Firstly, here is a little video explaining what Samsung KNOX is:
My "cliff note" explanation of what KNOX is:
A virtual environment, on your phone, where running "un-approved" applications, will not affect the KNOX environment. In other words, it's like running a program like Virtual Box for your Note 3, and only pre-approved "limited" apps can run in this environment. In the video, it says how taking a picture, can be emailed and shared, yet outside of KNOX, you can't access this picture.
KNOX has been in development for quite some time. What I have found out, it's like Fort Knox (get the pun?). Fort Knox is known to be impenetrable (http://ainulfarina.blogspot.com/2013/01/fort-knox-most-secure-vault-in-world.html). Samsung has partnered with various software and hardware companies to develop a platform for the infrastructure of business, with security in mind. We're talking about security on the hardware level. To market this, to tap into the business/enterprise world, using the Note 3 as the preferred paperless, go to device. To achieve this, they need sell the idea that security is king. However, they don't want to exclude the rest of the market of the common everyday individual. That's why Samsung tag line is "Work and play on one device".
This KNOX environment needs to be installed and set up. The desired list of apps would need to be pre-approved for your devise as part of the set-up process. I'm sure this is on an organizational level.