Knox Platform for Enterprise (KPE) is a military-grade mobile solution for IT admins to manage and secure Samsung Android phones, tablets and Tizen watches for business.
KPE provides a set of advanced and unique mobile device security management features to the underlying Android OS, for business customers and partners who require higher security standards.
Explore Knox Platform for Enterprise features below, or download the white paper for more details.
Knox Platform for Enterprise leads the mobile security industry with more global government security certifications than any other solution. These include Common Criteria and FIPS 140-2, as well as government certifications from US Department of Defense, UK NCSC, and France ANSSI.
Samsung continually works with international regulatory bodies to meet a wide range of certification requirements designed to protect national interests, public safety, and consumer privacy.
The Knox Platform for Enterprise solution provides a robust set of features on top of the core Android Enterprise platform, to fill security and management gaps and meet the strict requirements of highly regulated industries.
The additional features in KPE have been designed to address more sophisticated security needs for confidential data, providing powerful features for Android for stringent requirements in highly regulated industries.
The following table summarizes unique advantages offered by KPE in addition to Android Enterprise.
|Key Features||KPE PREMIUM||KPE STANDARD||ANDROID ENTERPRISE*||KPE DIFFERENTIATION|
|Hardware-backed trusted environment||Hardware Root of Trust||Fully supported||Fully supported||Partially supported||Device-unique hardware keys and one-time programmable fuses|
|Build trust||Fully supported||Fully supported||Partially supported||Hardware-backed|
|Maintain trust||Fully supported||Fully supported||Partially supported||Runtime kernel protection|
|Prove trust||Fully supported||Fully supported||Partially supported||Hardware-backed, device-identifiable|
|Robust data protection||Data at rest||Hardware-based data isolation||Fully supported||Partially supported||Partially supported||3rd-party container support, granular configuration|
|On-device encryption||Fully supported||Fully supported||Fully supported|
|Sensitive data protection||Fully supported||Fully supported||Not supported||Data-at-rest protection even when device is in use|
|Data in transit||Flexible on-device VPN options||Fully supported||Partially supported||Partially supported||On-demand, dual-chaining, web protect over VPN, on-premise bypass|
|Gov.-certified built-in VPN client||Fully supported||Fully supported||Partially supported||Government-certified features|
|On-device firewall management||Fully supported||Fully supported||Not supported||URL based filtering, per-app control, blocked access logs|
|Comprehensive device management||Wide range of device configurations||Fully supported||Partially supported (with differentiation added)||Partially supported||Advanced authentication options, booting splash customization, etc.|
|Advanced mobile app management||Fully supported||Fully supported||Partially supported (with differentiation added)||Granular app management without Managed Google Play|
|System-level device feature restriction||Fully supported||Partially supported (with differentiation added)||Partially supported||Factory reset (recovery mode), firmware flashing (download mode)|
|Granular device monitoring and control||In-depth device usage||Fully supported||Not supported||Not supported||Audit logs|
|In-depth network usage||Fully supported||Not supported||Not supported||Network platform analytics|
|Optimized remote control||Fully supported||Fully supported||Partially supported||High performance, device-wide control; SECURE_FLAG overriding|
|Versatile credential/ certificate management||Universal Credential Management||Fully supported||Not supported||Not supported||Customizable Keyguard/ ODE|
|HW-based Client Certificate Management||Fully supported||Fully supported||Partially supported||Hardware-backed, wide range of CSR/ CEP support|
|Certified and trusted by experts and government bodies||Fully supported||Partially supported||Partially supported (with differentiation added)||Most "strong" ratings by Gartner|
KPE security begins in the factory with a hardware-backed trusted environment, upon which a chain of stringent security checks are performed on software components leading up to device boot and during run time.
Using Knox Verified Boot, KPE also checks for unauthorized or outdated bootloaders to ensure your device only starts up using valid bootloaders. During device operation, Real-time Kernel Protection (RKP) protects your OS from kernel attacks by monitoring and preventing unauthorized modifications and attacks.
Irretrievable device-unique hardware keys and one-time programmable fuses, only accessible via the TrustZone.
Verify all bootloaders and Kernel. Warranty Bit is flipped if compromised
Real-time Kernel Protection
Prevent unauthorized Kernel access or code modification in run-time. Block authorized system partition modification.
Device Health Attestation
Verify the integrity of device security on demand. Measurements guaranteed per device (device ID mapping)
Knox Platform for Enterprise uniquely protects data at rest by encrypting it not only when a device is powered off, but also when it is powered on but locked. It also provides further protection by allowing enterprise data to be isolated in secure app/ data containers, such as Knox Workspace, which can be managed with security policies separately from the rest of the device.
To secure data in transit, KPE offers several differentiated and even more secure VPN options, such as per-app/container and device-wide VPN, on-demand VPN, VPN on-premise bypass, HTTP proxy over VPN, and VPN chaining.
Knox Platform for Enterprise gives IT admins granular device management at the system level to solve common frustrations when mass deploying devices. Deploy hundreds of differentiated security policies that change and manage device settings, such as email, authentication, connectivity, container, and customization settings.
KPE also gives users granular and enforced Mobile Application Management (MAM) capabilities without Managed Google Play. Set system-level feature restrictions, including Common Criteria mode, and policies to phone mirror with Samsung DeX.
Knox Platform for Enterprise provides powerful tools to monitor end-user activities, including data traffic usage, to ensure all device usage is under IT’s control.
Universal Credential Management (UCM) provides a plug-and-play framework for credential management across a variety of storage media.
The Client Certificate Manager (CCM) is another feature of KPE and augments the security of the Android Keystore. It supports features such as device-unique certificates, hardware tamper-proof fuses and supports a wide range of certificate enrollment protocols like:
Active Directory password on device
New TIMA Keystore per-app API
Container lock, wipe
Advanced Container configurations
Power on and off control
App permission monitor management
Enhanced app permission monitor
Our Knox sales team is ready to collaborate with you to address your biggest business challenges. Please provide your contact details to get started with a free trial or discuss a project with our sales team.