Enrolling mobile devices into the enterprise network and remote management of these devices are key aspects of an enterprise mobility strategy. Key device management features of the KNOX platform include comprehensive management with over 1500 MDM APIs, Active Directory integration, KNOX Mobile Enrollment, and Enterprise Billing.
The various policy groups are classified into two major categories: Standard and Premium. The Standard Policy suite represents the continuous enhancements Samsung has made on top of Google Android's management capabilities since 2009. The SDK for these policy APIs is available to MDM vendors and other interested ISVs free of charge. Furthermore, no runtime license fee is associated with these APIs.
The KNOX Premium Policy suite is the collection of policy groups offering advanced capabilities such as management and control of the KNOX Workspace, security features such as the Trusted Boot-based TIMA KeyStore and Client Certificate Manager, Per-application VPN, and so on. The SDK for these policy APIs is also available at no charge; however, enterprises using these features are required to purchase a KNOX License that is verified on the device at runtime. The KNOX Audit Log meets MDFPP 2.0 audit requirements. IT Admins can select a set of events to audit and periodically push logs to the server.
KNOX provides an option for the IT Admin to choose an Active Directory password as the unlock method for KNOX containers. This has two important benefits. First, it allows IT Admins to use a one-password management policy for desktop and mobile devices. Second, the end user only needs to remember one password to access all services offered by the employer, thereby reducing employee password fatigue and improving productivity.
The KNOX platform provides a simplified enrollment solution for supported MDMs that is streamlined and intuitive, and eliminates many steps and human error.
Enrollment starts in one of two ways: through self-discovery using an email domain, or through an enrollment link provided to employees by e-mail, text message, or the company's internal or external website. Once the link is clicked, users are prompted to enter their corporate e-mail address. This action triggers the display of all required privacy policies and agreements. After accepting the terms, users enter a corporate account password to authenticate with the enterprise. Any agent application required is automatically downloaded and installed.
Samsung KNOX Mobile Enrollment allows IT Admins to enroll hundreds or thousands of employees at the same time. Samsung provides a web tool and an application to scan package bar codes (the device IMEI). This enrollment method is targeted for devices purchased for COPE enterprises and for supported carriers and resellers.
Another option for IT Admins is to use a master device to automatically enroll devices using NFC. The master device is configured by downloading an app from the Google Play™ store.
Enterprise Billing provides enterprises a mechanism to separate enterprise data usage from personal data usage. This enables enterprises to compensate their employees for costs generated because of work, particularly in BYOD cases, or to pay only for work-related data in COPE cases.
The KNOX platform supports Enterprise Billing from KNOX version 2.2 or above, and requires MDM support. Enterprises configure two Access Point Name (APN) gateways. One APN is for data associated with enterprise-approved apps, and a different APN is for all other personal data. Enterprises must first register with a network operator’s enterprise billing service. Once a new APN is provisioned for business use, KNOX Workspace can be enabled for that dedicated APN. IT Admins can also select individual apps inside or outside Workspace to use data over the enterprise APN.
The enterprise APN can also be configured to allow or disallow roaming. When roaming is enabled, personal data is routed through the default APN, and enterprise data is routed through a dedicated enterprise APN. By default, roaming over the enterprise APN is disabled. When a user is roaming in a single Packet Data Protocol (PDP) network, all enterprise apps are automatically routed to the personal APN for work continuity.