Kaspersky Secure Mobility Management

Configuring KNOX containers

This section contains information about working with KNOX containers on Samsung devices running Android.

Use of KNOX containers is available only on Samsung devices running Android version 6 or later.

In this section

About KNOX containers

Activating Samsung KNOX

Configuring Firewall in KNOX

Configuring an Exchange mailbox in KNOX


About KNOX containers

A KNOX container is a safe environment on a user's device that has its own desktop, launch panel, apps, and widgets. A KNOX container lets you isolate corporate apps and data from personal apps and data. A KNOX container is a component of the Samsung KNOX mobile solution.

Samsung KNOX is a mobile solution for configuring and protecting Samsung mobile devices running the Android operating system. For more details about Samsung KNOX, please visit the Samsung technical support website.

KNOX containers let you separate personal and corporate data on a mobile device. For example, it is impossible to use a personal mailbox to send a file that is located in a KNOX container. It is recommended to deploy a KNOX container if personal mobile devices of employees are used for working with corporate data.

To use KNOX containers, you must activate Samsung KNOX. After synchronizing a device with Kaspersky Security Center, the user of the mobile device will be prompted to install the KNOX container. Before installing the KNOX container, the user must accept the terms of the End User License Agreement from Samsung.

After the KNOX container is installed, the KNOX icon will be added to the desktop of the mobile device, or the workspace will be added to the app list on the mobile device. To work with corporate data, the user needs to start the app from the KNOX container.

Kaspersky Endpoint Security for Android is not installed to the KNOX container and does not protect corporate data. Kaspersky Endpoint Security for Android does not detect the downloading of malicious files or block malicious sites in the KNOX container. You cannot control app launch or prohibit the use of the camera in the KNOX container. Kaspersky Endpoint Security for Android protects private data only. You can protect corporate data with the Samsung KNOX tools. For more details about Samsung KNOX, please visit the Samsung technical support website.


Activating Samsung KNOX

To use a KNOX container on the user's mobile device, you must activate Samsung KNOX. The procedure for activating Samsung KNOX depends on the Kaspersky Endpoint Security for Android version installed on your users' devices:

  • If the current version of Kaspersky Endpoint Security for Android is installed on the devices, you do not need any keys to activate Samsung KNOX.
  • If an old version of Kaspersky Endpoint Security for Android (10.8.3.174 or earlier) is installed on the devices, you need to obtain a KNOX License Manager key (hereinafter referred to as a KLM key) from Samsung. A KNOX License Manager key is a unique code that is used by the Samsung KNOX licensing system. For detailed information about a KLM key, please refer to the Samsung KNOX Technical Support website.

Use of KNOX containers is possible only on Samsung devices.

To activate Samsung KNOX:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
  5. In the KNOX License Manager key field, specify the following:
    • If the current version of Kaspersky Endpoint Security for Android is installed on the devices, type any character.
    • If an old version of Kaspersky Endpoint Security for Android (10.8.3.174 or earlier) is installed on the devices, enter the KLM key received from Samsung.
  6. Set the Lock attribute to the locked position (closed lock icon).
  7. Click the Apply button to save the changes you have made.

Samsung KNOX will be activated after the next device synchronization with Kaspersky Security Center. The user will be prompted to accept the terms of the End User License Agreement from Samsung and install the KNOX container.

To deactivate Samsung KNOX:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
  5. Clear the KNOX License Manager key field value.
  6. Click the Apply button to save the changes you have made.

Samsung KNOX will be deactivated after the next device synchronization with Kaspersky Security Center. Access to the KNOX container will be blocked.

Samsung KNOX limitations

  • Use of KNOX containers is available only on Samsung devices.
  • On Samsung devices that support KNOX 2.6, 2.7 and 2.7.1, Web Protection and App Control do not work in a KNOX container. This issue is related to the lack of required permissions in the KNOX container (Accessibility service). On devices that support KNOX 2.8 or later, all components of the app operate without limitations.
  • Kaspersky Endpoint Security for Android versions prior to Service Pack 4 Maintenance Release 3 Update 2 may be unstable on Samsung Android 10 devices due to Samsung KNOX updates. It is recommended to update Kaspersky Endpoint Security for Android to version Service Pack 4 Maintenance Release 3 Update 2.

Configuring Firewall in KNOX

You should configure the Firewall settings to monitor network connections in a KNOX container.

To configure Firewall in a KNOX container:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
  5. In the Firewall window, click Configure.

    The Firewall window opens.

  6. Select the Firewall mode:
    • To allow all inbound and outbound connections, move the slider to Allow all.
    • To block all network activity except that of apps on the list of exclusions, move the slider up to Block all but exceptions.
  7. If you have set the Firewall mode to Block all but exceptions, create a list of exclusions:
    1. Click Add.

      This opens the Exclusion for Firewall window.

    2. In the App name field, enter the name of the mobile app.
    3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
    4. Click OK.
  8. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
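
In Block all but exceptions mode, a mistyped package name leaves the intended app blocked, so it helps to review the exclusion list before entering it in the console. The following is an added example, not part of the Kaspersky documentation or product: a Python check over planned App name / Package name pairs. The function name, the sample entries, and the use of Android's application ID naming rules as the validity test are assumptions; the page does not describe what validation the console itself performs.

```python
import re

# Assumption: Android application ID rules. At least two dot-separated
# segments, each starting with a letter, then letters, digits or underscores.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def review_exclusions(entries):
    """Check (app_name, package_name) pairs planned for the Firewall exclusion list.

    Returns (accepted, problems): accepted is the de-duplicated list to enter
    in the Exclusion for Firewall window, problems is a list of findings.
    """
    accepted, problems, seen = [], [], {}
    for row, (app_name, package) in enumerate(entries, start=1):
        app_name, package = app_name.strip(), package.strip()
        if not app_name:
            problems.append(f"row {row}: empty App name for {package!r}")
            continue
        if not PACKAGE_RE.match(package):
            problems.append(f"row {row}: {package!r} is not a valid package name")
            continue
        if package in seen:
            problems.append(f"row {row}: {package!r} duplicates row {seen[package]}")
            continue
        seen[package] = row
        accepted.append((app_name, package))
    return accepted, problems


# Constructed sample list (hypothetical apps, not from any real deployment).
SAMPLE = [
    ("Example Mail", "com.mobileapp.example"),
    ("Example Mail copy", "com.mobileapp.example"),  # same package listed twice
    ("Wildcard attempt", "com.mobileapp.*"),         # pattern, not a package name
    ("Display name pasted", "Example Mail"),         # app name typed in the wrong field
    ("Example Chat", "com.mobileapp.chat_2"),
]

if __name__ == "__main__":
    ok, issues = review_exclusions(SAMPLE)
    for name, pkg in ok:
        print(f"add: {name} -> {pkg}")
    for issue in issues:
        print(f"fix: {issue}")
```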


Configuring an Exchange mailbox in KNOX

To work with corporate mail, contacts, and the calendar in a KNOX container, you should configure the Exchange mailbox settings (available only on Android 9 and earlier).

To configure an Exchange mailbox in a KNOX container:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Manage Samsung KNOX → KNOX containers section.
  5. In the Exchange ActiveSync window, click the Configure button.

    The Exchange mail server settings window opens.

  6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
  7. In the Domain field, enter the name of the mobile device user's domain on the corporate network.
  8. In the Synchronization interval drop-down list, select the desired interval for mobile device synchronization with the Microsoft Exchange server.
  9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box.
  10. To use digital certificates to protect data transfer between the mobile device and the Microsoft Exchange server, select the Verify server certificate check box.
  11. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
