Guidance

End User Devices Security Guidance: Samsung devices with KNOX 2.x

Created:  28 Jul 2015
Updated:  11 Aug 2016
CESG Archive

Archive content originally produced by CESG that has not yet been absorbed into the new NCSC web pages.

Configuration guidance for the use of Samsung devices with KNOX 2.x for remote working at OFFICIAL.

Getting Started

Before reading this guidance, take the time to look at our overall Introduction to End User Device Security. This will give you some context on the thinking behind our advice and better enable you to apply the guidance to your particular circumstances.


1. Introduction

This guidance is designed to help Risk Owners and Administrators understand the risks, security advantages and recommended configuration of KNOX 2.x within a remote working environment at the OFFICIAL and OFFICIAL SENSITIVE classifications.

This guidance was developed following testing performed on a Samsung Galaxy S5 device and is applicable to Samsung KNOX Workspace enabled devices running Android 5.0 and higher with KNOX 2.4 and higher.

2. About this guidance

Risk owners are encouraged to read the Risk Owners' Summary and Enterprise Considerations sections. Administrators and system integrators are encouraged to read the whole document.

It is important to remember that any guidance points given here are just recommendations; none of the suggestions are mandatory. Risk owners and administrators should agree a configuration which balances the business requirements, usability and security of the platform and use this guidance for advice where needed.

3. Risk owners' summary

When using KNOX 2.x as part of a remote working scenario, the following architectural choices are recommended to minimise risk:

  • All data-in-transit to and from the device should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to allow the devices and data on them to be protected by enterprise protective monitoring solutions.
  • Arbitrary third-party application installation by users is not permitted on the device. An enterprise application catalogue should be used to whitelist and distribute approved applications to devices.

Samsung KNOX Workspace enabled devices were assessed against each of the 12 security recommendations. Once testing had been completed there were no significant risks associated with the device when set up using the recommended settings.

4. Administrators' deployment guide

Overview

To meet the principles outlined in the End User Devices Security Framework, the recommendations below are given against each security principle.

Assured data-in-transit protection

The Samsung Galaxy S6, S6 Edge and Note4 devices' built-in VPN client has Foundation Grade approval. This built-in device client can be configured as a Samsung KNOX VPN client via a compatible MDM solution.

To route all data via the VPN, the ‘Per-App’ VPN should be configured for all applications on the device, both inside and outside the KNOX Workspace container. Using the per-app VPN in this configuration ensures that traffic from all applications is routed through the VPN. Applications will not have internet access until the VPN has connected.

Organisations may wish to set up two VPN profiles, one for all applications on the device, and a second for all applications within the KNOX Workspace container. This setup would allow traffic from less-trusted applications to be separated from the applications in the KNOX Workspace container that handle OFFICIAL material.

Assured data-at-rest protection

The KNOX Workspace container is encrypted by default, so applications and data relating to OFFICIAL material should be kept within it. Outside the KNOX Workspace, use the device’s native data encryption. The KNOX native email client has been enabled to use the Sensitive Data Protection (SDP) feature, and applications can take advantage of the SDP-protected "Chamber" folder to protect data while the device is locked as well as when it is turned off.

Only the Galaxy S6 and S6 Edge devices have Foundation Grade approval of their encryption.

Authentication

Devise a scheme which requires a strong password to access sensitive data. For example:

- a numeric PIN to access the device, then a strong password to access the KNOX Workspace container
- a strong password to access the device, then a shorter password or token to access the KNOX Workspace container

The scheme selected should be based on the usage model of the device. If the user keeps most of their sensitive data in the KNOX Workspace container, and would like easier access to non-sensitive applications and data outside the container, follow the first scheme above. Conversely, if the user does nearly all their work outside the container then the device password must be stronger, and the second scheme should be followed.

Whichever scheme is selected, the strong password must be complex, with a length of at least 9 characters including uppercase, lowercase and symbols. The KNOX password must be enforced with a complexity that meets the business need. Configure the device to self-wipe, and the KNOX Workspace container to be disabled, after a number of incorrect password attempts.

KNOX Workspace makes use of ARM TrustZone-based components together with the user's credentials to protect cryptographic material and strengthen the protection of data contained within it.

Secure boot

This requirement is met by the platform without additional configuration.

Platform integrity and application sandboxing

KNOX 2.x has several security features to verify the integrity of the phone software and hardware. Configure the MDM software to enable “Remote Attestation” to verify the integrity of the platform before creating the KNOX Workspace container.

The MDM client application is not verified by the KNOX platform as being unmodified. A social engineering attack could result in a compromised MDM client being installed. To prevent this, device enrolment should only be performed by an administrator and users should not be permitted to re-enrol.

Application Whitelisting

Samsung KNOX enabled devices allow an MDM to fully control applications both inside and outside the KNOX Workspace container, including maintaining an application installation whitelist.

Optionally, the administrator can allow the user to install applications already installed on the personal side of the device into the KNOX Workspace container, or enable the use of Google Play in the KNOX Workspace container. If either option is enabled, the administrator can still control installation via whitelisting.

All enterprise applications should be deployed within the KNOX Workspace container; enterprise applications outside the KNOX Workspace container should be limited.

Some MDM servers allow an enterprise application catalogue to be established to permit users access to an approved list of applications via the MDM client. If the Play Store or KNOX Store is enabled, an MDM should be used to control and monitor which applications a user can install.

Malicious code detection and prevention

Where possible, an enterprise application catalogue containing only vetted applications should be used. If the Google Play or KNOX store is enabled, a whitelist should be used to control which applications may be downloaded. Content-based attacks can be filtered by scanning capabilities in the enterprise.

Several third-party anti-malware products exist which attempt to detect malicious code for this platform and can be used if desired.

Applications hosted in the Google Play marketplace are scanned for potentially harmful or malicious activity prior to being made available for download.

Security policy enforcement

MDM software can be used to enforce security policies on both the device and the KNOX Workspace, and to prevent the user from altering security-related settings.

Not all MDM products support the full range of KNOX and Android settings. Choose an MDM provider which supports the required configuration settings for your particular deployment to ensure they are applied securely.

External interface protection

Wi-Fi, NFC, Bluetooth and the use of USB interfaces can all be disabled. At a minimum, USB debugging should be disabled via policy.

Device Update Policy

MDM software can be used to audit which apps and OS versions are installed on a device. Some MDM servers may provide an application update policy to ensure that apps are updated.

The user is responsible for installing OTA updates, but the administrator can prevent OTA updates and view which OS version a user has installed via the MDM.

Event collection for enterprise analysis

The MDM server can be used to retrieve information from the device such as installed applications, the last time the device was seen by the MDM, policy compliance, and location information. The extent of the available event collection will depend on the MDM in use.

Additionally, some MDM servers support the Audit and Logging features which Samsung KNOX adds to the Android platform. Logs created on the device, including failed unlock attempts, can be retrieved using an MDM which supports this feature.

Incident Response

Samsung KNOX Workspace enabled devices support remote wipe when used in conjunction with a suitable MDM, which can be configured to selectively wipe the KNOX Workspace container, the device, or both, and to uninstall the entire KNOX Workspace container. The SD card may also be wiped if configured in policy.

In addition to this, Samsung KNOX Workspace enabled devices offer a device attestation mechanism, enabling the device to attest its integrity to the MDM, or to include tamper incident logs which can be responded to.

Access to the enterprise network can be prevented by revoking the VPN client certificate associated with a lost or stolen device. Additionally, the client certificates for any other enterprise servers (such as email) that are stored on the device should be revoked.

It is recommended that all remote or mobile working scenarios use a typical remote access architecture based on the Walled Garden Architectural Pattern.

Configure the Samsung KNOX Workspace enabled device’s global HTTP proxy so that it is used for both the device and the KNOX Workspace container.

Figure: Recommended network architecture for deployments of Samsung devices with KNOX 2.x
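As an added example (not part of the CESG guidance), the following Python checks failed-unlock audit events of the kind the event collection principle says an MDM can retrieve, and flags devices that are approaching or have reached the five-attempt limit recommended in the policy settings below. The record format, device identifiers and the export itself are constructed for illustration; real MDM exports differ by product.

```python
import re
from collections import defaultdict

MAX_FAILED = 5            # "Maximum failed attempts: 5" in the policy tables
WARN_AT = MAX_FAILED - 2  # raise a warning two failures short of the limit

# Constructed record format for illustration; real MDM exports differ.
LINE = re.compile(
    r"(?P<ts>\S+) device=(?P<dev>\S+) scope=(?P<scope>device|container) "
    r"event=(?P<event>unlock_ok|unlock_failed)$")

# Constructed sample export: three devices, one malformed line.
SAMPLE_LOG = """\
2016-08-11T09:14:02Z device=SGS5-0001 scope=container event=unlock_failed
2016-08-11T09:14:20Z device=SGS5-0001 scope=container event=unlock_failed
2016-08-11T09:14:41Z device=SGS5-0001 scope=container event=unlock_ok
2016-08-11T11:02:07Z device=SGS5-0002 scope=device event=unlock_failed
2016-08-11T11:02:30Z device=SGS5-0002 scope=device event=unlock_failed
2016-08-11T11:02:55Z device=SGS5-0002 scope=device event=unlock_failed
2016-08-11T11:03:10Z device=SGS5-0002 scope=device event=unlock_failed
2016-08-11T11:03:33Z device=SGS5-0002 scope=device event=unlock_failed
2016-08-11T12:40:00Z device=SGS5-0003 scope=container event=unlock_failed
2016-08-11T12:40:19Z device=SGS5-0003 scope=container event=unlock_failed
2016-08-11T12:40:44Z device=SGS5-0003 scope=container event=unlock_failed
malformed line that the parser should skip
"""

def consecutive_failures(log_text):
    """Current run of failed unlocks per (device, scope); a successful
    unlock resets the run, mirroring the counter the policy enforces."""
    runs = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["dev"], m["scope"])
        runs[key] = 0 if m["event"] == "unlock_ok" else runs[key] + 1
    return dict(runs)

def classify(log_text):
    """Label each (device, scope) as 'limit_reached', 'warning' or 'ok'.
    At the limit the policy wipes the device or disables the container."""
    labels = {}
    for key, n in consecutive_failures(log_text).items():
        if n >= MAX_FAILED:
            labels[key] = "limit_reached"
        elif n >= WARN_AT:
            labels[key] = "warning"
        else:
            labels[key] = "ok"
    return labels
```

A device labelled "warning" is a candidate for contacting the user before the wipe occurs; a "limit_reached" device should already have been wiped or had its container disabled, and the certificate revocation steps under Incident Response apply.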

Preparation for deployment

For an enterprise deployment of Samsung KNOX Workspace enabled Android devices that is suitable for organisations working with OFFICIAL data, administrators should:

  1. Deploy and configure the requisite network components as described above.

  2. Procure and set up an MDM server that is compatible with KNOX and is able to enforce the settings given in the Recommended policies and settings section below.

  3. Create MDM security profiles for the Samsung KNOX Workspace enabled devices in line with the guidance given in the Recommended policies and settings section, and associate these profiles with the devices.

Device provisioning steps

The following steps should be followed to provision each device onto the enterprise network to prepare it for distribution to end users.

  1. Install the MDM client on the device, and enrol the device into the MDM. The enrolment process will vary according to the MDM in use.
  2. Install the KNOX compatible VPN client; this should be done via the MDM if possible.
  3. Push the MDM policy to the device. If the MDM does not allow configuration of any of the following via policy, it should be done manually. Dependent on the MDM, policies should be applied for the following configuration settings:

    1. Install and configure the KNOX Workspace container.
    2. Configure on-device security settings.
    3. Install required user, device and required trusted CA certificates for the organisation on the device. MDM software may automate this process.
    4. Ensure that only trusted apps are installed and enabled on the device (disable or delete unnecessary apps both inside and outside the KNOX Workspace container including Google Play and the KNOX Store).
    5. Ensure that all enterprise apps are installed inside the KNOX Workspace container. Apps outside the KNOX Workspace container should be restricted to basic functionality, and personal web browsing if desired.
    6. Configure a per-app VPN profile for all applications inside the KNOX Workspace container. This can be done with a single setting, and does not require each application to be set up individually to use the VPN.
    7. Configure a per-app VPN profile for all applications permitted outside the KNOX Workspace container. This can be done with a single setting, and does not require each application to be set up individually to use the VPN.
    8. Configure the KNOX email client to connect to the enterprise server using client certificate authentication.
    9. Configure the device’s global HTTP proxy so that it is used for both the device and the KNOX Workspace container.

The following settings should be applied from the MDM interface. As all MDMs vary, the text accompanying the setting may be slightly different to that shown below.

KNOX Workspace container policies

The following policy should be applied to the KNOX Workspace container. Each configuration rule is followed by its recommended setting.

App stores: Disable the Samsung KNOX and Google Play app stores. Applications from these stores that are required may be installed using the out-of-Workspace store app, then installed inside the Workspace container using the KNOX settings utility.

Allow applications to be moved into the Workspace: Enable. Applications that can be moved into the container are restricted by the whitelist.

Whitelist Applications: Whitelist essential applications for accessing and manipulating corporate data only, e.g. mail client, browser and office suite. If the KNOX Store or Google Play store is permitted, allow only applications in the whitelist to be installed.

Browser: Enable.

VPN: Apply the Per-App VPN to all applications in the KNOX Workspace container, including background services and widgets.

Email: Configure the email client to connect to the enterprise server using client certificate authentication.

Email account addition: Disable. This prevents users adding additional email accounts within the Workspace.

HTTP Proxy: Set the enterprise proxy IP as both the device and KNOX proxy. This will prevent network traffic which is not configured to use the VPN from reaching the Internet.

Password*:
- Enable KNOX Password Policy: True
- KNOX Timeout: 30 minutes
- Maximum failed attempts: 5
- Minimum length: 8 characters
- Quality: Alphanumeric
- Password history: 8
- Maximum passcode age: 90 days
- Minimum character changes: Set to greater than 1 to prevent incremental password change.

Credentials: Required client certificates should be installed via policy.

Permit moving files into the KNOX Workspace container: False

Permit moving files out of the KNOX Workspace container: False

KNOX Workspace data synchronisation: The following settings should be set to ‘disallow’ to prevent data being moved into and out of the KNOX Workspace container:
- Preview KNOX notifications
- Export contacts to personal mode
- Export calendar items to personal mode

*The choice of KNOX Workspace container password complexity may be altered according to the organisational requirement. Given assurance that the whole device is controlled by policy as per the guidelines, the complexity of the container password may be reduced as suggested here. However, the organisation may choose to enforce a greater level of complexity for the Workspace container password.

Samsung KNOX Workspace enabled device policies

The following policies should be applied outside the KNOX Workspace container. These settings will promote use of the KNOX Workspace container and secure residual data and activity outside it. Each configuration rule is followed by its recommended setting.

App stores: Disable or remove the Google Play and Samsung App stores, and prevent the installation of applications from unknown sources.

Whitelist Applications: Disable or remove unnecessary applications. If the Google Play store is permitted, allow only applications in the whitelist to be installed.

Developer Mode: Prevent all developer mode settings, including USB debugging and USB storage mode.

Common Criteria (CC) Mode: Enable CC mode.

Encrypted storage: Enforce internal encryption.

SD card: Disable access to the SD card.

HTTP Proxy: Set the enterprise proxy IP as both the device and KNOX proxy. This will prevent network traffic which is not configured to use the VPN from reaching the Internet.

Password*:
- Require Password: True
- Minimum length: 8 characters
- Maximum failed attempts: 5
- Require complex password: True
- Password must contain uppercase, lowercase and symbols
- Passcode history: 8
- Maximum passcode age: 90 days
- Wipe external storage during device wipe: True
- Lock timeout: 10 minutes

VPN: Apply the Per-App VPN to all applications outside the KNOX Workspace container, including background services and widgets.

Certificates: Enable certificate validation at install. Install enterprise certificates (including VPN certificates and organisation CA certificates).

Interfaces: Disable unnecessary interfaces, e.g. USB interface, Bluetooth, NFC.

Attestation: Verification of KNOX attestation status should be required.

TIMA Key Store: Enable.

ODE Trusted Boot Verification: Enable.

*The choice of device password complexity may be altered according to the organisational requirement. If the whole device is controlled by policy as per the guidelines, the complexity of the container password may be reduced as suggested here. However, the organisation may choose to enforce a greater level of complexity for the container password.
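As an added illustration (not part of the CESG guidance), the following Python class models the password settings from the two policy tables above so that their combined effect can be checked: the device complexity rules (length, uppercase, lowercase, symbol), password history, maximum age, the container table's minimum character change rule, and the five-attempt limit after which the device wipes or the container is disabled. The class, its method names and the use of a plain day number for dates are this example's own assumptions, not a KNOX or MDM API.

```python
import hashlib
import string

class PasswordPolicy:
    MIN_LENGTH = 8    # Minimum length: 8 characters
    HISTORY = 8       # Passcode history: 8
    MAX_AGE = 90      # Maximum passcode age: 90 days
    MAX_FAILED = 5    # Maximum failed attempts: 5
    MIN_CHANGES = 2   # Minimum character changes: greater than 1

    def __init__(self):
        self.history = []     # SHA-256 of previous passwords, newest last
        self.current = None   # plaintext kept only so changes can be counted
        self.set_on = None    # day number on which the password was set
        self.failed = 0       # consecutive failed unlock attempts
        self.wiped = False    # set once the failure limit is reached

    def check_complexity(self, pw):
        """Return the names of the complexity rules a candidate violates."""
        rules = {
            "length": len(pw) >= self.MIN_LENGTH,
            "uppercase": any(c.isupper() for c in pw),
            "lowercase": any(c.islower() for c in pw),
            "symbol": any(c in string.punctuation for c in pw),
        }
        return [name for name, ok in rules.items() if not ok]

    @staticmethod
    def char_changes(old, new):
        """Differing positions plus length difference; 'Summer01!' -> 'Summer02!' is 1."""
        return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

    def set_password(self, pw, day):
        """Apply every rule; return [] on success or the violated rule names."""
        digest = hashlib.sha256(pw.encode()).hexdigest()
        problems = self.check_complexity(pw)
        if digest in self.history[-self.HISTORY:]:
            problems.append("history")
        if self.current and self.char_changes(self.current, pw) < self.MIN_CHANGES:
            problems.append("min_changes")
        if problems:
            return problems
        self.history.append(digest)
        self.current, self.set_on, self.failed = pw, day, 0
        return []

    def expired(self, day):
        """True once the maximum age has elapsed since the password was set."""
        return self.set_on is None or day - self.set_on >= self.MAX_AGE

    def attempt(self, pw):
        """Unlock attempt: the fifth consecutive failure triggers the wipe."""
        if not self.wiped and pw == self.current:
            self.failed = 0
            return True
        self.failed += 1
        self.wiped = self.wiped or self.failed >= self.MAX_FAILED
        return False
```

The minimum character change rule is what stops a user satisfying the 90-day rotation with "Summer01!" followed by "Summer02!"; the history check alone would not catch that.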

VPN configuration

The Samsung Galaxy S6, S6 Edge and Note4 devices' built-in VPN client should be configured for Samsung KNOX using a compatible MDM, and configured with the PSN End State IPsec profile in the CPA Security Characteristic.

This VPN profile should be applied as a Per-App VPN to all applications on the device. A ‘Per-App’ profile does not require each app to be individually configured to work with the VPN; it causes the VPN to start automatically and all app traffic to be routed via the VPN tunnel.

6. Enterprise considerations

The following points are in addition to the common enterprise considerations, and contain specific issues for deployments of Samsung KNOX Workspace enabled devices.

Choice of MDM provider

Not all MDM solutions are capable of interacting with all KNOX APIs. It is essential that system architects evaluate which policies their MDM solution will enable them to set, noting that currently no MDM solution can set all KNOX policy types. MDM solutions that cannot set the policies specified in section 8 should not be considered for use. Specifically, enabling CC mode requires either an MDM which supports the feature or the installation of an Android application onto each device to enable the mode. Further details can be found in the "Samsung Android 5 on Galaxy Devices - Guidance documentation for CC and CPA" document.

Many MDM providers now offer cloud-based solutions. Organisations that wish to use cloud-based MDM products must take into consideration the risk of placing the security and control of their devices and data under a third party.

KNOX Workspace

The KNOX Workspace provides additional security features over the underlying Android platform. Users can store all or some of their enterprise data in the KNOX Workspace container, providing enhanced protection.

  • For users working primarily with sensitive data, the majority of their work will be within the KNOX Workspace container. The Android platform outside the KNOX Workspace container is used for non-sensitive work.

  • Users who only access sensitive data occasionally can use the KNOX Workspace container when they are required to work with that sensitive data, doing the non-sensitive majority of their work outside the container.

  • Enterprise applications and data should be kept within the KNOX Workspace container where possible. Unnecessary applications outside the container should be removed or managed using an appropriate whitelist.
