Kaspersky Secure Mobility Management

Configuring Knox

This section contains information about working with Knox on Samsung devices.

Knox is available only on Samsung devices running Android 6 or later.

In this section

Restricting SD card usage in Knox

Configuring VPN in Knox

Configuring an Exchange mailbox in Knox

Configuring APN in Knox

Configuring Firewall in Knox


Restricting SD card usage in Knox


Configure SD card restrictions to control usage of SD cards on the user's Samsung device that supports Knox.

To restrict SD card usage on a mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Device feature restrictions card, click Settings.

    The Device feature restrictions window opens.

  5. Enable the settings using the Device feature restrictions toggle switch.
  6. In the SD card settings section, specify the required restrictions:
    • Prohibit access to SD card

      This setting applies to devices with Android 5-12.

      Selecting or clearing this check box specifies whether access to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit writing to SD card

      Selecting or clearing this check box specifies whether writing to the SD card is disabled or enabled on the device.

      This check box is cleared by default.

    • Prohibit moving apps to SD card

      Selecting or clearing this check box specifies whether the device user is allowed to move apps to the SD card.

      This check box is cleared by default.

  7. In the Additional settings section, you can specify any additional restrictions:
    • Prohibit sending crash reports to Google

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, Kaspersky Endpoint Security for Android blocks sending crash reports to Google.

      If the check box is cleared, sending reports is allowed.

      This check box is cleared by default.

    • Prohibit developer mode

      This setting applies to devices running Android 11 or earlier.

      If the check box is selected, the device user is not allowed to enable developer mode on the device.

      If the check box is cleared, the user is allowed to enable developer mode on the device.

      This check box is cleared by default.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. SD card settings are now configured.


Configuring VPN in Knox

To securely connect an Android device to the internet and protect data transfer, you can configure VPN (Virtual Private Network) settings.

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements must be considered when using a virtual private network:

  • The app that uses the VPN connection must be allowed in the Firewall settings.
  • VPN settings configured in the policy cannot be applied to system apps. The VPN connection for system apps has to be configured manually.
  • Some apps that use a VPN connection need to have additional settings configured at first startup. To configure settings, a VPN connection has to be allowed in app settings.

To configure VPN on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Specify the following VPN settings:
    • Settings in the Network section:
      • In the Network name field, enter the name of the VPN tunnel.
      • In the Protocol drop-down list, select the VPN connection type:
        • IPSec Xauth PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server using the Xauth authentication utility.
        • L2TP IPSec PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server via the IKE protocol using a preset key. This protocol is selected by default.
        • PPTP. A "point-to-point" tunneling protocol that lets the mobile device user establish a secure connection to the VPN server by creating a special tunnel on a standard unsecured network.
      • In the Server address field, enter the network name or IP address of the VPN server.
    • Settings in the Protocol settings section:
      • In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

        You can specify several DNS search domains, separating them with blank spaces.

      • In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

        You can specify several DNS servers, separating them with blank spaces.

      • In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

        If a range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

  7. Additionally, configure the following settings:
    • For the IPSec Xauth PSK and L2TP IPSec PSK protocols:
      • In the IPSec shared key field, enter the password for the preset IPSec security key.
      • In the IPSec ID field, enter the name of the mobile device user.
    • For the L2TP IPSec PSK protocol, specify the password for the L2TP key in the L2TP key field.
    • For the PPTP network, select the Use SSL connection check box so that the app will use the MPPE (Microsoft Point-to-Point Encryption) method of data encryption to secure data transmission when the mobile device connects to the VPN server.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
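
The VPN requirements and protocol-dependent fields above can be checked before the values are entered in the console. This is an added example, not Kaspersky code: the dictionary layout, the function names and the sample values are assumptions, and only the field labels, defaults and rules come from this section.

```python
import ipaddress
import re

# Keys mirror the field labels in the VPN window. The dict layout is an
# assumption made for this example, not a Kaspersky export format.
PSK_PROTOCOLS = {"IPSec Xauth PSK", "L2TP IPSec PSK"}
# Network name: dot-separated labels, the last one starting with a letter.
NAME = re.compile(r"^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)*[a-z]([a-z0-9-]*[a-z0-9])?$", re.I)

def is_host(value):
    """True for an IP address or a syntactically valid network name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(NAME.match(value))

def check_vpn(vpn, firewall_mode, firewall_packages, vpn_packages):
    """Return a list of findings for a planned VPN card configuration."""
    findings = []
    proto = vpn.get("Protocol", "L2TP IPSec PSK")  # default per the page
    if proto not in PSK_PROTOCOLS | {"PPTP"}:
        findings.append(f"Protocol: unsupported value {proto!r}")
    if not vpn.get("Network name", "").strip():
        findings.append("Network name: empty")
    if not is_host(vpn.get("Server address", "")):
        findings.append("Server address: not an IP address or network name")
    for server in vpn.get("DNS server(s)", "").split():  # space-separated
        if not is_host(server):
            findings.append(f"DNS server(s): bad entry {server!r}")
    if not vpn.get("Routing", "").strip():
        findings.append("Routing: empty, all internet traffic passes through the VPN")
    if proto in PSK_PROTOCOLS:
        for field in ("IPSec shared key", "IPSec ID"):
            if not vpn.get(field):
                findings.append(f"{field}: empty for {proto}")
    if proto == "L2TP IPSec PSK" and not vpn.get("L2TP key"):
        findings.append("L2TP key: empty for L2TP IPSec PSK")
    if proto == "PPTP" and not vpn.get("Use SSL connection", False):
        findings.append("Use SSL connection: cleared, so MPPE is not used")
    if firewall_mode == "Allow for listed apps":  # VPN apps must be allowed
        for pkg in sorted(set(vpn_packages) - set(firewall_packages)):
            findings.append(f"Firewall: {pkg} uses the VPN but is not listed")
    return findings

if __name__ == "__main__":  # constructed sample values
    planned = {"Protocol": "PPTP", "Network name": "Corp VPN",
               "Server address": "vpn.example.com", "Routing": ""}
    print(check_vpn(planned, "Allow for listed apps", ["com.example.mail"], ["com.example.crm"]))
```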


Configuring an Exchange mailbox in Knox

To work with corporate mail, contacts, and the calendar on the mobile device, you can configure the Exchange mailbox settings for the standard Samsung Email app.

An Exchange mailbox can be configured only for Samsung devices running Android 9 or earlier.

To configure an Exchange mailbox on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Exchange ActiveSync card, click Settings.

    The Exchange ActiveSync window opens.

  5. Enable the settings using the Exchange ActiveSync toggle switch.
  6. In the Server address field, enter the IP address or DNS name of the server hosting the mail server.
  7. In the Domain name field, enter the name of the mobile device user's domain on the corporate network.
  8. In the Synchronization interval drop-down list, select the interval for mobile device synchronization with the Microsoft Exchange server.
  9. To use the SSL (Secure Sockets Layer) data transport protocol, select the Use SSL connection check box. The SSL protocol uses encryption and certificate-based authentication for secure data transfer. This check box is selected by default.
  10. To use digital certificates to protect data transfer between the user's mobile device and the Microsoft Exchange server, select the Verify server certificate check box. The server certificate is verified to have been issued from the trusted root certificate. This check box is selected by default.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring APN in Knox

APN can be configured only for Samsung devices.

A SIM card must be inserted to be able to use an access point on the user's mobile device. Access point settings are provided by the mobile operator. Incorrect access point settings may result in additional mobile charges.

To configure the Access Point Name (APN) settings on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the APN settings card, click Settings.

    The APN settings window opens.

  5. Enable the settings using the APN settings toggle switch.

    The toggle switch in this card does not enable or disable the corresponding functionality on devices. Enabling the toggle switch lets you configure custom settings. Disabling the toggle switch lets you use default settings.

  6. Specify the following access point settings for connecting the user to the data service:
    • In the APN type drop-down list, select the type of access point (APN) for data transmission on a GPRS/3G/4G mobile network:
      • Internet. Connection of the user's mobile device to the internet.
      • MMS. Exchange of MMS multimedia messages.
      • Internet and MMS. Connection to the internet and exchange of multimedia messages. This is the default value.
    • In the APN name field, specify the name of the access point.
    • In the MCC field, enter the mobile country code (MCC).
    • In the MNC field, enter the mobile network code (MNC).
  7. If you have selected MMS or Internet and MMS as the type of access point, specify the following additional MMS server settings in the MMS server section:
    • In the MMS server name field, specify the full domain name of the mobile carrier's server used for MMS exchange (for example, mms.mobile.com).
    • In the MMS proxy server address field, specify the network name or IP address of the proxy server.
    • In the MMS proxy server port field, specify the port number of the mobile carrier's server used for MMS exchange.
  8. In the Authentication section, specify the authentication settings:
    • In the Authentication type drop-down list, select the type of authentication of the mobile device user that will be used on the mobile carrier's server for network access. By default, user authentication is not required. The following types are available:
      • None. User authentication is not required to access the mobile network.
      • PAP (Password Authentication Protocol). An authentication protocol that uses passwords as plain non-encrypted text.
      • CHAP (Challenge Handshake Authentication Protocol). A request-response authentication protocol that uses standard MD5 hashing to encrypt the response.
      • Concurrently. Combined use of CHAP and PAP protocols.
    • In the User name field, enter the user name for authorization on the mobile network.
    • In the Password field, enter the password for user authorization on the mobile network.
  9. In the Network section, specify the following network settings:
    • In the Network name field, enter the name of the network.
    • In the Server address field, specify the network name of the mobile carrier's server through which data transmission services are accessed.
  10. In the Proxy server section, specify the following proxy server settings:
    • Select the Use a proxy server check box to enable the use of a proxy server. This check box is cleared by default.
    • In the Proxy server address field, specify the network name or IP address of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
    • In the Proxy server port field, specify the port number of the mobile carrier's proxy server for network access. This field is available only if the Use a proxy server check box is selected.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring Firewall in Knox

Configure Firewall settings to monitor network connections on the user's mobile device.

Firewall can be configured only for Samsung devices.

To configure Firewall on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the Firewall card, click Settings.

    The Firewall window opens.

  5. Enable the settings using the Firewall toggle switch.
  6. In the Internet access drop-down list, select the Firewall mode. Depending on its operating mode, Firewall monitors connections established by the user's mobile device:
    • If you want to allow inbound and outbound connections of all installed apps, select Allow for all apps. This mode is selected by default.
    • If you want to block all network activity except for several specified apps, select Allow for listed apps.
  7. If you selected Allow for listed apps as the Firewall mode, create a list of apps for which all network activity is allowed:
    1. In the Apps with internet access section, click Add.

      The Add app window opens.

    2. In the App name field, enter the name of the mobile app.
    3. In the Package name field, enter the system name of the mobile app package (for example, com.mobileapp.example).
    4. Click Add.

    The new app for which Firewall is disabled appears in the list.

    You can modify or delete mobile apps in the list using the Edit and Delete buttons at the top of the list.

  8. Click OK.
  9. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.
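
The Android version limits stated in the sections above decide which devices a Knox setting actually reaches, so a policy can be enabled and still leave part of a fleet uncovered. The sketch below is an added example, not Kaspersky code: the inventory, its field names and the function names are assumptions, and applying the general Knox requirement (Samsung, Android 6 or later) to every setting is this example's reading of the page.

```python
# Android version limits as stated on this page: (lowest, highest) major
# version, None where the page gives no bound for that direction.
LIMITS = {
    "Prohibit access to SD card": (5, 12),
    "Prohibit sending crash reports to Google": (None, 11),
    "Prohibit developer mode": (None, 11),
    "VPN": (None, 11),
    "Exchange ActiveSync": (None, 9),
    "APN settings": (None, None),
    "Firewall": (None, None),
}
KNOX_MIN_ANDROID = 6  # Knox: Samsung devices running Android 6 or later

def applies(setting, vendor, android):
    """True if the page's stated limits allow this setting on the device."""
    if vendor.lower() != "samsung" or android < KNOX_MIN_ANDROID:
        return False
    low, high = LIMITS[setting]
    return (low is None or android >= low) and (high is None or android <= high)

def coverage_gaps(enabled_settings, inventory):
    """Map each enabled setting to the devices it will not take effect on."""
    gaps = {}
    for setting in enabled_settings:
        missed = sorted(d["name"] for d in inventory
                        if not applies(setting, d["vendor"], d["android"]))
        if missed:
            gaps[setting] = missed
    return gaps

# Constructed inventory; the field names are assumptions for this example.
INVENTORY = [
    {"name": "tab-01", "vendor": "Samsung", "android": 9},
    {"name": "phone-02", "vendor": "Samsung", "android": 11},
    {"name": "phone-03", "vendor": "Samsung", "android": 13},
    {"name": "phone-04", "vendor": "Google", "android": 13},
]

if __name__ == "__main__":
    for setting, devices in coverage_gaps(list(LIMITS), INVENTORY).items():
        print(f"{setting}: not applied on {', '.join(devices)}")
```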
