Success story
Knox Platform for Enterprise (KPE) is a military-grade mobile solution for IT admins to manage and secure Samsung phones, tablets and watches for business.
KPE provides a set of advanced and unique mobile device security management features* to the underlying Android OS, for business customers and partners who require higher security standards.
Explore Knox Platform for Enterprise features below, or download the white paper for more details.
Knox Platform for Enterprise is part of Knox Suite. Learn more
Trusted by security experts and government agencies
Knox offers a secure, stable and enterprise-capable set of features across a wide range of use cases. In a 2019 Gartner report*, Knox platform received 27 out of 30 strong ratings.
See the Gartner Report Learn more about Android Enterprise Recommended
SOC 2
Common Criteria
FIPS 140-2 (USA, Canada)
DISA (USA)
ANSSI (France)
ISCCC (China)
BSI (Germany)
CCN (Spain)
STRK (Kazakhstan)
ASD (Australia)
AIVD (Netherlands)
NCSC (UK)
Traficom (Finland)
Knox has achieved more global government security and third-party analyst certifications than any other device, platform, or operating system.
KPE goes beyond Android Enterprise
The Knox Platform for Enterprise solution provides a robust set of features on top of the core Android Enterprise platform, to fill security and management gaps and meet the strict requirements of highly regulated industries.
The additional features in KPE have been designed to address more sophisticated security needs for confidential data, providing powerful features for Android for stringent requirements in highly regulated industries.
Feature comparison table
The following table summarizes unique advantages offered by KPE in addition to Android Enterprise.
Key Features
Legend
Fully supported
Partially supported (with differentiation added)
Partially supported
Not supported
| Key Features | KPE PREMIUM | KPE STANDARD | ANDROID ENTERPRISE* | KPE Differentiation | |||
|---|---|---|---|---|---|---|---|
| Hardware-backed trusted environment | Hardware Root of Trust | Fully supported | Fully supported | Partially supported | Device-unique hardware keys and one-time programmable fuses | ||
| Build trust | Fully supported | Fully supported | Partially supported | Hardware-backed | |||
| Maintain trust | Fully supported | Fully supported | Partially supported | Runtime kernel protection | |||
| Prove trust | Fully supported | Fully supported | Partially supported | Hardware-backed, device-identifiable | |||
| Robust data protection | Data at rest | Hardware-based data isolation | Fully supported | Partially supported | Partially supported | 3rd-party container support, granular configuration | |
| On-device encryption | Fully supported | Fully supported | Fully supported | ||||
| Sensitive data protection | Fully supported | Fully supported | Not supported | Data-at-rest protection even when device is in use | |||
| Data in transit | Flexible on-device VPN options | Fully supported | Partially supported | Partially supported | On-demand, dual-chaining, web protect over VPN, on-premise bypass | ||
| Gov.-certified built-in VPN client | Fully supported | Fully supported | Partially supported | Government-certified features | |||
| On-device firewall management | Fully supported | Fully supported | Not supported | URL based filtering, per-app control, blocked access logs | |||
| Comprehensive device management | Wide range of device configurations | Fully supported | Partially supported (with differentiation added) | Partially supported | Advanced authentication options, booting splash customization, etc. | ||
| Advanced mobile app management | Fully supported | Fully supported | Partially supported (with differentiation added) | Granular app management without Managed Google Play | |||
| System-level device feature restriction | Fully supported | Partially supported (with differentiation added) | Partially supported | Factory reset (recovery mode), firmware flashing (download mode) | |||
| Granular device monitoring and control | In-depth device usage | Fully supported | Not supported | Not supported | Audit logs | ||
| In-depth network usage | Fully supported | Not supported | Not supported | Network platform analytics | |||
| Optimized remote control | Fully supported | Fully supported | Partially supported | High performance, device-wide control; SECURE_FLAG overriding | |||
| Versatile credential/ certificate management | Universal Credential Management | Fully supported | Not supported | Not supported | Customizable Keyguard/ ODE | ||
| HW-based Client Certificate Management | Fully supported | Fully supported | Partially supported | Hardware-backed, wide range of CSR/ CEP support | |||
| Certified and trusted by experts and government bodies | Fully supported | Partially supported | Partially supported (with differentiation added) | Most "strong" ratings by Gartner | |||
|
|||||||
|
|||||||
|
|||||||
|
|||||||
|
|||||||
|
|||||||
*Android Open Source Project (AOSP) without Knox Platform for Enterprise
Hardware-backed trusted environment
KPE security begins in the factory with a hardware-backed trusted environment, upon which a chain of stringent security checks are performed on software components leading up to device boot and during run time.
Using Knox Verified Boot, KPE also checks for unauthorized or outdated bootloaders to ensure your device only starts up using valid bootloaders. During device operation, Real-time Kernel Protection (RKP)** protects your OS from kernel attacks by monitoring and preventing unauthorized modifications and attacks.
Manufacturing time
Irretrievable device-unique hardware keys and one-time programmable fuses, only accessible via the TrustZone.
Run-time
Real-time Kernel Protection
Prevent unauthorized Kernel access or code modification in run-time. Block authorized system partition modification.
Run-time
Device Health Attestation
Verify the integrity of device security on demand. Measurements guaranteed per device (device ID mapping)
Robust data protection
Knox Platform for Enterprise uniquely protects data at rest by encrypting it not only when a device is powered off, but also when it is powered on but locked. It also provides further protection by allowing enterprise data to be isolated in secure app/ data containers, such as Work Profile, which can be managed with security policies separately from the rest of the device.
To secure data in transit, KPE offers several differentiated and even more secure VPN options, such as per-app/container and device-wide VPN, on-demand VPN, VPN on-premise bypass, HTTP proxy over VPN, and VPN chaining.
Per-app/container and device-wide VPN to configure the scope of VPN connection
On-demand VPN for optimal connection based on target application usage.
HTTP Proxy over VPN to allow web proxy settings to function while traffic is flowing over a VPN tunnel.
Comprehensive device management
Knox Platform for Enterprise gives IT admins granular device management at the system level to solve common frustrations when mass deploying devices. If your organization uses Android for work purposes, you can deploy hundreds of differentiated security policies that change and manage device settings, such as email, authentication, connectivity, container, and customization settings.
KPE also gives users granular and enforced Mobile Application Management (MAM) capabilities without Managed Google Play. Set system-level feature restrictions**, including Common Criteria mode, and policies to phone mirror with Samsung DeX.
Powerful device monitoring & control
Knox Platform for Enterprise provides powerful tools to monitor end-user activities, including data traffic usage, to ensure all device usage is under IT’s control.
Network analysis tools allow admins to view network patterns in real-time to detect potential threats or misconfigurations.
Remote phone access for IT admins to capture/stream device displays and inject keyboard and motion events.
Versatile credential and certificate management
Universal Credential Management (UCM) provides a plug-and-play framework for credential management across a variety of storage media.
The Client Certificate Manager (CCM) is another feature of KPE and augments the security of the Android Keystore. It supports features such as device-unique certificates, hardware tamper-proof fuses and supports a wide range of certificate enrollment protocols like:
Simple Certificate Enrollment Protocol (SCEP)
Certificate Management Protocol (CMP)
Certificate Management over Cryptographic Message Syntax, Enrollment Over Secure Transport (CMC-EST)
Find out more about how Knox Platform for Enterprise differentiates from Android Enterprise.
Features**
Comprehensive device management
Active Directory password on device
Enterprise roaming
New TIMA Keystore per-app API
Container lock, wipe
Advanced Container configurations
Power on and off control
App permission monitor management
Enhanced app permission monitor
Availability
Server options
Cloud or on-premise
License types
Monthly or yearlyGet started
Get a 90-day free trial
Get a free trial licence key to use Knox Platform for Enterprise in your MDM/EMM console.
Or purchase a commercial license
Purchase an annual licence from your local Knox reseller.
Contact a business sales expert
Our Knox sales team is ready to collaborate with you to address your biggest business challenges. Please provide your contact details to discuss a project with our sales team.
*Gartner, Inc. Mobile OSs and Device Security: A Comparison of Platforms, Patrick Hevesi, December 20, 2017
**Advanced features may not be supported on certain Samsung devices. Learn more >
Technical support
Already a Knox user? Log in to your Samsung Knox account to submit a support technical ticket.
