The Samsung KNOX Workspace Settings policies enable users to create a Samsung KNOX enterprise container when they enroll their device, and let you manage the policy settings that apply while users are in the container. For example, you can configure separate Exchange Sync, VPN, IMAP/POP email, firewall, and device restriction settings for Samsung KNOX containers.
The following tables summarize the policies in Samsung KNOX Workspace Settings. See “List of device configuration policies” on page 1 for the full list.
See “Working with Samsung KNOX devices” on page 17 for procedures that show you how to use a KNOX Workspace Settings policy to enable users to create a Samsung KNOX container and add a mobile application to the Applications SSO whitelist.
Samsung KNOX Workspace policies

Policy: Configure applications that can sync with container
To do this: Synchronize data between the personal and KNOX mode instances of the Contacts and S Planner (Calendar) applications.

Policy: Enable Common Criteria mode
To do this: Enable the following policies for Samsung Workspace devices only:
• Common Mobile Settings/Encrypt internal onboard storage: the user encrypts the internal onboard storage from the SETUP REQUIRED screen in the Samsung SDS CellWe EMM client.
• Common Mobile Settings/Passcode Settings/Maximum number of failed attempts: the number of failed attempts is set to the value you specify in the Enable Common Criteria mode policy, for Samsung devices only.
• Samsung KNOX Device Settings/Security Settings/Encrypt removable storage: the user encrypts the removable storage from the SETUP REQUIRED screen in the Samsung SDS CellWe EMM client.
In addition, when you set Enable Common Criteria mode, the Common Mobile Settings/Passcode Settings/Passcode History policy is disabled.
These policy settings are implemented on the devices only; they are not indicated in the Admin Portal policy set or in the Active Directory group policy object. This allows you to keep separate settings for these policies for other types of devices.
Common Criteria mode puts the target device in an operational mode that enforces the following security features and policies:
• The bootloader blocks KIES download mode, enforces an integrity check of the kernel, and self-tests the crypto modules.
• The device verifies an additional signature on firmware-over-the-air (FOTA) updates using an RSA-PSS signature, and uses a FIPS 140-2 validated crypto module for EAP-TLS Wi-Fi connections.
Note: This policy is only available on the following KNOX 2 devices: Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy NotePro, Galaxy Note 10.1 and Galaxy Note 10.1 2014 Edition.

Policy: Enable Enterprise Billing
To do this: Enable separate bill generation for personal and enterprise data usage.
To enable enterprise billing, two different Access Point Names (APNs) are configured on the KNOX device. Personal data is routed via the default APN and enterprise data is routed via the dedicated enterprise APN specified in the policy.
Note: This policy is only available for KNOX 2.1 devices.

Policy: Enable KNOX container
To do this: Enable the device to allow the user to create a Samsung KNOX enterprise container after the device is enrolled.
See “Enabling the device to allow users to create an enterprise container” on page 20 for more details.
Note: On some Samsung devices, users can also create a KNOX personal container. You do not need to set a policy to allow them to create the personal container.
Policy: Enable ODE Trusted Boot verification
To do this: Enable to consider the attestation state before decrypting the data partition.
Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current attestation status is shown in the device details in Admin Portal.

Policy: Enable TIMA Key Store
To do this: Enable to use the TIMA key store to store symmetric keys, RSA key pairs, and certificates. The TIMA key store is implemented as a key store provider for the Java KeyStore class. When this policy is enabled, it provides TrustZone-based secure storage and controls access based on the attestation state.
Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current attestation status is shown in the device details in Admin Portal.

Policy: Require attestation verification
To do this: Enable to consider the attestation state before allowing the user to create a KNOX container.
Attestation confirms that the boot loader, kernel, and system software have not been tampered with. Attestation is performed when the user boots the device and periodically thereafter. The current attestation status is shown in the device details in Admin Portal.

Policy: VPN Settings
To do this: Configure VPN profiles for Samsung KNOX Workspace devices.

Policy: Enable Google Play store
To do this: Allow users to install applications in a KNOX version 2 container from Google Play.
Note: This policy does not apply to devices with KNOX version 1 containers.

Policy: Exchange Sync Settings
To do this: Configure the Exchange Sync profiles for server communications and account synchronization for the email application running in the Samsung KNOX container.

Policy: IMAP and POP Settings
To do this: Configure account profiles for IMAP and POP mail servers. These settings only apply to the mail application running in the Samsung KNOX container.

Policy: Per app VPN settings
To do this: Map a mobile application to a specific VPN connection for applications installed in the container. You can specify multiple VPN profile and application pairs. You configure the VPN profiles in the Samsung KNOX Workspace VPN Settings policy.

Samsung KNOX Workspace Container categories and policies
Category: Application Management
To do this: Define a variety of operating parameters for applications installed in the container. For example, policies are provided that let you:
• Define which mobile applications are allowed to use the KNOX container single sign-on service.
• Define which applications can be installed and added to the home screen.
• Define which applications can synchronize data with applications outside the container.
• Define which applications are disabled.
Note: If you are installing any applications that use the Samsung KNOX SSO service, you must add them to the Application SSO whitelist policy in this category before users can open them. See “Adding mobile applications that use SSO to the Application SSO whitelist” on page 24 for the details.

Category: Browser Settings
To do this: Control browser behavior; for example, enable or disable pop-up windows, cookies, and JavaScript.

Category: Container Account Settings
To do this: Create a whitelist and blacklist of user accounts to limit the types of accounts users can create in the KNOX container.

Category: Email Settings
To do this: Control email application behavior; for example, prohibit adding new accounts and forwarding email through a personal account.

Category: Firewall Settings
To do this: Configure URL filtering and iptables allow and deny rules.

Category: Passcode Settings
To do this: Configure rules governing passcode properties (for example, minimum length, character occurrence, number of complex characters, and sequence length), usage (for example, number of failed attempts, visibility, and history), and quality.
Notes:
• The Minimum password length policy sets the minimum length for both the password and the PIN.
• The “Require two factor authentication” policy is only available for devices that have a fingerprint reader, and it applies only to opening the container (it does not apply to unlocking the device).
• There are several more passcode policies in the Advanced category. Changing the settings in these policies requires all users affected by the policy to change their password, regardless of whether their current password meets the new criteria.

Category: Restriction Settings
To do this: Permit or prohibit use of container and device features, such as moving files between the device and the container, screen capture, the camera, and more.