Hello all, I'd like to answer some of your questions if possible. I've been working with Knox as a QA resource with a 3rd party testing an implementation of Knox and I'd like to answer a few points that have been brought up.
Activating Knox (knoxifying) a device locks the bootloader and activates the Knox Agent. The Knox Agent will consistently force close and attempt to uninstall any SU style application. The bootloader in Odin mode scans bootloader, PDA, Modem, CSC files for a unique Knox Samsung certificate.
After activating Knox you will see that the Secure Boot Mode changes to 'Enforcing'.
There is no known way to reverse it back into a Permissive state and remove the Knox Agent. Conversations with Samsung have proved less than useful on this subject; however, I've heard a rumor they are coming up with a way to reverse it.
Knox cannot be activated solely on its own.
MDM vendors will still have full control of the device even when Knox is activated. Knox is not meant to sandbox a device's MDM vendor. It is meant to sandbox secure corp data; MDM vendors will more than likely still have samples and controls of the device.
I had previously made a thread on reddit.com/r/android where I answered a lot of questions as well; however, I cannot link to it due to using a throwaway account.