White Paper: Samsung KNOX Value Proposition in the BYOD/COPE Market
- Noah Hawkins
- 10 years ago
September 2013
Enterprise Mobility Solutions
Samsung Electronics Co., Ltd.
Contents

- Acronyms
- BYOD and COPE: The New Norm?
  - What
- Introducing Samsung KNOX
- An Overview of KNOX Security
  - Secure Boot
  - TIMA
  - SE for Android
  - ODE
  - VPN
  - FIPS-Compliant Data Protection
  - Per-App VPN
- KNOX Application Containers
- How KNOX Addresses the
  - Providing Secure Mobile Access to a New Employee
    - Secure Access Via Intranet
    - Secure Access to SaaS Apps
  - Ensuring Security of Enterprise Data on the Mobile Device
    - Preventing File Security Data Leakage
    - Preventing Copy and Paste Data Leakage
    - Secure App Data on a Device
    - Use of Smart Card Authentication
    - Ensuring Device Integrity
  - Improving Employee Productivity from a Mobile Device
    - Enabling SSO for Mobile Apps
    - Dual Persona in BYOD and COPE
  - Protecting Against a Temporarily Missing Device
  - Terminating Mobile Access when an Employee Leaves
  - Recovering from a Stolen Device
- Summary
- Additional Resources
- About Samsung Electronics Co., Ltd.
Acronyms

- AES: Advanced Encryption Standard
- BYOD: Bring Your Own Device
- CAC: U.S. Common Access Card
- COPE: Corporate owned, personally enabled
- DAR: Data-at-Rest
- DoD: U.S. Department of Defense
- FIPS: Federal Information Processing Standard
- IKE: Internet Key Exchange
- MAC: Mandatory Access Control
- MDM: Mobile Device Manager
- NIST: National Institute of Standards and Technology (US)
- NSA: National Security Agency
- ODE: On Device Encryption
- PBKDF2: Password-Based Key Derivation Function 2
- ROM: Read-Only Memory
- SaaS: Software as a Service
- SE for Android: Security Enhancements for Android
- SE Linux: Security-Enhanced Linux
- SSO: Single Sign-On
- TIMA: TrustZone-based Integrity Measurement Architecture
- VPN: Virtual Private Network
"A successful BYOD or COPE program requires a strong, secure, yet flexible device security architecture."

BYOD and COPE: The New Norm?

Once smartphones began entering the marketplace in 2007, it was only a matter of time before programs like Bring Your Own Device (BYOD) and the subsequent Corporate-Owned, Personally Enabled (COPE) began to arise. With the desire for employees to be responsive to customers and colleagues 24/7, new technologies have provided employees the ability to access corporate databases, attend real-time company videoconferences, and view presentations, all with their mobile device.

BYOD refers to employees who take their personal device (smartphone, laptop or tablet) to work to connect to a corporate network in order to securely access company information. COPE, on the other hand, takes the opposite approach by allowing employees to put personal data on a company-owned, corporate liable (CL) work device of their choice. Essentially a morphing of BYOD and CL, COPE arose as an alternative offering for companies with concerns over potential security risks using BYOD in their organization.

Some of the benefits both programs offer include:

BYOD:
IT:
- Can shift costs to employee
- Not responsible for maintenance and upkeep of device
Employee:
- Can use device of choice
- Improvement in efficiency and productivity

COPE:
IT:
- Selects preferred device(s)
- Selects cost-sharing model
Employee:
- Devices kept up-to-date by IT
- Have support of IT

What

Mixing personal and business applications and data has the potential to introduce malware such as viruses that can infect devices and potentially lead to corporate data being compromised. In addition, devices with sensitive corporate data on them may be lost or stolen. As a result, for a BYOD or COPE program to even be considered by an enterprise company, let alone be successful, a strong, secure, yet flexible device security architecture is required.
One that gives enterprise IT administrators the power to control and protect their company's assets, while at the same time preserving a user's personal data and information.

At a minimum, an enterprise company would expect the following requirements to be met before implementing a BYOD or COPE program with their employees:

- Providing secure mobile access to a new employee
- Securing corporate interests
- Ensuring employee privacy
- Improving employee productivity from a mobile device
- Securing a lost or missing device

Samsung KNOX meets each of these requirements.
"Samsung KNOX was developed to provide a more compelling and secure enterprise experience."

Introducing Samsung KNOX

Samsung KNOX is a new Android-based mobile solution designed specifically to satisfy enterprise requirements. Samsung KNOX retains full compatibility with Android and the Google ecosystem while integrating fundamental security and management enhancements. All of these advantages make Samsung KNOX the perfect choice for both regulated and general enterprise environments.

Samsung KNOX features one of the most comprehensive sets of Mobile Device Management (MDM) capabilities available. Samsung KNOX, combined with its unique application container technology, enables enterprises to support BYOD, COPE, and Corporate-Liable models without compromising corporate security or employee privacy.

In addition, Samsung KNOX is US Government and Department of Defense (DoD) approved for compliance with initiatives, requirements and standards for mobile device security to enable its use in government and other highly regulated enterprise environments.

Note: This document discusses how Samsung KNOX can benefit an enterprise market. For more information on the Samsung KNOX platform itself, refer to the An Overview of Samsung KNOX white paper.
"KNOX addresses security at the operating system level in a comprehensive strategy."

An Overview of KNOX Security

Security is perhaps the most significant factor that will determine the success of BYOD and COPE. Samsung KNOX incorporates the following security functions that will help provide a more secure environment for these platforms:

- Trusted Boot
- TrustZone-based Integrity Measurement Architecture (TIMA)
- Security Enhancements for Android (SE for Android)
- On-Device Encryption (ODE)
- VPN

Trusted Boot, TIMA and SE for Android form the first line of defense against malicious attacks on the kernel and core bootstrap processes.

Trusted Boot

Secure Boot is a security mechanism that prevents unauthorized boot loaders and operating systems from loading during the startup process. Firmware images, such as operating systems and other system components, that are cryptographically signed by known, trusted authorities are considered authorized firmware. Nevertheless, Secure Boot is limited in that the evidence of authorized firmware is not preserved after the system boot. Furthermore, in some markets, due to the need to give consumers the freedom to put custom Android OS images on their devices, Secure Boot is not extended to the OS kernel. As a result, there is no guarantee for enterprise users that their Android system is enforcing OS-level security protection, such as SE for Android, which is essential for protecting enterprise apps and data.

Samsung KNOX implements Trusted Boot to address these limitations of Secure Boot. Trusted Boot provides recorded evidence of firmware running on the device in the form of measurements stored securely in TrustZone. At system run time, TrustZone applications on the KNOX platform will use these measurements to make security-critical decisions, such as verifying the release of security keys, container activation, etc.
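The difference between the two mechanisms described above can be modelled in a few lines. The following is an added example, not Samsung's code: the hash-extend register, the digest allow-list standing in for signature verification, and every name and image in it are assumptions made for illustration, since the paper does not say how KNOX computes or stores its measurements.

```python
import hashlib
import hmac


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def secure_boot(stages, trusted_digests, covered):
    """Load-time gate only: checks the stages it covers and returns pass/fail.
    Nothing about what was loaded survives the boot. (A digest allow-list
    stands in for signature verification; this is a simplification.)"""
    return all(digest(img) in trusted_digests
               for name, img in stages if name in covered)


def trusted_boot(stages):
    """Measure every stage and fold it into a running register
    (hash-extend), keeping a per-stage log as evidence for later use."""
    register = bytes(32)
    log = []
    for name, image in stages:
        d = hashlib.sha256(image).digest()
        log.append((name, d.hex()))
        register = hashlib.sha256(register + d).digest()
    return register, log


class SecureWorldApp:
    """Hypothetical stand-in for a TrustZone application that releases a
    container key only when the boot measurements match the expected value."""

    def __init__(self, expected_register: bytes, container_key: bytes):
        self._expected = expected_register
        self._key = container_key

    def release_key(self, measured_register: bytes):
        if hmac.compare_digest(measured_register, self._expected):
            return self._key
        return None


def first_divergence(log, reference_log):
    """Name of the first stage whose measurement differs from the reference."""
    for (name, d), (_, ref) in zip(log, reference_log):
        if d != ref:
            return name
    return None


# Constructed sample images; real firmware images would be read from flash.
STOCK = [("bootloader", b"constructed bootloader v1"),
         ("kernel", b"constructed stock kernel"),
         ("system", b"constructed system image")]
CUSTOM = [STOCK[0], ("kernel", b"constructed custom kernel"), STOCK[2]]
TRUSTED = {digest(img) for _, img in STOCK}
COVERED = {"bootloader"}  # Secure Boot not extended to the OS kernel
CONTAINER_KEY = b"constructed-container-key"


def run_demo(stages):
    booted = secure_boot(stages, TRUSTED, COVERED)
    register, log = trusted_boot(stages)
    reference, reference_log = trusted_boot(STOCK)
    app = SecureWorldApp(reference, CONTAINER_KEY)
    return {"booted": booted,
            "key": app.release_key(register),
            "diverged_at": first_divergence(log, reference_log)}


if __name__ == "__main__":
    print("stock :", run_demo(STOCK))
    print("custom:", run_demo(CUSTOM))
```

With the custom kernel the device still boots, because Secure Boot does not cover that stage, but the recorded measurement no longer matches and the key is withheld.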
TIMA

KNOX utilizes SE for Android (Security Enhancements for Android) to enforce Mandatory Access Control (MAC) policies to isolate applications and data within the platform. SE for Android, however, relies on the assumption of OS kernel integrity. If the Linux kernel is compromised (by a perhaps as yet unknown future vulnerability), SE for Android security mechanisms could potentially be disabled and rendered ineffective.

Samsung's TrustZone-based Integrity Measurement Architecture (TIMA) was developed to close this vulnerability. Introduced in Samsung KNOX as a unique feature on Samsung mobile devices, TIMA uses ARM TrustZone hardware and provides continuous integrity monitoring of the Linux kernel. The ARM TrustZone hardware effectively partitions memory and CPU resources into a secure and non-secure world. TIMA runs in the secure world and cannot be disabled, while the SE for Android Linux kernel runs in the non-secure world.

When TIMA detects that the integrity of the kernel or the boot loader is violated, it responds with a policy-driven action. One of the policy actions disables the kernel and powers down the device.
SE for Android

Security-Enhanced Linux (SE Linux) is a technology invented by the NSA in 2000 and has long been established as the standard for securing enterprise Linux assets. Samsung R&D teams have worked very closely with the NSA to port and integrate this technology into Android. This port of SE Linux to Android is commonly referred to as Security Enhancements for Android, or SE for Android.

SE for Android provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements. This additional security, on top of Linux, reduces threats of tampering and bypassing of application security mechanisms. It also minimizes the amount of damage that can be caused by malicious or flawed applications, as applications are provided the minimum amount of permission required for their task.

ODE

The On-device Encryption (ODE) feature allows users and enterprise IT administrators to encrypt data on the entire device, as well as any configured Samsung KNOX Container. The ODE feature on Samsung devices uses a Federal Information Processing Standard (FIPS) certified Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key (AES-256) and offers the levels of security required by government and regulated industries such as healthcare and finance. The encryption feature spans both internal storage (system partition and internal SD card) as well as any user-installed external SD card.

Note: KNOX Container data cannot be stored on an external SD card.

VPN

Samsung KNOX offers a high level of comprehensive support for an enterprise virtual private network (VPN). This enables businesses to offer their employees an optimized, secure path to the enterprise intranet from their BYOD or corporate-issued device.
FIPS-Compliant Data Protection

KNOX VPN is FIPS certified, enabling its use in regulated environments like government, healthcare, and finance, and offers broad support for the IPSec protocol suite:

- Internet Key Exchange (IKE and IKEv2)
- Triple DES (56/168-bit), AES (128/256-bit) encryption
- Split tunneling mode
- NSA Suite B Cryptography

Per-App VPN

Another distinguishing feature of KNOX VPN is the ability for enterprise IT administrators to configure, provision, and manage the use of VPN on a per-application basis. This capability allows the enterprise to automatically enforce the use of VPN only on a specific set of corporate applications. This has the benefit of ensuring that enterprise data is communicated on a secure connection while keeping the user's personal data from overloading the company's Internet connection. In addition, the per-app VPN feature allows personal-use applications to bypass the VPN and connect directly to the Internet, preserving the user's privacy. The per-app VPN capability is also available for applications within a KNOX Container.

Other features of a KNOX VPN implementation include:

- Up to 5 simultaneous VPN connections
- RSA SecurID support for Cisco VPN gateways
- Common Access Card (CAC) support for government use
"KNOX provides enterprises the ability to create and manage a secure Container within their employee's personal mobile device."

KNOX Application Containers

A Samsung KNOX Container is a virtual Android environment within a mobile device, complete with its own home screen, launcher, applications, and widgets. Applications and data inside the Container are isolated from applications outside of it (a user's personal area), making this an ideal solution for companies that wish to implement a BYOD or COPE program for their employees. Likewise, applications inside the Container generally do not have the ability to interact with applications or access data outside the Container. However, some applications inside the Container can be granted read-only access to data outside the Container via a policy configuration.

For example, photos taken from the camera inside the Container won't be viewable from the Gallery outside the Container in a user's personal area. Likewise, any contacts or bookmarks created outside the Container won't be available inside the Container. The same applies to calendar events and copying/pasting.

[Figure: A Samsung KNOX Container]

This total isolation of applications and data within the Container provides a solution for the data leakage associated with the BYOD model. Data leakage occurs when a user sends sensitive or critical information outside of the corporate network via a personal account, social network site, or public cloud storage system. Read more on data leakage in the "Ensuring Security of Enterprise Data on a Mobile Device" section of this document.

KNOX allows a Work Container to be set up for corporate applications such as email, calendar, browser, and storage clients.
The Container will ensure that any data downloaded from the enterprise, such as attachments and files, cannot be accessed by applications outside the Container. All the data stored by applications inside the Container are encrypted via strong encryption algorithms (AES-256). A password is required to gain access to applications inside the Container.

A KNOX Container is deeply integrated into the native Android platform. This deep integration enables a superior user experience that clearly separates the two environments to minimize user confusion, preserves the Android navigation paradigm in each environment for consistency, and provides a unified but privacy-aware view of notifications and active applications for efficiency. Furthermore, the deep integration allows the KNOX Container to execute at the system level and leverage additional security and isolation guarantees provided by SE for Android.
"Enterprises can customize KNOX to meet their specific mobility needs."

How KNOX Addresses the

The customizability of Samsung KNOX enables enterprises to tailor the deployment of KNOX to meet specific mobility needs. The following sections discuss typical enterprise use cases for mobility and how KNOX can address them.

- Providing secure mobile access to a new employee
- Ensuring security of enterprise data on the mobile device
- Improving employee productivity from a mobile device
- Protecting against a temporarily missing device
- Terminating mobile access when an employee quits

Providing Secure Mobile Access to a New Employee

The KNOX Container technology enables enterprises to create a secure zone within the device to host enterprise apps and data. The concept of a work zone is valuable in both BYOD and COPE environments. In BYOD environments, employees feel secure about their personal apps and data as the enterprise manages the Container representing the work zone and not the device. In COPE environments the enterprise can open up the corporate-issued device to employees, allowing them to install applications for personal use on the device, while maintaining full control of business apps and data in the work zone.

Examples of KNOX features that enable this use case are:

- Remote Container creation
- Remote provisioning of the Exchange account inside the Container
- Remotely installing any custom enterprise applications

These features are available as a result of KNOX providing the following:

- Secure access via intranet
- Secure access to SaaS apps
Secure Access Via Intranet

Secure mobile access to server-based enterprise applications is a fundamental mobility requirement for the enterprise market, as compliance regulations and other factors require protection of data while in transit. In addition, Virtual Private Network (VPN) access is crucial for personnel who travel or do field work, as data must be secure when using both cellular and Wi-Fi connectivity.

As a result, KNOX VPN is FIPS certified with NSA Suite B algorithms. Suite B is a set of cryptographic algorithms that serve as an interoperable cryptographic base for both unclassified and most classified information. In addition, the VPN client is integrated with the KNOX platform and provides broad VPN compatibility for most partner VPN solutions while spanning all levels of VPN security, including IPsec. Non-FIPS AES-256 IPSec VPN is available for MCM managed devices.

Secure Access to SaaS Apps

Access to Software as a Service (SaaS) applications in the enterprise must be secured. In addition, combining enterprise and personal applications can consume precious resources, and classic split tunneling will not work as both destinations are in the cloud. Using the KNOX per-app VPN feature allows secure access to business applications and normal connectivity for personal applications while conserving enterprise resources.
Ensuring Security of Enterprise Data on a Mobile Device

Samsung KNOX includes several features to ensure the security of enterprise data on the mobile device, both at rest and in transit. The security features provide broad coverage including protecting access to the work zone via a password, monitoring the device or work zone for unauthorized applications or tampering, encrypting application data on the device, and securing network connections to enterprise servers:

- Configure Container password requirements for the employee, for example minimum password length, use of special characters, expiry period, etc.
- Configure data encryption for the work zone, e.g. FIPS-mode for regulated enterprises
- Configure a VPN tunnel and specify what applications must use the VPN at all times
- Create a baseline of the device software and perform automatic periodic scans or on-demand scans to verify integrity of the system and enterprise applications

KNOX safeguards and features designed to address these security aspects are described next.

Preventing File Security Data Leakage

When mixing personal and business use on the same mobile device, the threat of data leakage is increased. Data leakage, as explained earlier, occurs when a user sends sensitive or critical information outside of the corporate network via a personal account, social network site, or public cloud storage system.

Examples of data leakage include:

- An email is received with a file attachment that is downloaded and stored in memory/SD card.
- A file is downloaded to the device from enterprise storage and stored in memory/SD card.

In both cases, the unsecured file is vulnerable to theft by malicious apps. The SD card can be stolen and the file exploited (transferred to a PC via USB, etc.), or the attachment can be uploaded to a public cloud such as Facebook or Dropbox.
KNOX also ensures that all mail attachments are secured and cannot leave the Container. Furthermore, the deep integration allows the KNOX Container to execute at the system level and leverage additional security and isolation guarantees provided by SE for Android. File sharing interaction is also restricted to enterprise storage resources only.
Preventing Copy and Paste Data Leakage

Data from a file can be copied within a Container and pasted into another application outside of the Container, such as S Memo. This can potentially expose sensitive, confidential corporate material in an unsecure environment.

As a result, pasting content copied within the Container into anything outside of it is prohibited. Thus, content copied within the KNOX Container can only be pasted into an application within the Container. In addition, the screen capture function in the Container has been deactivated.

A KNOX Container is a virtual sandbox (or a "Pseudo-Sandbox") within the Android application layer which can control, manage, and restrict data and interactions between an application and the Android subsystem. In addition, the KNOX Container uses a separate file system completely isolated from the rest of the device.

Securing App Data on a Device

Enterprises must ensure that data stored on a mobile device is secure, as devices can easily be lost or stolen. As a result, data can be exploited using USB or rooting techniques to steal data from a lost device. Hackers can even root a temporarily misplaced device and install malware that steals data.

The Samsung KNOX FIPS certified encrypting file system offers protection of app data. ODE enforcement is automatic within the KNOX Container, and is IT Policy-controlled outside of the KNOX Container. Additional protection can be provided through an optional Theft Recovery Service and SE for Android. For more information on either one, refer to the "An Overview of KNOX Security" or "Securing a Lost or Missing Device" sections of this document.
Using Smart Card Authentication

US DoD and government personnel use Common Access Cards (CACs) for identification and dual-factor Public Key Infrastructure (PKI) authentication to access government resources:

- PKI certificates are stored on CAC in a Samsung device and used to digitally sign and encrypt emails.
- Two-factor authentication tests the user's identity by verifying both what they have (CAC) and what they know (PIN).
- The user must have the smart card (paired and registered with the device and within the Bluetooth range) and also input the PIN for the CAC smart card for a successful authentication to occur.

Larger enterprises may wish to use smart cards for Single Sign-On (SSO) access to enterprise resources that require strong security. Stronger authentication requires a stronger PIN and a stronger card.

The Samsung KNOX solution offers enhanced Mobile Device Management (MDM) policies that support smart card authentication. This provides applications access to the certificates on the CAC via standards-based Public Key Cryptography Standard (PKCS) #11. These policies are specifically intended for CAC access to VPN, email, lockscreen, and browser functionality.

Ensuring Device Integrity

Enterprises must ensure mobile device integrity to protect against rooting, malicious removal of essential apps, and the installation of unauthorized apps. Enterprises must also ensure that they are compliant with IT policies.

When enterprises use the KNOX Integrity Service, IT Admins are notified of any loss of device integrity through their MDM console via a snapshot.
Once a snapshot is taken for a baseline, the system reports any changes from that baseline, including the detection of the following threats:

- Rooting
- Any attempt at malicious removal of critical apps
- The installation of any unauthorized apps

The Security Watcher feature of Samsung TIMA ensures that the kernel cannot be manipulated after it is loaded and that unauthorized Loadable Kernel Modules (LKMs) will not execute in the OS kernel. TIMA also guarantees the detection of any attacks that involve loading new code or modifying existing code by watchdogging virtual memory. Read more about TIMA in the "An Overview of KNOX Security" section of this document.

IT Policies that support device integrity include those that support whitelisting and blacklisting.
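The baseline-and-report model described above, sketched as an added example (this is not the KNOX Integrity Service or its API): the snapshot fields, the policy object, the root-binary names and all package names and digests are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Snapshot:
    packages: FrozenSet[str]       # installed package names
    system_files: Dict[str, str]   # path -> SHA-256 hex digest


@dataclass
class Policy:
    critical_apps: FrozenSet[str]               # apps that must stay installed
    blacklist: FrozenSet[str]                   # never allowed
    whitelist: Optional[FrozenSet[str]] = None  # if set, only these may be added


# Assumed indicator names; a real deployment would maintain its own list.
ROOT_BINARIES = frozenset({"su", "busybox"})


def compare(baseline: Snapshot, current: Snapshot,
            policy: Policy) -> List[Tuple[str, str]]:
    """Report every change from the baseline as (category, subject)."""
    findings = []
    for path, file_digest in current.system_files.items():
        old = baseline.system_files.get(path)
        if old is None:
            is_root = posixpath.basename(path) in ROOT_BINARIES
            findings.append(("rooting" if is_root else "system_file_added", path))
        elif old != file_digest:
            findings.append(("system_file_changed", path))
    for path in baseline.system_files.keys() - current.system_files.keys():
        findings.append(("system_file_removed", path))
    for pkg in policy.critical_apps & (baseline.packages - current.packages):
        findings.append(("critical_app_removed", pkg))
    for pkg in current.packages - baseline.packages:
        not_allowed = policy.whitelist is not None and pkg not in policy.whitelist
        if pkg in policy.blacklist or not_allowed:
            findings.append(("unauthorized_app", pkg))
    return sorted(findings)


# Constructed sample data (package names and digests are placeholders).
BASELINE = Snapshot(
    packages=frozenset({"com.example.mdmagent", "com.example.mail",
                        "com.example.notes"}),
    system_files={"/system/bin/app_process": "aa" * 32,
                  "/system/lib/libc.so": "bb" * 32},
)
CURRENT = Snapshot(
    packages=frozenset({"com.example.mail", "com.example.notes",
                        "com.example.crm", "com.example.game"}),
    system_files={"/system/bin/app_process": "cc" * 32,
                  "/system/lib/libc.so": "bb" * 32,
                  "/system/xbin/su": "dd" * 32},
)
POLICY = Policy(
    critical_apps=frozenset({"com.example.mdmagent"}),
    blacklist=frozenset({"com.example.sideloader"}),
    whitelist=frozenset({"com.example.mdmagent", "com.example.mail",
                         "com.example.notes", "com.example.crm"}),
)

if __name__ == "__main__":
    for category, subject in compare(BASELINE, CURRENT, POLICY):
        print(f"{category:22} {subject}")
```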
Improving Employee Productivity from a Mobile Device

Samsung KNOX enables increased employee productivity with features such as SSO, a preinstalled set of business applications, access to a curated set of applications from an Enterprise App Store, and work/personal area separation:

- Enable SSO for compatible applications such as Box.
- Access popular enterprise services such as Microsoft SharePoint and Lync, SAP, Salesforce.com, etc. from within the work zone.
- Collaborate using Cisco WebEx, Citrix GoToMeeting, Samsung SmartConference, Samsung Enterprise IM, Salesforce.com, and so on, within the work zone.
- Allow employees to download high-quality enterprise-specific applications from the Samsung Enterprise App Store, while avoiding the application-congested Android Store.
- Complete separation of the work environment from an employee's personal area.

Enabling SSO for Mobile Apps

Almost all enterprise apps require authentication. Entering passwords repeatedly is cumbersome and can negatively affect the user experience, while password sprawl can cause Helpdesk issues related to password resets. Just as important, caching passwords in apps is not safe.

KNOX offers an SSO service that utilizes SSO-enabled applications inside the KNOX Container (from the KNOX App Store) and supports both cloud and Intranet-based apps. IT Policies can be applied to enable SSO for apps as well.
Dual Persona in BYOD and COPE

As mentioned earlier, a KNOX Container provides a separate Android environment within the mobile device, complete with its own home screen, launcher, applications, and widgets. Applications and data inside the Container are isolated from applications outside the Container, and vice versa. However, some applications inside the Container can be granted read-only access to data outside the Container via a policy configuration.

The following lists the applications available in a KNOX Container, and illustrates how KNOX separates content and information located within the KNOX Container from a user's personal area:

Core applications

The KNOX Container comes complete with the following pre-installed applications:

- App Store
- Camera
- Contacts
- Downloads
- Gallery
- Internet
- My Files
- Phone
- Polaris Office 5
- S Memo
- S Calendar
- S Planner
- Samsung KNOX Apps

Application Isolation

The following shows examples of how some of the core applications function within and outside of a KNOX Container.

Camera

The camera in the KNOX Container is the same camera app available for use in your personal environment. Photos that you take with the KNOX Camera cannot be accessed outside of the Container environment (just as photos taken with the camera in your personal environment cannot be accessed within the KNOX Container).

Phone

The Phone app in the KNOX Container is the same Phone app available for use in your personal environment. Phone contact information within the KNOX Container cannot be accessed outside of the Container environment (just as phone contact data stored in your personal environment cannot be accessed within the KNOX Container).

Email

The email client in the KNOX Container is a Microsoft Exchange-compatible app that supports business mail for the KNOX user.
Enterprise mail, attachments, and other data cannot be accessed outside of the Container environment.
EXCEPTIONS

Some applications inside the Container can be granted read-only access to data outside the Container via a policy configuration. For example, calendar events and contacts created outside the Container are viewable inside the Container.

Calendar

The Container's Calendar can receive event details from the user's personal calendar on a read-only basis. Both business and personal appointments are consolidated in the Container calendar view. Business events do not appear in the calendar in the personal environment.

When using the calendar inside the KNOX Container:

- Events created within the Container are displayed with complete descriptions
- Personal events are shown with complete descriptions

When using the calendar in the personal area:

- Events created within the personal area are displayed with complete descriptions
- No corporate events are shown

Contacts

The Contacts client in the KNOX Container is the same Contacts app available for use in your personal environment. As a result, contacts created within the personal area will appear in the KNOX Container. However, contacts created within the KNOX Container will not appear in a user's personal environment.

When viewing contacts inside the KNOX Container:

- IT-installed company directory is displayed
- Contacts added within the Container are displayed
- Personal contacts are displayed

When viewing contacts in the personal area:

- Personal contacts are displayed
- Contacts added while in the personal area are displayed
- Personal contacts added within the Container are not displayed
App Store

The App Store in the KNOX Container is preloaded with a variety of business apps from Independent Software Vendors (ISVs) such as Cisco, Salesforce, Dropbox, and so on. You can browse the app store and select an app for download/installation in the same manner as any commercial app store (for example, Google Play).

With recent statistics illustrating that over 40% of all robberies are smartphone-related, enterprises are rightfully concerned about their devices being lost or stolen. Once missing, a device can be sold, and any confidential information on it can be compromised. The user also has no way of disabling the device once it's gone.

When devices are stolen, enterprises face the loss of a physical asset from a device that potentially can contain intellectual property and/or assets. The financial impact on the enterprise due to theft can potentially be significant.

Protecting Against a Temporarily Missing Device

KNOX enables the enterprise to safeguard against accidental misuse of business data if the employee has temporarily lost custody of the device, e.g. leaving it at home before a business trip, leaving the device behind at a friend or relative's house, etc. The IT admin may invoke one or more of the following features to protect against data theft and misuse:

- Remotely lock the Container to prevent anyone from accessing the work zone.
- Remotely uninstall apps that access the corporate network or cloud services.
- Remotely disable VPN access.
Terminating Mobile Access when an Employee Leaves

In a BYOD environment, KNOX allows the enterprise to gracefully de-register the employee's personal device from the enterprise without affecting any personal applications or data:

- Remotely wipe and destroy the work zone Container, preserving all personal applications and content.
- Remotely remove VPN access if enabled for applications outside the KNOX Container.
- Remotely remove any policies affecting the use of the camera, Bluetooth, Wi-Fi or other hardware feature.
Recovering from a Stolen Device

Factors behind the increasing numbers of smartphone thefts include the high resale value of the device as well as the personal and corporate information that may be used for identity theft or corporate espionage. KNOX offers a comprehensive anti-theft service that includes both tracking and law-enforcement-assisted recovery of the stolen device:

- Remotely lock the device and/or the Container to prevent the thief from using the device or extracting personal and business data.
- Remotely wipe the device and/or Container to eliminate information theft using memory extraction techniques.

The KNOX Theft Recovery Solution

The optional Samsung KNOX Theft Recovery Service is supported by Absolute Software's Computrace solution. Each KNOX device contains the Absolute Persistence Service embedded in its firmware, which protects against circumventing the service, even if a factory reset is performed. The Computrace Mobile Agent is installed at the time of subscription and enables device tracking. Computrace also works with law enforcement agencies to recover the device.
Summary

The Samsung KNOX service offers an extensible feature set that supports enterprise business needs for mobile security and management. As a result, KNOX is ideal to support the rigid security requirements of BYOD/COPE programs that many companies have or soon will be incorporating.

Samsung KNOX features an Application Container technology that can be used to create a secure work zone on an employee's device for corporate applications and data. This means that all corporate-installed applications and data inside the KNOX Work Container are isolated from a user's personal applications and data outside the Container. This Container technology, in conjunction with other features like per-app VPN and Single Sign-On, enables Samsung KNOX to offer the most secure solution for corporations and employees interested in using one mobile device for both work and personal use.

Additional Resources

More information on Samsung KNOX can be found in the following documentation:

- Introducing Samsung KNOX brochure
- An Overview of Samsung KNOX white paper
About Samsung Electronics Co., Ltd.

Samsung Electronics Co., Ltd. is a global leader in technology, opening new possibilities for people everywhere. Through relentless innovation and discovery, we are transforming the worlds of televisions, smartphones, personal computers, printers, cameras, home appliances, LTE systems, medical devices, semiconductors and LED solutions. We employ 236,000 people across 79 countries with annual sales exceeding KRW 201 trillion. To discover more, please visit

For more information about Samsung KNOX, Visit

Copyright 2013 Samsung Electronics Co. Ltd. All rights reserved. Samsung is a registered trademark of Samsung Electronics Co. Ltd. Specifications and designs are subject to change without notice. Non-metric weights and measurements are approximate. All data were deemed correct at time of creation. Samsung is not liable for errors or omissions. All brand, product, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.

Samsung Electronics Co., Ltd. 416, Maetan 3-dong, Yeongtong-gu Suwon-si, Gyeonggi-do , Korea
