security requirements.
  • Real-time monitoring of the Linux kernel to protect against malware.
  • Secure storage of encryption keys (including those for third party apps) and client certificates (including those for SSL authentication), in the tamper-proof TrustZone built into the device hardware.
  • A multi-vendor VPN framework that lets enterprises choose third-party clients like SSL VPN.
  • An open SmartCard framework that enables enterprises to choose from an array of SmartCard readers.

Samsung is also introducing the KNOX Marketplace, a place where enterprises can discover and purchase KNOX services and other SaaS apps. Centralized billing is available to make company payments easy to keep track of, and IT admins are empowered to determine which users get to use which apps. The latter comes thanks to the KNOX Enterprise Mobility Management initiative, Samsung's list of efforts to make its offering more compelling to small and medium-sized companies.

KNOX Enterprise Mobility Management:

  • Cost savings through cloud-based services; avoiding the capital cost of on-premise labs, servers, and software
  • A cloud-based admin console that provides enterprise IT Admins with control over enterprise mobile devices, user identities, user access privileges, role-based policies, and deployed apps
  • Over 500 KNOX policies that can be set in areas such as containers, user passwords, apps that can be installed, licensing, Exchange ActiveSync accounts, data encryption, Attestation, TIMA, SE for Android, SSO, and VPNs
  • A cloud-based user console that provides device users with the power to manage their own devices, apps, activities, and profiles
  • Single Sign On (SSO), to enable device users to log in only once using their credentials; apps requiring user identification can leverage the provided user credentials
  • Tight integration with KNOX Marketplace, to enable purchased licenses to be readily available in the EMM Admin console
  • Cross-platform support for both iOS and Android devices (Samsung and non-Samsung)

KNOX should now do a better job of just plain making devices safer. The nitty-gritty details are available in the source links below.

Source: Samsung [1],[2]

Bertel King, Jr.
Born and raised in the rural South, Bertel knows what it's like to live without 4G LTE - or 3G, for that matter. The only things he likes sweeter than his tea are his gadgets, and while few objects burn more than a metal phone on a summer day, he prefers them that way anyway.

  • supremekizzle

    FUCK KNOX. Seriously. They should have it as a hardware option for the enterprise user, not a mandatory warranty killer for the root user.

    • mgrviper

      KNOX doesn't prevent users from flashing root-enabled kernels and/or ROMs.

      • supremekizzle

        It limits freedom of what I can do with MY device (insofar as Samsung can deny a warranty repair if Knox is tripped) and is therefore bullshit.

        • Fiorta

          Then buy an unlocked/dev edition phone. Seriously, the arrogance of your post is hilarious.

          • Matthew DiGiacomo

            Can you point me to a dev edition Note 3?

          • jonathan3579

            You talk as though it is just as easy as buying an "unlocked/dev edition" but it's not. If the other post is arrogant, what does that make yours?

          • Fiorta

            I'm not the one bitching about a phone that I knew before buying was locked down. A phone where unlocking/rooting it is not a guarantee.

          • smeddy

            There was no other phone for me but the Note 3, but KNOX nearly cost the sale. It causes multiple headaches on a feature that gives me no utility.

          • ergu

            Well, there are not many options available to someone who wants to own his own phone. The anger in the original post is probably mostly directed at that fact. Today's market just doesn't value the freedom to do what you want with your own device. I think it's just as arrogant of you to admonish him for his frustration, if not more...

            And by the way, as far as I know, the limitations of Knox will never be undone by any special edition of a phone. If you want Knox, you'll need a non-rooted phone; that's the point of Knox. It assumes that your phone is too exposed to safely run enterprise software if it's rooted. Or maybe you're right, and it's the method of rooting that kills Knox, and if your phone were pre-rooted, it wouldn't be a problem.

            I see it as BS anyway, as I'm pretty sure my rooted, Xposed XPrivacy setup with minimal permission granted is far safer on an enterprise than any Knox configuration.

          • Fiorta

            People tend to forget that for each phone, the % who root is very small. So for the average user who doesn't mess with their phone, knox does well.
            Another thing people tend to ignore, is that everyone who does root, not everyone is good at it. Most are not good, don't understand adb and shouldn't even attempt root. Yet these people break/brick phones, offer bs excuses for replacement then wonder why carriers/oem try to lock down phones. So like I said, the arrogance is hilarious.

          • karmicbilling

            My phone was not locked down when I bought it... but it will be if I accept the latest OTA update

          • ProductFRED

            I have a Moto X Developer Edition and a rooted AT&T S4. The Moto X was reasonably priced ($380, $410 without promo, AFTER tax). S4 developer edition is only available on Verizon, and it's $650+tax. Plus unlike Motorola they don't tell you that your warranty is intact even if you root (it's intentionally vague).

        • mustbepbs

          I guess I'm not reading it right.

          So you're upset that your warranty is void after you mess with your device (root/ROM)?

          • xHabeasCorpusx

            I think that he's upset that if he roots his phone or installs a custom rom, and the device needs warranty repair Samsung can deny it EVEN IF the rooting or rom has nothing to do with his device's malfunction.

          • mustbepbs

            That's his own damn fault. If he's gonna mess with the device, and it's clearly stated all over the place that custom ROMs will void your warranty, he made his own bed, regardless of the failure.

            People can't have their cake and eat it too.

          • sabby

            Problem was you cannot even revert back to old stock ROM.
            So even without root you are fucked if you flash back, 'cause sometimes a new update is not perfect and breaks some things, and if you go back you will void your warranty.

          • mustbepbs

            If a new update screws something up, that's when you file for a warranty claim. If you take it into your own hands, you're the only one to blame if your warranty is void.

          • sabby

            That makes no sense... I am just downgrading the version of the OS, nothing more. How will it mess up my hardware?

          • abobobilly

            So you think for tiny "software" issues you should claim your warranty instead of doing it yourself?

            Well, Good for you. Because technically minded individuals may find it easy and "QUICKER" to do it themselves instead of wasting time in Sammy's repair center.

            The point they are making about KNOX is valid. If a 3rd party ROM is messing up your phone, reverting back to STOCK "should" bring back the phone. If it does (bring back the phone) warranty should NOT come out as void.

            It's just a tactic by Samsung to deliver the most responsibility to users. Heck, I've seen people NOT getting a warranty claim just because their device crapped out on them, and now Sammy Warranty Center thinks it's because "they messed with the device".

          • sabby

            Actually... forgive me if this is a late reply... even if you come back from stock ROM your warranty is gone.

            So Samsung releases an update in March and it messes things up, and if I revert back to older firmware Knox will break.

          • abobobilly

            Because of the flash counter you mean? Because I don't know if that "really" affects the warranty claim, as I have personally witnessed a lot of devices passing the warranty claim procedure, even when the device has been tinkered with ... BUT at the time of claiming the warranty, it was running a stock (unrooted) ROM. (A friend claimed warranty of his S3 the same way)

            Though I haven't come across such issues with any S4 or devices running KNOX so you could be right about that.

          • sabby

            No... you can reset the counter, but this is a different problem...

            The S3 did not have this system. It started with the S4 after one software update, and some users, just for comparison, tried to flash older firmware on XDA, and that is when it started giving some sort of message while in recovery or download mode. I am not sure, as I don't have an S4, but I like reading about this stuff so I know a lot about it :P

            Also, Knox in the phone does not run after you break it, and it's permanent. Some users said it's a hardware fuse or something which gets broken when you flash something and it can never go back... I don't know what the situation is now.

        • Mystery Man

          I'm actually confused. Other than dev editions I don't know what company doesn't void your warranty for unlocking and rooting. I know HTC and Motorola void your warranty.... And Motorola you have to get a code from them to unlock which is worse than Samsung since non-tripping Knox options are available.

          • KingofPing

            Non-code options exist for most modern HTC devices as well. :)

    • Jason Farrell

      The odds of your carrier or Samsung itself (for the 1yr manf. warranty) denying a warranty replacement due to either the KNOX or flash counter being tripped is very very small. All evidence is to the contrary on XDA. They just don't care.

      The only downside to the KNOX flag being tripped is that it limits the resale value a tiny bit in the rare case that someone buying it wants to use it in the secure enterprise setting it was made for (which you can't do when it's been tripped).

      • Matthew Fry

        That doesn't change the fact that it's a clearly visible and unchangeable flag in the bootloader. I don't have a lot of uses for root but I started searching for a way to do it as soon as Knox started complaining about something compromising my system with only the pre-installed apps on the phone. Additionally, I rooted to disable the bloat which they disallow you from removing. It really should be dealt with legally by a consumer advocacy group but until then...

  • MyLeftNut

    KNOX is for the consumers that still download Antivirus apps on their phones. Sadly I know many people who still feel the need to install security apps or they won't feel secured. They are the average consumer that this locked down security "feature" is marketed towards. Enterprise users already have ways for securing their phones.

    • AbbyZFresh

      Android is the least secure mobile OS out there.. Of course there will be Antivirus apps available.

      • Mystery Man

        Wrong

      • abobobilly

        Least Secure? And how did you make that assessment? Heck how many times did you find a "virus" on your Android phone?

        • AbbyZFresh

          It has the most malware because of its open source nature. Probably also part of the reason why it still lags. Viruses can easily be hidden until you may end up clicking an unknown link that releases it.

          At least Apple has a head on their shoulders on keeping iOS secure and smooth. Google needs to try harder.

          • abobobilly

            The "Malicious Apps" you are talking about, are the cracked apps you download from internet. And I believe if you are downloading cracked apps, you are "sensible enough" to know which app to download and which link to click, and should you click one, "check" it before opening it.

            Anyone failing to do that, is pure DUMB in my books, and I won't be surprised if they install an AntiVirus in their phones to let them know about simple logic.

            Apple is only able to keep its iOS secure, is by keeping a tight check and balance on their apps and store. But does that really make it secure? Because people still JailBreak their iPhones and install apps from other sources. So there you have it, your argument about "Apple has a head on their shoulders" completely invalid.

            My point is that Security is only good as long as YOU keep it that way. "If you can't protect yourself, you don't expect others to protect you". Just like that, if you can't understand What security means, you can't expect other products to provide you that.

          • sabby

            open source has nothing to do with malware
            open source also has nothing to do with openness android has you are really confusing things here

  • casytsm

    As someone who uses KNOX for actual business purposes, working for a large company, I think this is where Samsung can stand out. Every person I work with that I have shown KNOX says that would have made them buy the S4. The functionality of it is actually awesome. All these people who are hating on KNOX have clearly never used it, or are not working professionals that understand the utility of it.

    • Matthew Fry

      I am clearly not a working professional that understands the utility of it. How does this make Samsung stand out?

      Samsung makes a billion different models of phone. There's no reason why they can't make a different model for business or potential business use.

      • casytsm

        In the most basic use Knox allows you to have a secure user space on your phone. This means that I can have my corporate email on my phone and the only time I have to type my pin is when I have to access my corporate email. This means that my phone is not required to have a lock screen like every other phone on the market that is required to have a pin. Along with this it means I can have all my data partitioned separately on my phone. All my business emails, notes, calendar, photos, videos and much more don't dilute the personal area on my phone. Businesses care about data security and if Samsung can make smarter and safer phones they will sell in corporate America.
        You asked why can't they make one specifically for business purposes but my question is 'why would' they make a separate one for businesses. In your own words they make a billion versions so by your comment you should be pleased that they aren't creating another one. I do agree though their product line is spread way too thin.

        • Matthew Fry

          I getcha. It seems like a very very slim minority of users that would have these requirements though. They could easily disable it by default and provide a one time enable key in the box. That way the 90% of people that buy the phone without the intention to use it for business are not required to have it.

          • casytsm

            I get the arguments against it from a modding standpoint. I'm a little confused though. Why does everyone keep saying it's jammed down consumers' throats? It was just an app sitting on my home screen and was not enabled until I went in and told it that I want to use Knox (I had to download a 100mb file). I can't speak for the S5 (obviously) but it was just a dormant app on my phone until I told it to turn on. Maybe other people have had experiences and I would like to hear those. Most consumers will have no idea what it is and won't ever open the app and will never have to deal with it. The only people it actually affects are people who want to access the boot loader. It's a number we'll never know but I'd like to know how big that market is.

          • Matthew Fry

            My personal experience on my Note 3 is that it complained about apps compromising my security with only what Samsung had pre-installed about once every 30 minutes. This annoyed me to no end and led me to root to make it stop. Which then I found out would, on certain firmware versions, be impossible to do without tripping a flag that is easily found by booting to the bootloader and potentially voiding my warranty. All this to just stop annoying popups that Samsung is forcing me to see over and over. I stressed out about it because I'm on Jump and if they decide not to take it I've wasted my time and money. I finally found a T-Mobile specific way to root without triggering the flag but until I had I was considering getting a non-Samsung device instead. I learned later that the notification can be disabled for a 30 day period but even that is just a hassle that I shouldn't have to deal with.

            I also learned later that people had traded in their phones with tripped bits with no issue. Now that I think about it, some business professional buying a used phone is going to be unhappy if the bit is tripped and Knox won't function...

  • Tower72

    Personally, had I known that Samsung and Verizon were going to lock out the bootloader in the most recent update AND add this Knox crap, I would have just stuck with my HTC One.. I am sure it has its uses on the enterprise level, but as for the rest of us that have this as a personal phone, it should be optional.. I really don't like having stuff jammed down my throat and being told "here ya go..deal with it"

  • Martens Nkem

    While they are at it, they should add a way to permanently disable it, am tired of it taking that space on my notification bar like am ever gonna use it

    • casytsm

      Go into KNOX -> KNOX settings -> disable quick toggle. Let me know if that doesn't work. Gets rid of the toggle on my phone. You on an S4?

      • Martens Nkem

        Thanks Bruv, you are a lifesaver...am on the Note 3...Thanks

  • smeddy

    I get the market for KNOX, but it's just an effing PITA for 90% of the market.