Managing the Samsung KNOX Container with SAP Afaria

SAP has been a long-time partner of Samsung, so it only makes sense that we’ve extended our partnership again to offer the most scalable and widely-deployed Android mobile security and management solution – this time for Samsung KNOX.

Recently, SAP announced a few things related to the launch of KNOX. First, we have half a dozen mobile apps already approved and in the Samsung container, and second, SAP Afaria can manage the container. The apps are listed on the SAP Samsung KNOX apps website. For the rest of this blog I’ll focus on MDM (mobile device management) of the KNOX container.

Samsung provides a complete set of features that can be managed by an MDM solution. These features include:

  • Enterprise license management
  • Container creation & configuration
  • The ability to set container policies
  • KNOX-specific inventory reporting

There are over 180 features that can be enabled and disabled. They fall into three main categories and a few of the most interesting ones are highlighted below. If you want even more detail, I’m pleased to share a video recorded by SAP Afaria Product Manager Bryan Whitmarsh. It’s about 20 minutes long and can be viewed on-demand at your convenience.

In summary, the new Samsung KNOX functionality provides complete separation between personal and business data on a single device. Effectively, your device becomes a device with a “split-personality”. You can log in to the business side of the device (the container) and find apps that are guaranteed secured. The personal side of the device isn’t regulated by the strict guidelines, and isn’t managed.

KNOX features you may be interested in include:

Firewall Policies: You have both IP-based and URL-based firewall control of the KNOX container.

Premium FIPS VPN: You can configure the VPN to apply to all applications in the container or apply to only specific applications in the container. This supports FIPS mode, which is very important to any public sector organization looking to use Android.

Certificate Management: You can completely manage the entire lifecycle of your certificates inside the KNOX container, including trusted and untrusted support, revocation, renewals, etc.

KNOX Attestation: This is one that’s new to me, but it’s a pretty cool feature that provides boot tampering protection. You can complete a posture check for the device prior to container creation. It validates that the device has not been tampered with, and an administrator can decide to block containers on a fail condition.

Application security: Only KNOX signed apps can run in the KNOX container. This ensures that security policies are safe inside the container. Apps need to be submitted to and approved by Samsung. There is a Samsung process to “wrap” the application for use in the container.

Whitelist and Blacklist support: You can build an exception list, allow only specific applications and block specific applications inside the container.

Single Sign On: Single sign-on support for applications within the KNOX persona.

Restriction Control: You can configure policies and enable or disable the camera, share list, custom keyboards, etc.

The items listed above are only a few of the hundreds of features of Samsung KNOX that can be managed by SAP Afaria. To learn more, please watch the 20-minute on-demand webinar that dives into more detail.

To test out SAP Afaria for Samsung KNOX, sign up for a free trial of the award-winning SAP Afaria, cloud edition solution. The website is and the version of the software that supports KNOX will be made available in November.

If you’re planning to be at SAP TechEd October 21-25 in Las Vegas, you can meet our KNOX experts, Bryan Whitmarsh and James Naftel, at the SAP Mobile Secure booth. Read more in my SAP Mobile Secure at TechEd blog. We’ll also be onsite at the Samsung Developer Conference October 27-29 in San Francisco.

  • Hello. I wonder where I can find information on how a Samsung KNOX device enrolls with Afaria MDM On-premises?

    I connected my device, a Samsung S5 (Android version - 5.0, KNOX 2.3, Standard SDK 5.3.0, Premium SDK 2.3.0, Customization SDK 2.0.0, Container 2.3.0, TIMA 3.0, VPN 2.2.0), but I am stuck before the KNOX client download.

    I have done the following steps:

    1. Using the Afaria Self-Service Portal (Afaria version 7.00.6662.0 SP5), I registered the Samsung S5 device.
    2. The Afaria client (version 6.60.7820.0.sp5 Afaria70_CR31), afaria. Enrollment.eaef, was automatically downloaded and installed on the smartphone.
    3. On my Afaria server I created Security Policies for KNOX and attached these policies to the device. I stopped at the step ‘checking the license Knox completed’. The KNOX client is not downloaded automatically.

    So I have some questions:

    1. Perhaps the problem is in the KNOX policies? If so, can you provide the steps and which policies should be attached (with screenshots, please)?
    2. Maybe I need to download the KNOX client on my own, e.g. from Google Play?
    3. I’m interested in links (e.g., on SCN) that describe step by step how to enroll KNOX with Afaria, as well as a video showing the activation steps, please.

    Thank You.