Samsung KNOX is a platform available for compatible Samsung Android devices that can be used to enhance device security when combined with a Mobile Device Management (MDM) platform, such as Systems Manager Enterprise. This article discusses the features available in Systems Manager Enterprise as part of this platform.
Note: While profiles containing Samsung KNOX settings can be applied to any device, they will only be effective on compatible Samsung devices.
Systems Manager Security Policies can also be used to control deployment of profiles to devices based on their compliance status.
Kiosk mode can be used to force a device to always run a single app full screen, with no access to other apps, device settings, etc. This is ideal for point-of-sale (POS) terminals, interactive displays, or similar applications.
To use the profile, ensure that both it and the desired app have been applied to the device. Read the article on Pushing apps and profiles to devices for more information. Once the app and profile are installed, the device will run the app in full-screen mode whenever it is online.
The blacklist functionality can be used to control which apps are allowed to be installed on devices. To enable:
Note: Managed apps (MDM > Apps) are NOT exempt from these restrictions. Managed apps will fail to deploy if blacklisted. Ensure these apps are either not blacklisted, or covered in the whitelist.
The App Blacklist is used to indicate any apps (or patterns) that users are not allowed to install on the device. Each app is listed by its package name (e.g. "com.meraki.sm" for the Systems Manager app), and wildcards can be used to blacklist groups of apps (e.g. "com.meraki.*" would block all Meraki apps).
Apps can easily be added by using the Search Apps button to search by display name, and then clicking the + icon to add the app to the list.
Apps can also be manually entered by typing the desired package name, or pattern, in the textbox. Once the desired pattern has been entered, click Add option.
Once the packages are added, they'll appear as individual bubbles in the field. To remove a package, click the X.
After the profile is pushed to the device, any user attempting to install apps that violate the blacklist will receive a message similar to the one shown below.
The App Whitelist is used to indicate any apps that should be explicitly allowed, overriding the blacklist. Package names are entered in the same way as blacklisted apps above.
Apps that were installed prior to the whitelist being created will remain on the device. Only future app installations will be subject to the whitelist.
The permissions blacklist prevents users from installing apps that require any of the selected permissions. Information about what each of these permissions provides is available in the Android Developer Documentation.
As an example, the ability to send or receive text messages (SMS/MMS) over cellular could be blocked by selecting the following permissions.
This could also be simplified using wildcards.
Blacklist and whitelist settings will be combined across profiles on a device, with whitelist settings taking priority. Thus, a general profile could be deployed to all devices with more restrictive settings, and then more apps allowed through a second profile with whitelist options.
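The combination and precedence rules described above can be checked offline before profiles are pushed. The following Python sketch is an added example, not Meraki code: it models the merge across profiles and the whitelist-over-blacklist priority, and flags managed apps that would fail to deploy. It assumes "*" behaves like a shell-style glob and that whitelist entries accept the same patterns; the profile dictionaries, function names and com.example.* packages are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample profiles (assumption: not a real Systems Manager format).
# BASE_PROFILE is the restrictive profile deployed to all devices;
# POS_PROFILE is a second profile that allows one extra app via its whitelist.
BASE_PROFILE = {"blacklist": ["com.example.*"], "whitelist": []}
POS_PROFILE = {"blacklist": [], "whitelist": ["com.example.pos"]}


def merge_profiles(profiles):
    """Union the blacklist and whitelist patterns of every profile on a device."""
    blacklist, whitelist = set(), set()
    for profile in profiles:
        blacklist.update(profile.get("blacklist", []))
        whitelist.update(profile.get("whitelist", []))
    return blacklist, whitelist


def install_allowed(package, profiles):
    """Return (allowed, reason) for a package name under the combined policy."""
    blacklist, whitelist = merge_profiles(profiles)
    # The whitelist is evaluated first because it overrides the blacklist.
    for pattern in sorted(whitelist):
        if fnmatchcase(package, pattern):
            return True, f"whitelisted by {pattern}"
    for pattern in sorted(blacklist):
        if fnmatchcase(package, pattern):
            return False, f"blacklisted by {pattern}"
    return True, "no matching rule"


def blocked_managed_apps(managed_apps, profiles):
    """Managed apps are not exempt: list those that would fail to deploy."""
    return [app for app in managed_apps if not install_allowed(app, profiles)[0]]


if __name__ == "__main__":
    device_profiles = [BASE_PROFILE, POS_PROFILE]
    for pkg in ["com.meraki.sm", "com.example.pos", "com.example.chat"]:
        print(pkg, install_allowed(pkg, device_profiles))
    print("would fail to deploy:",
          blocked_managed_apps(["com.example.pos", "com.example.chat"], device_profiles))
```

Running `blocked_managed_apps` against the list under MDM > Apps before deployment shows which managed apps need a whitelist entry or a narrower blacklist pattern.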