Kaspersky Secure Mobility Management

Samsung Knox

Samsung Knox is a mobile solution for configuring and deploying Samsung mobile devices running the Android operating system. For more details about Samsung Knox, please visit the Samsung technical support website.

In this section

Installation of Kaspersky Endpoint Security for Android via Knox Mobile Enrollment

Configuring Knox


Installation of Kaspersky Endpoint Security for Android via Knox Mobile Enrollment

Knox Mobile Enrollment (KME) is part of the Samsung Knox mobile solution. It is used for batch installation and initial configuration of apps on new Samsung devices.

Installation of Kaspersky Endpoint Security for Android via Knox Mobile Enrollment consists of the following steps:

  1. Creating a Knox profile with the Kaspersky Endpoint Security for Android app
  2. Adding devices in Knox Mobile Enrollment
  3. Installing the Kaspersky Endpoint Security for Android app on the user's mobile devices

For more details about working with Knox Mobile Enrollment, please refer to the Knox Mobile Enrollment User Guide.

Deployment via Knox Mobile Enrollment is possible only for supported Samsung devices.

In this section

Creating a Knox profile

Adding devices in Knox Mobile Enrollment

Installing the app


Creating a Knox profile

A Knox profile is a profile that contains links to apps for their quick deployment and initial configuration on mobile devices.

To create a Knox profile:

  1. Sign in to the Samsung Knox console > Knox Mobile Enrollment.
  2. Select the Profiles section.
  3. Click Actions > Create profile.

    The Create New Profile wizard starts.

  4. Select Android Enterprise as the profile type.
  5. In the Android enterprise profile details window that opens, specify the following settings:
    1. In the Basic information section, enter general information about the Knox profile: Profile name and Description.
    2. In the EMM information section, in the Pick your EMM field, select Other.
    3. In the EMM agent APK field, enter the path to the APK installation file.

      The installation file for Kaspersky Endpoint Security for Android is included in the Kaspersky Secure Mobility Management distribution kit. First, download the APK installation file. Then place the APK installation file on the Kaspersky Security Center Web Server or on another server that is accessible for downloading from the device.

  6. Click Continue.
  7. In the Android enterprise profile settings window that opens, specify the following settings:
    1. In the EMM configuration section, enter the settings for connecting the device to Kaspersky Security Center in the Custom JSON data (as defined by EMM) field in the following format:

      {"serverAddress":"myServer.domain.com","serverPort":"12345","vsrv":"virtualServerID","groupName":"MOBILE GROUP","eulas":"cmFuZG9tYmFzZTY0c3RyaW5n"}

      The following fields of the JSON file are now supported:

      • serverAddress - the address of the Kaspersky Security Center.
      • serverPort - the number of the port for mobile device synchronization to the Administration Server via the specified address.
      • vsrv (optional) - the Virtual Administration Server.
      • groupName (optional) - the name of the subgroup in the Unassigned group.
      • eulas (optional) - the list of the accepted EULAs (an array of binary identifiers, 16 bytes long).

      The connectionString parameter is no longer supported for KME (Knox Mobile Enrollment).

    2. To install Kaspersky Endpoint Security for Android via Knox Mobile Enrollment, the mobile device user must accept the terms of the Samsung License Agreement. You can view the terms of the Samsung License Agreement in the Privacy Policy, EULAs and Terms of Service section. You can also add other legal documents of your company that are necessary for deploying a Knox profile by clicking the Add legal agreement button.
  8. Click the Save button.

As a result, the new Knox profile with the Kaspersky Endpoint Security for Android app will be added to the list in the KME console.
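
A pre-deployment check for the Custom JSON data string described in the procedure above. This is an added example, not part of the Kaspersky or Samsung documentation; the function name check_kme_json is hypothetical. It assumes that serverAddress and serverPort are required (the page marks only the other fields as optional), that all values are strings as in the page's sample, that serverAddress is a bare host name or IP address, and that eulas is base64-encoded as the sample suggests.

```python
import base64
import binascii
import json

REQUIRED = ("serverAddress", "serverPort")   # assumption: not marked optional on the page
OPTIONAL = ("vsrv", "groupName", "eulas")
REMOVED = ("connectionString",)              # page: no longer supported for KME


def _reject_duplicates(pairs):
    # json.loads silently keeps the last duplicate key; surface it instead.
    keys = [key for key, _ in pairs]
    dupes = sorted({key for key in keys if keys.count(key) > 1})
    if dupes:
        raise ValueError("duplicate field: " + ", ".join(dupes))
    return dict(pairs)


def check_kme_json(text):
    """Return a list of problems in a KME 'Custom JSON data' string ([] if clean)."""
    try:
        data = json.loads(text, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (position {exc.pos})"]
    except ValueError as exc:
        return [str(exc)]
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]

    problems = []
    for key in REMOVED:
        if key in data:
            problems.append(f"{key} is no longer supported for KME")
    for key in REQUIRED:
        if key not in data:
            problems.append(f"missing required field: {key}")
    for key, value in data.items():
        if key in REMOVED:
            continue
        if key not in REQUIRED + OPTIONAL:
            problems.append(f"unsupported field: {key}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"{key} must be a non-empty string")

    port = data.get("serverPort")
    if isinstance(port, str) and port.strip():
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append("serverPort must be a port number from 1 to 65535")

    address = data.get("serverAddress")
    if isinstance(address, str) and (
        "://" in address or any(ch.isspace() for ch in address)
    ):
        # Assumption: a bare host name or IP address, as in the page's sample.
        problems.append("serverAddress must not contain a URL scheme or whitespace")

    eulas = data.get("eulas")
    if isinstance(eulas, str) and eulas.strip():
        try:
            # Assumption: base64 encoding, inferred from the page's sample value.
            base64.b64decode(eulas, validate=True)
        except binascii.Error:
            problems.append("eulas is not valid base64")
    return problems


# The sample string from the page, and a constructed payload with several mistakes.
PAGE_SAMPLE = (
    '{"serverAddress":"myServer.domain.com","serverPort":"12345",'
    '"vsrv":"virtualServerID","groupName":"MOBILE GROUP",'
    '"eulas":"cmFuZG9tYmFzZTY0c3RyaW5n"}'
)
CONSTRUCTED_BAD = '{"connectionString":"x","serverPort":"70000","eulas":"not base64!"}'

if __name__ == "__main__":
    for name, payload in (("page sample", PAGE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, check_kme_json(payload) or "OK")
```

Running the check before saving the profile catches a malformed string in the console rather than on a factory-reset device that fails to connect to Kaspersky Security Center.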


Adding devices in Knox Mobile Enrollment

Devices can be added in the Knox Mobile Enrollment (KME) console in the following ways:

  • The vendor automatically adds devices in the KME console after the devices are purchased.
  • The administrator installs the Knox Deployment app from Google Play on their mobile device and migrates the Knox profile to users' devices using Bluetooth, Wi-Fi Direct, or a QR code.

After the device is reset to the factory settings, the Knox profile will be installed. After deployment of the Knox profile, the device will be automatically added in the KME console.

Adding a device through the Knox Deployment app

If you did not purchase your Samsung device from an official vendor, you can add the device to Knox Mobile Enrollment using Bluetooth, Wi-Fi Direct, or a QR code. This requires an administrator's mobile device, which is used to deliver Knox profiles to users' mobile devices.

To add devices using the Knox Deployment app, the following conditions must be met:

  • Depending on the selected delivery mode, Bluetooth or Wi-Fi must be enabled on the mobile devices.
  • The mobile devices must be connected to the internet.

To deliver a Knox profile using the Knox Deployment app:

  1. Install the Knox Deployment app from Google Play on the administrator's primary mobile device.
  2. Start the Knox Deployment app.
  3. Enter your Samsung account credentials to sign in.
  4. In the Knox Deployment window, configure the settings for deploying a Knox profile:
    1. In the Knox services section, select Knox Mobile Enrollment.
    2. Select the desired Knox profile from the list.
    3. Select the Deployment mode:
      • Bluetooth. Set the duration of Bluetooth connection and specify whether the Bluetooth connection is automatic or manual.

        When using Bluetooth, you can add a Knox profile to several devices at the same time.

      • Wi-Fi Direct. Specify whether the Wi-Fi Direct connection is automatic or manual. Then follow the instructions on the screen.
    4. Tap Start deployment.
  5. On the receiver device, draw a plus-sign (+) gesture on the Welcome window to initiate deployment.
  6. In the Knox Deployment menu that opens, select whether you want to use Bluetooth or Wi-Fi Direct to enroll a device:
    1. If you selected Bluetooth, approve the pairing request that appears on the primary device. Then the receiver device downloads the profile. Follow the instructions on the screen.

      After the Knox profile is installed, the new device will be added with the Bluetooth tag to the KME console.

    2. If you selected Wi-Fi Direct, follow the instructions on the screen.

      After the Knox profile is installed, the new device will be added with the Wi-Fi tag to the KME console.

  7. When the receiver device is configured, tap Finish deployment on the primary device in order to complete the enrollment.

After the device is reset to the factory settings, the Knox profile will be installed.

To deliver a Knox profile using a QR code:

  1. On the receiver device, draw a plus-sign (+) gesture on the Welcome window to initiate deployment.
  2. In the Knox Deployment menu that opens, select QR-code.
  3. In the KME Console, select the desired profile in the Profiles section.
  4. If there is no QR code next to the profile name, open the profile settings and click the Add a QR-code button on the second page.
  5. Follow the instructions on the screen and save the profile.

    The generated QR code appears near the profile name.

  6. Scan the QR code from the KME Console with the camera on the user's mobile device running Android 10 or later.

    After the Knox profile is installed, the new device with the QR-code tag will be added to the KME console.

After the device is reset to the factory settings, the Knox profile will be installed.

Adding a device through the vendor

Official vendors of Samsung devices can be registered in Samsung Knox. For the list of official vendors, visit the Samsung technical support website. The vendor automatically adds devices in the KME console for your Samsung account immediately after the devices are purchased. To have the devices added by the vendor, you must register the vendor in the KME console for your Samsung account. You will need a reseller ID to add the Samsung device vendor in the KME console. To receive the reseller ID, you must send a request to the vendor. In the request, specify your Knox client ID.

To view your Knox client ID:

  1. Sign in to the Samsung Knox console > Knox Mobile Enrollment.
  2. Select the Resellers section.
  3. Your ID is displayed in the Knox Customer ID field.

After you receive a response from the vendor with the reseller ID, register the vendor in the KME console. Prior to registering the vendor, you can create a Knox profile so that the profile can be automatically deployed when adding new devices.

To register an official vendor in the KME console:

  1. Sign in to the Samsung Knox console > Knox Mobile Enrollment.
  2. Select the Resellers section.
  3. Click the Register reseller button.

    The window for registering the device vendor opens.

  4. In the Reseller ID field, enter the ID received from the official Samsung device vendor.
  5. If you created a Knox profile, select the Knox profile in the vendor registration window.

    When you add new devices, the Knox profile is automatically installed.

    For more information about configuring other settings, please refer to the Samsung technical support website.

  6. Click OK.

The Samsung device vendor will be added to the list of vendors in the KME console.

After new devices are purchased from the official vendor, Kaspersky Endpoint Security for Android will be automatically installed on the devices after the devices are connected to the internet. For more details about working with Knox Mobile Enrollment, please refer to the Knox Mobile Enrollment User Guide. If you already have a list of devices in the KME console, add the Knox profile with the Knox app to the device.


Installing the app

Prior to installing Kaspersky Endpoint Security for Android, issue a mobile certificate for mobile device users in the Kaspersky Security Center Web Console. A mobile certificate is required for identifying the mobile device user in the Kaspersky Security Center Web Console.

To deliver the Knox profile to devices:

  1. Sign in to the Samsung Knox console > Knox Mobile Enrollment.
  2. Select Devices > All devices.
  3. Select the devices on which you want to install the Knox profile.

    The Device info window opens.

  4. In the Profiles list, select the Knox profile with Kaspersky Endpoint Security for Android.
  5. In the Tags field, enter tags for grouping and labeling devices, and for search optimization in the KME console.
  6. Enter the user account credentials of the device into the User ID and Password fields.

    Account credentials are required for receiving a mobile certificate. The user ID and password must match the user account credentials in Kaspersky Security Center (Name and Password in the user account properties).

    To receive a mobile certificate only with a password and without a login, enter the "DO_NOT_USE_LOGIN" value in the User ID field. Kaspersky Endpoint Security for Android will not use the login to request a certificate.

  7. Select the Knox profile for the remaining devices.
  8. Click the Save button.

After the device is reset to the factory settings, the Knox profile will be installed.

After deployment of the Knox profile is started, the APK installation file will be automatically downloaded on the mobile device. Installation of Kaspersky Endpoint Security for Android starts automatically. No additional configuration of the app is required. After the initial setup of the device is performed and the app is installed, synchronization with Kaspersky Security Center will be performed automatically. The mobile device will be added to the Kaspersky Security Center Web Console.


Configuring Knox

This section contains information about working with Knox on Samsung devices.

Knox is available only on Samsung devices running Android 6 or later.

In this section

Restricting SD card usage in Knox

Configuring VPN in Knox

Configuring an Exchange mailbox in Knox

Configuring APN in Knox

Configuring Firewall in Knox


Restricting SD card usage in Knox


Configure SD card restrictions to control usage of SD cards on the user's Samsung device that supports Knox.

To restrict SD card usage on a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. In the SD card settings section, specify the required restrictions:
    • Prohibit access to SD card

      This setting applies to devices with Android 5-12.

      Selecting or clearing this check box specifies whether access to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit writing to SD card

      Selecting or clearing this check box specifies whether writing to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit moving apps to SD card

      Selecting or clearing this check box specifies whether the device user is allowed to move apps to the SD card.

      This check box is cleared by default.

  7. In the Additional settings section, you can specify any additional restrictions:
    • Prohibit sending crash reports to Google

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, Kaspersky Endpoint Security for Android blocks sending crash reports to Google.

      If the check box is cleared, sending reports is allowed.

      This check box is cleared by default.

    • Prohibit developer mode

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, the device user is not allowed to enable developer mode on the device.

      If the check box is cleared, the user is allowed to enable developer mode on the device.

      This check box is cleared by default.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. SD card settings are now configured.


Configuring VPN in Knox

To securely connect an Android device to the internet and protect data transfer, you can configure VPN (Virtual Private Network) settings.

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements must be considered when using a virtual private network:

  • The app that uses the VPN connection must be allowed in the Firewall settings.
  • VPN settings configured in the policy cannot be applied to system apps. The VPN connection for system apps has to be configured manually.
  • Some apps that use a VPN connection need to have additional settings configured at first startup. To configure settings, a VPN connection has to be allowed in app settings.

To configure VPN on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Specify the following VPN settings:
    • Settings in the Network section:
      • In the Network name field, enter the name of the VPN tunnel.
      • In the Protocol drop-down list, select the VPN connection type:
        • IPSec Xauth PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server using the Xauth authentication utility.
        • L2TP IPSec PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server via the IKE protocol using a preset key. This protocol is selected by default.
        • PPTP. A "point-to-point" tunneling protocol that lets the mobile device user establish a secure connection to the VPN server by creating a special tunnel on a standard unsecured network.
      • In the Server address field, enter the network name or IP address of the VPN server.
    • Settings in the Protocol settings section:
      • In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

        You can specify several DNS search domains, separating them with blank spaces.

      • In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

        You can specify several DNS servers, separating them with blank spaces.

      • In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

        If a range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

  7. Additionally, configure the following settings:
    • For the IPSec Xauth PSK and L2TP IPSec PSK protocols:
      • In the IPSec shared key field, enter the password for the preset IPSec security key.
      • In the IPSec ID field, enter the name of the mobile device user.
    • For the L2TP IPSec PSK protocol, specify the password for the L2TP key in the L2TP key field.
    • For the PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring an Exchange mailbox in Knox

To work with corporate mail, contacts, and the calendar on the mobile device, you can configure the Exchange mailbox settings for the standard Samsung Email app.

An Exchange mailbox can be configured only for Samsung devices running Android 9 or earlier.

To configure an Exchange mailbox on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Exchange ActiveSync card, click Settings.

    The Exchange ActiveSync window opens.

  5. Enable the settings using the Exchange ActiveSync toggle switch.
  6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
  7. In the Domain name field, enter the name of the mobile device user's domain on the corporate network.
  8. In the Synchronization interval drop-down list, select the interval for mobile device synchronization with the Microsoft Exchange server.
  9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box. The SSL protocol uses encryption and certificate-based authentication for secure data transfer. This check box is selected by default.
  10. To use digital certificates to protect data transfer between the user's mobile device and the Microsoft Exchange server, select the Verify server certificate check box. The server certificate is verified to have been issued from the trusted root certificate. This check box is selected by default.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring APN in Knox

APN can be configured only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile operator. Incorrect access point settings may result in additional mobile charges.

To configure the Access Point Name (APN) settings on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the APN settings card, click Settings.

    The APN settings window opens.

  5. Enable the settings using the APN settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Specify the following access point settings for connecting the user to the data service:
    • In the APN type drop-down list, select the type of access point (APN) for data transmission on a GPRS/3G/4G mobile network:
      • Internet. Connection of the user's mobile device to the internet.
      • MMS. Exchange of MMS multimedia messages.
      • Internet and MMS. Connection to the internet and exchange of multimedia messages. This is the default value.
    • In the APN name field, specify the name of the access point.
    • In the MCC field, enter the mobile country code (MCC).
    • In the MNC field, enter the mobile network code (MNC).
  7. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS server settings in the MMS server section:
    • In the MMS server name field, specify the full domain name of the mobile carrier's server used for MMS exchange (for example, mms.mobile.com).
    • In the MMS proxy server address field, specify the network name or IP address of the proxy server.
    • In the MMS proxy server port field, specify the port number of the mobile carrier's server used for MMS exchange.
  8. In the Authentication section, specify the authentication settings:
    • In the Authentication type drop-down list, select the type of authentication of the mobile device user that will be used on the mobile carrier's server for network access. By default, user authentication is not required. The following types are available:
      • None. User authentication is not required to access the mobile network.
      • PAP (Password Authentication Protocol). An authentication protocol that uses passwords as plain non-encrypted text.
      • CHAP (Challenge Handshake Authentication Protocol). A request-response authentication protocol that uses standard MD5 hashing to encrypt the response.
      • Concurrently. Combined use of CHAP and PAP protocols.
    • In the User name field, enter the user name for authorization on the mobile network.
    • In the Password field, enter the password for user authorization on the mobile network.
  9. In the Network section, specify the following network settings:
    • In the Network name field, enter the name of the network.
    • In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
  10. In the Proxy server section, specify the following proxy server settings:
    • Select the Use a proxy server check box to enable the use of a proxy server. This check box is cleared by default.
    • In the Proxy server address field, specify the network name or IP address of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
    • In the Proxy server port field, specify the port number of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring Firewall in Knox

Configure Firewall settings to monitor network connections on the user's mobile device.

Firewall can be configured only for Samsung devices.

To configure Firewall on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) > Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Firewall card, click Settings.

    The Firewall window opens.

  5. Enable the settings using the Firewall toggle switch.
  6. In the Internet access drop-down list, select the Firewall mode. Depending on its operating mode, Firewall monitors connections established by the user's mobile device:
    • If you want to allow inbound and outbound connections of all installed apps, select Allow for all apps. This mode is selected by default.
    • If you want to block all network activity except for several specified apps, select Allow for listed apps.
  7. If you selected Allow for listed apps as the Firewall mode, create a list of apps for which all network activity is allowed:
    1. In the Apps with internet access section, click Add.

      The Add app window opens.

    2. In the App name field, enter the name of the mobile app.
    3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
    4. Click Add.

    The new app for which Firewall is disabled appears in the list.

    You can modify or delete mobile apps in the list using the Edit and Delete buttons at the top of the list.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
