25 Apr 2017

What’s new in Knox 2.8?

By Knox Technical Publications Staff

Introducing Samsung Knox 2.8, which includes a number of platform updates and feature updates for individual SDKs. The Knox 2.8 platform is built into the new Samsung Galaxy S8 and S8+ devices and platform features are built into the device software. Other devices will receive firmware updates pending on the release schedule of each mobile service provider. To check the Knox version that’s currently running on your device, go to Settings > About device > Software info.

Let’s take a look at the 2.8 updates! 

Platform-based features are built into the device OS. All flagship devices include the following features:

Advanced security

Control flow protection

  • The Knox platform now prevents Return Oriented Programming (ROP) exploits. This enhancement restricts an attacker’s ability to hijack the control-flow of an OS kernel by encrypting return addresses before putting them on the stack.

VPN support over IPv6 networks

  • When using the Knox VPN framework, device users can now access network resources over an IPv6 network. Previously, any IPv6 servers proposed during the VPN tunnel negotiation were rejected.

Trustzone app rollback preventions

  • The Knox platform now checks the Trusted Application (TA) version and blocks older TA versions which may provide exploitable vulnerabilities.

Convenience for device users

Power Saving mode

  • Enterprises can allow power saving mode to extend battery life, or disallow power saving mode to optimize manageability. In power saving mode, for example, an EMM agent does not work normally and cannot receive policy updates from the IT admin server.

Accessibility apps access to Knox Workspace

  • IT admins can now whitelist the accessibility apps that can access the Knox Workspace container, for example, to read what is displayed on the screen while in the container. Previously, to reduce vulnerabilities, the Knox Workspace container blocked access from all third-party accessibility apps except Google TalkBack.

Microsoft Exchange ActiveSync (EAS) as default storage for Contacts/Calendar

  • If an EAS account is set up on a device, it is now used as the default storage for the contacts, events, and tasks in the Contacts and Calendar apps. Previously, the device was the default storage and device users could lose this data after switching devices or deleting the Knox Workspace.

Data Loss Prevention

Data Loss Prevention logs

  • Enterprises can now view audit logs to browse events associated with DLP-protected content. Both informational events about content accessed as well as critical security events about unauthorized access are logged.

Data Loss Prevention from browser

  • Enterprises can define a list of trusted web sites to which device users can upload classified content from the Internet app inside the Knox Workspace.

Management controls and compliance

Advance certificate enrollment and management

  • Enhances network security between an Enrollment over Secure Transport (EST) client and EST server per RFC 7030. Enterprises can use the EST protocol to initiate a Certificate Signing Request and manage credential generation and communications.

URL disclaimer in SMS/MMS messages

  • This feature is designed for regulated industries like banking, which need to attach a disclaimer to every SMS or MMS sent by their regulated employees, in order to comply with industry standards. Typically, the disclaimer links to a web page providing the full text of an organization’s legal disclaimer.

Emails sent outside a secure domain

  • This feature addresses financial industry requests to warn employees when they send emails outside their secure domain. Any destination email address lacking an approved address suffix is highlighted automatically in the native Email app.

Enterprise billing on dual SIM devices

  • Previously, the SIM1 card was used for enterprise billing by default. With this enhancement, you can select the SIM2 card for enterprise billing.

SDKs and Tools

Knox Customization Configurator

Knox Customization Configurator 1.6.1 and 1.6.2 releases include a number of improvements for System Integrators, IT admins, and end users.

Advanced KCC License management

  • The KCC license activation logic was enhanced to cater to customer requirements regarding license count. The license assignment in KCC pairs a device group with a certain license key. Once the license key is activated on a device, the license count is deducted. Previously, that device could not be reassigned with the same license key, but now it can with this feature enhancement.

Enhanced ProKiosk mode

  • The Knox Customization Configurator now supports the following customizing features: Automatic Power on, USB connection, Application URL restriction, Disable Flight mode, Disable OMC mode, Advanced Wi-Fi settings, and Custom booting/shutdown animations in ProKiosk mode.

Next Steps