
Everything KNOX...

OP lawalty

10th October 2013, 09:33 PM   |  #1  
lawalty (OP, Senior Member)
FYI: Please don't get offended by me posting this thread. I searched and couldn't find anything dedicated to KNOX and discussions about it. So I created a thread where we can hammer out our ideas, and logic.

Firstly, here is a little video explaining what Samsung KNOX is:



My "cliff note" explanation of what KNOX is:

A virtual environment, on your phone, where running "un-approved" applications, will not affect the KNOX environment. In other words, it's like running a program like Virtual Box for your Note 3, and only pre-approved "limited" apps can run in this environment. In the video, it says how taking a picture, can be emailed and shared, yet outside of KNOX, you can't access this picture.

https://www.samsungknox.com/

KNOX has been in development for quite some time. What I have found out, it's like Fort Knox (get the pun?). Fort Knox is known to be impenetrable (http://ainulfarina.blogspot.com/2013/01/fort-knox-most-secure-vault-in-world.html). Samsung has partnered with various software and hardware companies to develop a platform for the infrastructure of business, with security in mind. We're talking about security on the hardware level. To market this, to tap into the business/enterprise world, using the Note 3 as the preferred paperless, go-to device. To achieve this, they need to sell the idea that security is king. However, they don't want to exclude the rest of the market of the common everyday individual. That's why Samsung's tag line is "Work and play on one device".

This KNOX environment needs to be installed and set up. The desired list of apps would need to be pre-approved for your device as part of the set-up process. I'm sure this is on an organizational level.
The Following 5 Users Say Thank You to lawalty For This Useful Post:
10th October 2013, 10:19 PM   |  #2  
I have a couple of questions on KNOX which I hope the answer is Yes to both:
Will it work if the phone is un-rooted, but had been previously rooted?
Will it prevent MDM applications from reading personal stuff like installed text messages and other stuff outside of KNOX on the phone?


There are a few things that I'd like to do which require root to do. A couple of examples, among many, are removing bloatware that can't be disabled and BT pairing a PS3 controller.

My employer has selected MobileIron for their MDM due to the head of Security having some relative there (nepotism) when there were plans to use and sell as a SaaS solution the less intrusive AirWatch. Interest in MobileIron by our customers is much lower than AirWatch since it doesn't fit into the SaaS model like our other services.

The big problem with MobileIron from an end user perspective is how intrusive it is. It logs everything and sends that info to the management server; this includes text messages. On company issued equipment, no privacy is to be expected; however, that privacy is expected on my personal stuff. I'm told MobileIron has the capability to go through the phone's storage and download anything.

I'll consider leveraging KNOX if those two questions have "Yes" as an answer. Frankly, my employer is being unreasonable with their mobile requirements (long story) and the head of Security maintains his ass as his hat with more power than he should because of his relationship with a VP or the CEO. I have been using an alternate method to the silliness of walking around with two phones that facilitates their electronic checks; I just don't advocate the solution.
The Following User Says Thank You to noc007 For This Useful Post:
10th October 2013, 10:45 PM   |  #3  
lawalty (OP, Senior Member)
Quote:
Originally Posted by noc007

I have a couple of questions on KNOX which I hope the answer is Yes to both:
Will it work if the phone is un-rooted, but had been previously rooted?
Will it prevent MDM applications from reading personal stuff like installed text messages and other stuff outside of KNOX on the phone?

I have many friends who have rooted their phones, but none that I know use the KNOX environment. Even using the Note 2 for a full year, this is the first time I've heard of KNOX when exploring my Note 3.

I also want to know if triggering the KNOX flag, can that environment still be accessed, or even installed?

I can only assume the answer would be "yes" to your second question, since it's a separate environment altogether. I understand that anything done outside KNOX mode is excluded from affecting it, however wouldn't it be the same from within?

To answer your first question, we would need someone who rooted their phone, and simply select KNOX from the app drawer, go through the install process and find out.
11th October 2013, 01:35 AM   |  #4  
nygmam (Senior Member; New York, NY)
While I haven't chosen to activate or use Knox, I believe you are limited to installing apps from the Knox store. You can see the apps available on the store at the Knox Website.

Not only will Knox basically run all apps in a sandbox, it will only run Knox approved apps, further locking down the possibility of something bad being installed. You can't even take a screen shot in the Knox environment. Think of it as a locked down virtual box on your phone, that separates your work life from your private, and protects the work related data.
11th October 2013, 05:53 AM   |  #5  
wing_addict_usa (Senior Member)
selinux
11th October 2013, 10:33 PM   |  #6  
Quote:
Originally Posted by lawalty


I also want to know if triggering the KNOX flag, can that environment still be accessed, or even installed?

Once the KNOX WARRANTY VOID bootloader flag is set to 0x1, the phone is considered compromised and the KNOX secure container cannot be created. In other words, once you root, the KNOX sandbox will never function again.

The flag is there for exactly this purpose - to disallow compromised devices from accessing secure apps and systems that require sandboxing; the fact Samsung also started using it to deny warranty claims is a side effect caused by their greed.
The Following 5 Users Say Thank You to siraltus For This Useful Post:
12th October 2013, 02:00 AM   |  #7  
Steve Lazarus (Senior Member; Syracuse, NY)
Quote:
Originally Posted by siraltus

Once the KNOX WARRANTY VOID bootloader flag is set to 0x1, the phone is considered compromised and the KNOX secure container cannot be created. In other words, once you root, the KNOX sandbox will never function again.

The flag is there for exactly this purpose - to disallow compromised devices from accessing secure apps and systems that require sandboxing; the fact Samsung also started using it to deny warranty claims is a side effect caused by their greed.

I really think Samsung should have had a business line of Note 3 devices, as compared to every phone having the Knox "container", I think it's a contributing factor to the bootloop issues that are widespread and creating more headaches than it's worth.

There's going to be a very small population of users that will actually consider even using Knox, yet as stated, is creating major issues in the Note 3 community.

Sent from my SM-N900T using XDA Premium 4 mobile app
Last edited by Steve Lazarus; 12th October 2013 at 02:06 AM.
12th October 2013, 03:15 AM   |  #8  
lawalty (OP, Senior Member)
What was Samsung thinking of putting KNOX on the Note 3s with unlocked bootloaders? If simply rooting the phone triggers the KNOX flag, permanently flagging the phone for any future dealings with this secure mode for businesses, wouldn't it be simpler to only have the flag if rooted?

So if your phone is not rooted, then you can install KNOX. If your phone currently is rooted, then no KNOX.

My fear is that other companies, that don't like people rooting the phones where their apps are installed on, might hop on this, and consider this as a solution.

Sent from my SM-N900T using XDA Premium 4 mobile app
12th October 2013, 07:15 AM   |  #9  
wing_addict_usa (Senior Member)
knox flag is the same thing as the note ii warranty flag. wtf do they call it knox

anyway its bs i cant use knox if im rooted
12th October 2013, 07:33 AM   |  #10  
muqali (Senior Member; Unfortunately, Mexico)
Quote:
Originally Posted by siraltus

Once the KNOX WARRANTY VOID bootloader flag is set to 0x1, the phone is considered compromised and the KNOX secure container cannot be create.... the fact Samsung also started using it to deny warranty claims is a side effect caused by their greed.

Just open the phone, use some fine wires to pump enough voltage and current into it to fry some stuff. Make it look like a charger or battery issue. Warranty still "valid". They want to screw us, we can screw back.

The Following 12 Users Say Thank You to muqali For This Useful Post:

Tags
business, enterprise, flag, knox