By Knox Technical Publications Staff
Introducing Samsung Knox 2.8, which includes a number of platform updates and feature updates for individual SDKs. The Knox 2.8 platform is built into the new Samsung Galaxy S8 and S8+ devices and platform features are built into the device software. Other devices will receive firmware updates pending on the release schedule of each mobile service provider. To check the Knox version that’s currently running on your device, go to Settings > About device > Software info
Let’s take a look at the 2.8 updates!
Platform-based features are built into the device OS. All flagship devices include the following features:
- Control flow protection
The Knox platform now prevents Return Oriented Programming (ROP) exploits. This enhancement restricts an attacker’s ability to hijack the control-flow of an OS kernel by encrypting return addresses before putting them on the stack.
- VPN support over IPv6 networks
When using the Knox VPN framework, device users can now access network resources over an IPv6 network. Previously, any IPv6 servers proposed during the VPN tunnel negotiation were rejected.
- Trustzone app rollback preventions
The Knox platform now checks the Trusted Application (TA) version and blocks older TA versions which may provide exploitable vulnerabilities.
Convenience for device users
- Power Saving mode
Enterprises can allow power saving mode to extend battery life, or disallow power saving mode to optimize manageability. In power saving mode, for example, an EMM agent does not work normally and cannot receive policy updates from the IT admin server.
- Accessibility apps access to Knox Workspace
IT admins can now allowlist the accessibility apps that can access the Knox Workspace container, for example, to read what is displayed on the screen while in the container. Previously, to reduce vulnerabilities, the Knox Workspace container blocked access from all third-party accessibility apps except Google TalkBack.
- Microsoft Exchange ActiveSync (EAS) as default storage for Contacts/Calendar
If an EAS account is set up on a device, it is now used as the default storage for the contacts, events, and tasks in the Contacts and Calendar apps. Previously, the device was the default storage and device users could lose this data after switching devices or deleting the Knox Workspace container.
Data Loss Prevention
- Data Loss Prevention logs
Enterprises can now view audit logs to browse events associated with DLP-protected content. Both informational events about content accessed as well as critical security events about unauthorized access are logged.
- Data Loss Prevention from browser
Enterprises can define a list of trusted web sites to which device users can upload classified content from the Internet app inside the Knox Workspace container.
- Support for enrolling both KC and KME on the same device
Customers can now register the same device (IMEI or Serial No) to both Knox Mobile Enrollment (KME) and Knox Configure (KC) portals. This feature enables customers to use Knox Configure and deploy their EMM using KME on the same device.
Management controls and compliance
- Advance certificate enrollment and management
Enhances network security between an Enrollment over Secure Transport (EST) client and EST server per RFC 7030. Enterprises can use the EST protocol to initiate a Certificate Signing Request and manage credential generation and communications.
- URL disclaimer in SMS/MMS messages
This feature is designed for regulated industries like banking, which need to attach a disclaimer to every SMS or MMS sent by their regulated employees, in order to comply with industry standards. Typically, the disclaimer links to a web page providing the full text of an organization’s legal disclaimer.
- Emails sent outside a secure domain
This feature addresses financial industry requests to warn employees when they send emails outside their secure domain. Any destination email address lacking an approved address suffix is highlighted automatically in the native Email app.
- Enterprise billing on dual SIM devices
Previously, the SIM1 card was used for enterprise billing by default. With this enhancement, you can select the SIM2 card for enterprise billing.
SDKs and Tools
Knox Customization Configurator
Knox Customization Configurator 1.6.1 and 1.6.2 releases include a number of improvements for System Integrators, IT admins, and end users.
- Advanced KCC License management
A number of user experience improvement related with License and License check logic enhancements. These enhancements reduce the user experience of license count errors and end users can now assign licenses again to same devices which have already been activated on those devices.
- Enhanced ProKiosk mode
The Knox Customization Configurator now supports the following customizing features: Automatic Power on, USB connection, Application URL restriction, Disable Flight mode, Disable OMC mode, Advanced Wi-Fi settings, and Custom booting/shutdown animations in ProKiosk mode.