Knox Platform for Enterprise

Premium mobile device security and management for Android

Our best mobile security solution has been designed to meet the stringent needs of leading governments and regulated industries.

Trusted by security experts and government agencies

Received 25 of 28 “Strong” ratings in Gartner report*

Knox Platform for Enterprise leads the mobile security industry with more global government security certifications than any other solution. These include Common Criteria and FIPS 140-2, as well as government certifications from US Department of Defense, UK NCSC, and France ANSSI.

Common Criteria
DISA (USA)
FIPS 140-2 (USA)
NCSC (UK)
ANSSI (France)
CCN (Spain)
AIVD (Netherlands)
NCSA (Finland)
ISCCC (China)
Kazakhstan

Samsung continually works with international regulatory bodies to meet a wide range of certification requirements designed to protect national interests, public safety, and consumer privacy.

KPE goes beyond Android Enterprise

The Knox Platform for Enterprise solution provides a robust set of features on top of the core Android Enterprise platform, to fill security and management gaps and meet the strict requirements of highly regulated industries.

The additional features in KPE address more sophisticated security needs for confidential data and extend Android to meet the stringent requirements of highly regulated industries.


Feature comparison table

The following table summarizes unique advantages offered by KPE in addition to Android Enterprise.

KEY FEATURES

Legend

Fully supported
Partially supported (with differentiation added)
Partially supported
Not supported
| Category | Key feature | KPE Premium | KPE Standard | Android Enterprise* | KPE differentiation |
|---|---|---|---|---|---|
| Hardware-backed trusted environment | Hardware Root of Trust | fully supported | fully supported | partially supported | Device-unique hardware keys and one-time programmable fuses |
| Hardware-backed trusted environment | Build trust | fully supported | fully supported | partially supported | Hardware-backed |
| Hardware-backed trusted environment | Maintain trust | fully supported | fully supported | partially supported | Runtime kernel protection |
| Hardware-backed trusted environment | Prove trust | fully supported | fully supported | partially supported | Hardware-backed, device-identifiable |
| Robust data protection: data at rest | Hardware-based data isolation | fully supported | partially supported | partially supported | 3rd-party container support, granular configuration |
| Robust data protection: data at rest | On-device encryption | fully supported | fully supported | fully supported | |
| Robust data protection: data at rest | Sensitive data protection | fully supported | fully supported | not supported | Data-at-rest protection even when device is in use |
| Robust data protection: data in transit | Flexible on-device VPN options | fully supported | partially supported | partially supported | On-demand, dual-chaining, web proxy over VPN, on-premise bypass |
| Robust data protection: data in transit | Gov.-certified built-in VPN client | fully supported | fully supported | partially supported | Government-certified features |
| Robust data protection: data in transit | On-device firewall management | fully supported | fully supported | not supported | URL based filtering, per-app control, blocked access logs |
| Comprehensive device management | Wide range of device configurations | fully supported | partially supported (with differentiation) | partially supported | Advanced authentication options, booting splash customization, etc. |
| Comprehensive device management | Advanced mobile app management | fully supported | fully supported | partially supported (with differentiation) | Granular app management without Managed Google Play |
| Comprehensive device management | System-level device feature restriction | fully supported | partially supported (with differentiation) | partially supported | Factory reset (recovery mode), firmware flashing (download mode) |
| Granular device monitoring and control | In-depth device usage | fully supported | not supported | not supported | Audit logs |
| Granular device monitoring and control | In-depth network usage | fully supported | not supported | not supported | Network platform analytics |
| Granular device monitoring and control | Optimized remote control | fully supported | fully supported | partially supported | High performance, device-wide control; SECURE_FLAG overriding |
| Versatile credential/certificate management | Universal Credential Management | fully supported | not supported | not supported | Customizable Keyguard/ODE |
| Versatile credential/certificate management | HW-based Client Certificate Management | fully supported | fully supported | partially supported | Hardware-backed, wide range of CSR/CEP support |
| Certified and trusted by experts and government bodies | | fully supported | partially supported | partially supported (with differentiation) | Most “strong” ratings by Gartner |

Hardware-backed trusted environment

Hardware Root of Trust

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Device-unique hardware keys and one-time programmable fuses

Build Trust

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Hardware-backed

Maintain Trust

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Runtime kernel protection

Prove Trust

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Hardware-backed, device-identifiable

Robust Data Protection

Data at rest

Hardware-based data isolation

KPE Premium: fully supported

KPE Standard: partially supported

Android Enterprise*: partially supported

KPE differentiation:

3rd-party container support, granular configuration

Data at rest

On-device encryption

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: fully supported

Data at rest

Sensitive Data Protection

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: not supported

KPE differentiation:

Data-at-rest protection even when device is in use

Data in transit

Flexible on-device VPN options

KPE Premium: fully supported

KPE Standard: partially supported

Android Enterprise*: partially supported

KPE differentiation:

Data-at-rest protection even when device is in use

Data in transit

Gov.-certified built-in VPN client

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Government-certified features

Data in transit

On-device firewall management

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: not supported

KPE differentiation:

URL based filtering, per-app control, blocked access logs

Comprehensive device management

Wide range of device configurations

KPE Premium: fully supported

KPE Standard: partially supported (with differentiation)

Android Enterprise*: partially supported

KPE differentiation:

Advanced authentication options, booting splash customization, etc.

Advanced mobile app management

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Granular app management without Managed Google Play

System-level device feature restriction

KPE Premium: fully supported

KPE Standard: partially supported (with differentiation)

Android Enterprise*: partially supported

KPE differentiation:

Factory reset (recovery mode), firmware flashing (download mode)

Granular device monitoring and control

In-depth device usage

KPE Premium: fully supported

KPE Standard: not supported

Android Enterprise*: not supported

KPE differentiation:

Audit logs

In-depth network usage

KPE Premium: fully supported

KPE Standard: not supported

Android Enterprise*: not supported

KPE differentiation:

Network platform analytics

Optimized remote control

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

High performance, device-wide control; SECURE_FLAG overriding

Versatile credential/ certificate management

Universal Credential Management

KPE Premium: fully supported

KPE Standard: not supported

Android Enterprise*: not supported

KPE differentiation:

Customizable Keyguard/ ODE

HW-based Client Certificate Management

KPE Premium: fully supported

KPE Standard: fully supported

Android Enterprise*: partially supported

KPE differentiation:

Hardware-backed, wide range of CSR/ CEP support

Certified and trusted by experts and government bodies

KPE Premium: fully supported

KPE Standard: partially supported

Android Enterprise*: partially supported

KPE differentiation:

Most “strong” ratings by Gartner

*Android Open Source Project (AOSP) without Knox Platform for Enterprise

Hardware-backed trusted environment

KPE security begins in the factory with a hardware-backed trusted environment, upon which a chain of stringent security checks is performed on software components leading up to device boot and during run time.

Using Knox Verified Boot, KPE also checks for unauthorized or outdated bootloaders to ensure your device only starts up using valid bootloaders. During device operation, Real-time Kernel Protection (RKP) protects your OS from kernel attacks by monitoring and preventing unauthorized modifications and attacks.

Manufacturing time

HARDWARE ROOT OF TRUST

Irretrievable device-unique hardware keys and one-time programmable fuses, only accessible via the TrustZone.

Boot time

BUILD TRUST

Trusted Boot
Verify all bootloaders and the kernel. Warranty Bit is flipped if compromised.

Run-time

MAINTAIN TRUST

Real-time Kernel Protection
Prevent unauthorized kernel access or code modification at run time. Block unauthorized system partition modification.

Run-time

PROVE TRUST

Device Health Attestation
Verify the integrity of device security on demand. Measurements guaranteed per device (device ID mapping).

Robust data protection

Knox Platform for Enterprise uniquely protects data at rest by encrypting it not only when a device is powered off, but also when it is powered on but locked. It also provides further protection by allowing enterprise data to be isolated in secure app/data containers, such as Knox Workspace, which can be managed with security policies separately from the rest of the device.

To secure data in transit, KPE offers several differentiated and even more secure VPN options, such as per-app/container and device-wide VPN, on-demand VPN, VPN on-premise bypass, HTTP proxy over VPN, and VPN chaining.

Comprehensive device management

Knox Platform for Enterprise gives IT admins granular device management at the system level to solve common frustrations when mass deploying devices. Deploy hundreds of differentiated security policies that change and manage device settings, such as email, authentication, connectivity, container, and customization settings.

KPE also gives users granular and enforced Mobile Application Management (MAM) capabilities without Managed Google Play. Set system-level feature restrictions, including Common Criteria mode, and policies to phone mirror with Samsung DeX.

Powerful device monitoring & control

Knox Platform for Enterprise provides powerful tools to monitor end-user activities, including data traffic usage, to ensure all device usage is under IT’s control.

Versatile credential and certificate management

Universal Credential Management (UCM) provides a plug-and-play framework for credential management across a variety of storage media.

The Client Certificate Manager (CCM) is another feature of KPE and augments the security of the Android Keystore. It supports features such as device-unique certificates and hardware tamper-proof fuses, and supports a wide range of certificate enrollment protocols like:

Find out more about how Knox Platform for Enterprise differentiates from Android Enterprise.

Features


Comprehensive device management

Active Directory password on device

Allows changing Active Directory passwords on the device instead of a PC.

Enterprise roaming

Controls which apps are allowed to use mobile data when the user is connected to a roaming network.

New TIMA Keystore per-app API

Support added to limit access to the digital credentials in the TIMA Keystore to a single app.

Container lock, wipe

Lock or wipe the container in case the device is lost or stolen.

Advanced Container configurations

Configurations for browser, Email, password, WiFi, VPN, firewall, etc.

Power on and off control

Customize the power ON/OFF for the devices with the Custom APIs.

App permission monitor management

Permissions monitoring is now available for apps inside the container.

Enhanced app permission monitor

New APIs for IT to block the data leakage.

DeX management

Check whether the device is in DeX mode. Block DeX mode. Enforce Ethernet data connection. Prevent certain apps from running in DeX.


DeX management

Add or remove app shortcuts. Change the loading screen. Control screen timeout settings.

DeX management

Configure align type of DeX launcher screen. Add a browser shortcut with a specific URL on DeX home screen.

RCS message capturing

IT admins can capture Rich Communication Services (RCS) messages.

Control BLE and Wi-Fi scanning

Control Wi-Fi and Bluetooth background services.

Power saving mode management

Enterprises can allow power saving mode to extend battery life, or disallow power saving mode to optimize manageability.

Select Home screen mode

Set a Home screen mode to Home screen only or Home screen and applications.

Hardware key remapping at device level

Previously supported only in ProKiosk mode, but is now also available at the device level.

Set favorite apps

Control the application shortcuts that are displayed in the bottom row of the Home screen.

Delete selected Home screen page

Remove a page from the launcher including all shortcuts and contents.

Robust data protection

Harmonized Container

Samsung and Google have partnered to deploy a common architecture for secure containers starting with S8 devices running Oreo.

UX updates for Knox Workspace

Supports compliance with GDPR (General Data Protection Regulation). The contents of the Knox PP (Privacy Policies) have changed for handling user data.

Enable Iris authentication to access Knox

Iris authentication for accessing the Knox container.

Versatile credential / certificate management

Support for ECC

Support added for Elliptic Curve Cryptography (ECC), including storage for such keys in the protected TIMA CCM keystore.

Enhanced EST protocol

Enhances network security between an Enrollment over Secure Transport (EST) client and EST server per RFC 7030.

Samsung-supplied UCM plugin eSE

Samsung's Universal Credential Management (UCM) embedded Secure Element (eSE) plugin allows apps to access eSE of Samsung mobile devices.

Availability

Server options: Cloud or on-premise

License types: Monthly or yearly

Supported MDMs/EMMs: View all MDMs/EMMs

Get started

Knox Platform for Enterprise

30-day free trial

Start a free full-feature trial of Knox Platform for Enterprise.

 

Knox Platform for Enterprise

Commercial license

Purchase a monthly or yearly license from your local Knox reseller.

 


Success story

Manufacturing

Anton Paar's salespeople are on the road four days a week, and it is crucial that their mobile devices are managed and protected

*Gartner, Inc. Mobile OSs and Device Security: A Comparison of Platforms, Patrick Hevesi, December 20, 2017