April 15, 2017

What's new in Knox 2.8?

Samsung Knox News

By Knox Technical Publications Staff

Introducing Samsung Knox 2.8, which includes a number of platform updates and feature updates for individual SDKs. The Knox 2.8 platform is built into the new Samsung Galaxy S8 and S8+ devices and platform features are built into the device software. Other devices will receive firmware updates pending on the release schedule of each mobile service provider. To check the Knox version that’s currently running on your device, go to Settings > About device > Software info

Let’s take a look at the 2.8 updates! 

Platform-based features are built into the device OS. All flagship devices include the following features:


Advanced security

  • Control flow protection

The Knox platform now prevents Return Oriented Programming (ROP) exploits. This enhancement restricts an attacker’s ability to hijack the control-flow of an OS kernel by encrypting return addresses before putting them on the stack.

  • VPN support over IPv6 networks

When using the Knox VPN framework, device users can now access network resources over an IPv6 network. Previously, any IPv6 servers proposed during the VPN tunnel negotiation were rejected.

  • Trustzone app rollback preventions

The Knox platform now checks the Trusted Application (TA) version and blocks older TA versions which may provide exploitable vulnerabilities.


Convenience for device users

  • Power Saving mode

Enterprises can allow power saving mode to extend battery life, or disallow power saving mode to optimize manageability. In power saving mode, for example, an EMM agent does not work normally and cannot receive policy updates from the IT admin server.

  • Accessibility apps access to Knox Workspace

IT admins can now allowlist the accessibility apps that can access the Knox Workspace container, for example, to read what is displayed on the screen while in the container. Previously, to reduce vulnerabilities, the Knox Workspace container blocked access from all third-party accessibility apps except Google TalkBack.

  • Microsoft Exchange ActiveSync (EAS) as default storage for Contacts/Calendar

If an EAS account is set up on a device, it is now used as the default storage for the contacts, events, and tasks in the Contacts and Calendar apps. Previously, the device was the default storage and device users could lose this data after switching devices or deleting the Knox Workspace container.


Data Loss Prevention

  • Data Loss Prevention logs

Enterprises can now view audit logs to browse events associated with DLP-protected content. Both informational events about content accessed as well as critical security events about unauthorized access are logged.

  • Data Loss Prevention from browser

Enterprises can define a list of trusted web sites to which device users can upload classified content from the Internet app inside the Knox Workspace container.


Frictionless deployment

  • Support for enrolling both KC and KME on the same device

Customers can now register the same device (IMEI or Serial No) to both Knox Mobile Enrollment (KME) and Knox Configure (KC) portals. This feature enables customers to use Knox Configure and deploy their EMM using KME on the same device.


Management controls and compliance

  • Advance certificate enrollment and management

Enhances network security between an Enrollment over Secure Transport (EST) client and EST server per RFC 7030. Enterprises can use the EST protocol to initiate a Certificate Signing Request and manage credential generation and communications.

  • URL disclaimer in SMS/MMS messages

This feature is designed for regulated industries like banking, which need to attach a disclaimer to every SMS or MMS sent by their regulated employees, in order to comply with industry standards. Typically, the disclaimer links to a web page providing the full text of an organization’s legal disclaimer.

  • Emails sent outside a secure domain

This feature addresses financial industry requests to warn employees when they send emails outside their secure domain. Any destination email address lacking an approved address suffix is highlighted automatically in the native Email app.

  • Enterprise billing on dual SIM devices

Previously, the SIM1 card was used for enterprise billing by default. With this enhancement, you can select the SIM2 card for enterprise billing.


SDKs and Tools

Knox Customization Configurator

Knox Customization Configurator 1.6.1 and 1.6.2 releases include a number of improvements for System Integrators, IT admins, and end users.

  • Advanced KCC License management

A number of user experience improvement related with License and License check logic enhancements. These enhancements reduce the user experience of license count errors and end users can now assign licenses again to same devices which have already been activated on those devices.

  • Enhanced ProKiosk mode

The Knox Customization Configurator now supports the following customizing features: Automatic Power on, USB connection, Application URL restriction, Disable Flight mode, Disable OMC mode, Advanced Wi-Fi settings, and Custom booting/shutdown animations in ProKiosk mode.