The Samsung Knox Premium SDK adds rich security measures to mobile device management solutions. With these added measures, you can reduce security threats and risks from lost or stolen devices that contain sensitive corporate data. Providing over 400 API methods, this SDK lets you manage areas such as Knox containers, SE (Security Enhancements) for Android, SmartCards, certificate enrollment, and the TrustZone-based key store.
The Knox Premium SDK also bundles in the Knox Standard SDK, giving you access to over 1500 API methods for managing mobile devices.
How it works
On a mobile device, the Knox framework provides many security features. First and foremost is the Knox container, which was significantly improved with the Knox 2.0 release. The container protects your enterprise apps and data from the personal apps and processes outside the container. Within the container, SSO, VPN, and SmartCard frameworks provide added security and also ease the adoption of different IdPs, VPN clients, and SmartCard readers.
The Knox Premium SDK provides over 400 API methods that let your app control these device features:
- Knox containers — You can create a secure container to protect corporate apps and data from potential malware outside the container. You can also fully control, manage, and restrict interactions between apps inside and outside the container.
- Single Sign-On (SSO) — You can choose the Identity Provider (IdP) used by selected apps inside the secure Knox container. (These whitelisted apps can add SSO authentication through the Generic SSO SDK for ISVs or Samsung SSO SDK.) Through a generic SSO framework, apps can use a generic API call to authenticate users through one of several supported IdPs.
- Virtual Private Networks (VPNs) — You can set up multiple secure VPN tunnels to protect data being sent to and from apps inside the container. You can identify which container apps use which tunnels, and separate the data being sent by apps inside the container from that being sent by apps outside the container. Through a generic VPN framework, apps can set up VPN tunnels using one of several supported VPN clients.
- SmartCards — You can require that SmartCards (microUSB, bluetooth, virtual) be used to securely authenticate a user, unlock their device, sign/encrypt/decrypt e-mails, set up a VPN tunnel, or access high-security apps like those used in government or military. Through a SmartCard framework, apps can select from multiple SmartCard readers.
- Client Certificate Management (CCM) — You can use the TrustZone-based CCM to store and retrieve digital certificates, as well as other operations that use those certificates, for example, encryption, decryption, signing, and verification in a manner similar to the functions of a SmartCard.
- Certificate Enrollment Protocol (CEP) — You can perform certificate enrollment without the need of any manual intervention.
- Attestation — You can verify that a device has not been rooted or had its firmware corrupted. From a web server, you send an attestation request to a device, and use your device-based app sends back to the server TIMA (TrustZone-based Integrity Measurement Architecture) measurements that indicate the status of the device.
- Enterprise billing — You can separate the billing for personal and enterprise data usage. With this feature, employees can bring their own devices to work and use two different APNs to route personal and enterprise data connections.
- Remote control — You can use computers to connect to a remote device and get screen shots from or inject events into the device.
- Wi-Fi — You can provision Wi-Fi settings to wirelessly connect to the Internet (using 2.4 GHz UHF and 5 GHz SHF radio waves) and send and receive data through wireless connections.
For more detail about all the available API features, see the API Reference.
Knox Premium SDK v2.9 provides no new features, but deprecates these classes:
- SmartCardBrowserPolicy, SmartCardEmailPolicy, SmartCardPolicy
For details, see the Release Notes.
Knox Premium SDK v2.8 provides these new features:
Advanced certificate enrollment and management — Enhances network security between an Enrollment over Secure Transport (EST) client and EST server per RFC 7030. Enterprises can use the EST protocol to initiate a Certificate Signing Request and manage credential generation and communications. In the class CMCProfile, use these new constants KEY_ENCR_FROM_SERVER, KEY_ENCR_TYPE, and extras.
For details about the v2.8 API methods, helper classes, and constants as well as details about older SDK versions, see the Release Notes.
Knox Premium SDK v2.7.1 ensures that the Premium SDK v2.7 features work on devices with Android v7.x (Nougat). No new features were introduced.
For details about the v2.7 API methods, helper classes, and constants as well as details about older SDK versions, see the Release Notes.
Knox Premium SDK v2.7 provided these new features:
- Cross Container Intents — You can now allow activities in a managed profile to access intents sent from its parent profile, and allow activities in a parent profile to access intents sent from its managed profile. Use the new API method ContainerConfigurationPolicy.addCrossProfileIntentFilter. This is simply a wrapper that lets you use the Android API method DevicePolicyManager.addCrossProfileIntentFilter, without your app needing to be a device administrator.
- FIDO Biometric Authentication — You can now set the URIs of FIDO servers used for biometric (fingerprint, iris) authentication. These servers conform to the open specifications defined by the FIDO (Fast IDentity Online) Alliance. Use the new API method ContainerConfigurationPolicy.setFIDOInfo.
- Container Application Shortcuts — You can now add a shortcut to an app that is inside the Knox container to the device’s personal home screen. Use the new API method ContainerConfigurationPolicy.addHomeShortcutToPersonal.
- Container Customization — You can now customize a container name, icon, and badge, using the new API methods KnoxConfigurationType.setCustomizedContainerName, setCustomizedContainerIcon, and setCustomizedContainerBadge.
For more info about all the new API methods, helper classes, and constants as well as details about older SDK versions, see the Release Notes.
Knox Premium SDK v2.6 provided these new features:
- Data Loss Prevention (DLP) — Enables IT admins to enforce tighter policies on the Knox container and its apps to restrict and prevent enterprise data loss/leakage. Using Knox DLP APIs, admins can designate (through a whitelist) apps that can create, consume, and set expiration rules for its content. The content associated with so designated apps is known as "DLP content". Note that this feature is currently supported for Knox container only.
- Domain filters — Restricts internet access to a limited number of domains per application or device wide. You can now allow/block apps from accessing domain names specified by the given URLs.
- SE Container Clipboard isolation — You can now isolate SE Container and Global clipboard. This feature controls the user’s behavior on clipboard (copy and paste) between personal space and the container.
- SE for Android Policy Delivery updates — Enables the ability to enforce or disable usage of the SE for Android Policy Delivery (SPD) update mechanism.
- Universal Credential Management — The Samsung Knox Universal Credential Management (UCM) framework manages credential-related services on a mobile device, and provides a streamlined interface to the different developers and vendors who populate a mobile device with the following:
- credential-consuming apps
- credential-managing apps
- storage space
Ultimately, the streamlined interface of UCM helps independent parties accomplish their tasks while bypassing the complexity of their peer’s custom API.
New support enhancements:
- Attestation — To enhance the integrity of attestation, in addition to the nonce mechanism provided, MDMs wish to collect the measured and verified APK binary and have this result attached to the blob. This enables the ISV to know exactly which application made the call and collected the information.
- Audit log — You can now get the object to access the AuditLogPolicy object for the Knox container.
- Container enhancements — Some Android permissions could be used to interact across user boundaries, including across the Knox container boundary. This feature enables us to prevent this interaction for all but the necessary system apps. It also protects system app data files with SE for Android.
- Google Play™ for Work in Container — Android™ for Work offers Google Play for Work as mechanism to deploy work applications to managed profiles. IT admin can navigate to the Google Play Store admin console and silently deploy apps on the target employee devices.
- SEAMS Container Clipboard protection — The Knox platform supports various types of app "containers" that isolate and protect the data and interfaces for a set of apps. The three main categories of containers are: Knox Workspace, SEAMS containers, and Knox Enabled App (KEA). The feature outlined in this document enables MDM-control of clipboard protections for SEAMS containers. SEAMS containers are a type of generic container that can be created on the fly through our MDM APIs to isolate apps without the heavy UX and lockscreen requirements of the Knox Workspace. The clipboard protections allow device administrators to specify whether or not the data copied into the clipboard by SEAMS container apps should be accessible by apps outside of the container.
- Trust Anchor Management — Trust anchor is a trusted CA (Certification Authority) root certificate that is typically used by apps (such as browser, email) to validate a server certificate (say during SSL/TLS connection establishment) and for app-specific operations, such as secure email using S/MIME, verification of digitally signed documents. Starting with Knox SDK 2.6, Knox devices support trust anchors. Knox devices have Trusted Credentials store per user scope that maintains a list of trust anchors that are trusted by platform/container. Trust anchors provide the basis on which apps can trust a digital certificate they receive. If trust anchors can be changed/poisoned by unauthorized entities (such as unauthorized users/apps) it can lead to apps trusting the wrong entity (for example, the wrong server/website) which can further lead to issues such as leakage of information or credentials (username/password) to the wrong entities. This feature provides an effective solution to control certificates, enable certificate installation validation, user certificate removal, and certificate failure notification for the container without affecting other users.
- Data Loss Protection Policy group
- Knox Container Management Policy group
Get policy instance:
- Knox Container Remote Content Provider Policy group
For more info about the new features, support enhancements, policies, API methods, helper classes, and constants, see the Release Notes.
Next steps ...
- Instead of using legacy keys and the Knox Premium SDK, we recommend migrating your app to the Knox SDK and using its development license key.
- Review the Tutorial. This shows how to create your first app, in this case, an app that creates a secure Knox container on a device.
- Get the Sample Apps. These include all the source code files required to compile the apps.
- Browse the API Reference. This describes over 400 API methods, grouped by Android package and Java class. Also browse the API Reference for the Knox Standard SDK, which is bundled in with the Knox Premium SDK.
- Read the Developer Guide. This describes how to set up the development environment and deploy different features through sample code fragments.
If you would like an older version of the SDK or its documentation, please contact us.