Working with Samsung general policies

Use the Samsung general policy to manage Samsung Knox license keys on Samsung devices.

Upgrade Note: The Samsung Knox license key for Samsung Knox activation has been moved from the Samsung (Knox) Container policy (Policies & Configs > Configurations) to the Samsung General policy (Policies & Configs > Policies). If a license key is configured in the Container policy, then a new Samsung general policy is automatically created.

Procedure 

  1. Go to Policies & Configs > Policies.
  2. Select Add New > Android > Samsung General.
  3. Use the following guidelines to complete this form:
    • Name: Enter a unique name for the policy.
    • Status: Select Active to turn on this policy, or Inactive to turn it off.
    • Priority: Select Higher than or Lower than, then select an existing policy from the drop-down list. If you have multiple policies, use the Priority setting to select which policy gets applied. See “Prioritizing policies” in Getting Started with Ivanti EPMM.
    • Description: Enter a description for the policy.
    • KNOX License Key: Enter the Samsung Knox license key. Important: Ivanti EPMM does not validate the Knox license key. If the license key is invalid, AppConnect apps on the device cannot be used.
    • KNOX Device Attestation Enabled: To enable attestation, first select the “I understand” check box, then select Knox Device Attestation Enabled. See also: Attestation support for Samsung Knox.
    • Audit Collection Controls: Select Enable to enable event logging to the device logs on Samsung Knox devices. See Configuring audit collection controls for Samsung Knox devices.

  4. Select Save.

Attestation support for Samsung Knox

It is possible for employees to use rooted Android devices with customized firmware. An enterprise can use the attestation feature to validate a device’s integrity before it installs a Samsung Knox container on that device.

The attestation feature requires Samsung Android devices that are attestation capable.

Attestation works by sending a challenge to the device to test its integrity. The device responds, and Ivanti EPMM returns its final verification. A device responds to the challenge in one of three ways:

  • Correctly, resulting in attestation state of PASS
  • Incorrectly, resulting in attestation state of FAIL
  • No response, resulting in attestation state of UNKNOWN

A device without attestation support does not respond. A device that supports attestation may also not respond, for example, if it has no network connectivity, or if it was compromised and sends no response.

An attestation challenge is sent to a device when the device checks in with Ivanti EPMM, but not more frequently than once per hour. The attestation result determines whether a Samsung Knox container is removed, installed, or left unchanged. Additional compliance actions triggered by an attestation FAIL can be defined in a security policy.

For all Samsung Android devices, whether or not they are attestation-capable, enabling attestation for the device removes a pre-existing Samsung Knox container from the device.

See Attestation behavior on the device for more details.

Configuring attestation on Ivanti EPMM

Before you begin 

  • You must have a Samsung Knox License Key to enable attestation.
  • Samsung Android devices that support attestation are required to take advantage of this feature.

Recommendations

  • For the best user experience, apply attestation to a new device deployment. If you enable attestation on a previously deployed device, any existing Samsung Knox container will be removed, and replaced only if the device passes the attestation challenge.
  • Ivanti recommends enabling attestation in a homogeneous environment where all the devices are known to support attestation, for example, an environment where all attestation-capable Samsung devices are corporate-owned and assigned to an LDAP group.
  • Ivanti strongly recommends against enabling attestation to groups of devices where attestation support is unknown or mixed.

Configuring attestation step-by-step

Follow these steps to enable attestation, create a related security policy with optional custom compliance actions, and assign the policy to devices.

Procedure 

  1. Create a label to use for attestation-related policies and devices:
    1. Go to Device & Users > Labels.
    2. Select Add Label. Name the label “Attestation Label”, for example.
  2. Enable attestation in the Samsung General Policy:
    1. Go to Policies & Configs > Policies.
    2. Select Add New > Android > Samsung General. The New Samsung General Policy dialog appears.
    3. Enter the Name.
    4. Enter the Knox License Key.
    5. Read the Caution statement, and then select the “I understand” check box beneath it.
    6. Select Knox Device Attestation Enabled.
    7. Select Save.
  3. Assign the Samsung General Policy to a label:
    1. Select the policy.
    2. Select Actions > Apply to Label.
    3. Select the desired label (for example, Attestation Label).
    4. Select Apply.
  4. Optionally, create a custom compliance action to use in the attestation security policy:
    1. Go to Policies & Configs > Compliance Actions.
    2. Select Add.
    3. Select the actions to take if attestation fails.
    4. Select Save.
  5. Create a security policy to define the consequences when attestation fails:
    1. Go to Policies & Configs > Policies.
    2. Select Add New > Security. The New Security Policy dialog appears.
    3. Enter a name. For example, “Attestation Security Policy”.
    4. Scroll down to Access Control and find the For Android devices section.
    5. Select the check box for “when Samsung Knox device attestation fails”.
    6. Choose the compliance action from the drop-down. If you created a custom compliance action for attestation, it appears as one of the options.
    7. Select Save.
  6. Assign the Security Policy to a label:
    1. Select the policy.
    2. Select Actions > Apply to Label.
    3. Select the desired label (for example, Attestation Label).
    4. Select Apply.
  7. Assign devices to the label with the attestation policies.
    1. Go to Device & Users > Devices.
    2. Select attestation-capable Samsung device(s).
    3. Select Actions > Apply to Label.
    4. Select the label with attestation policies (for example, Attestation Label).
    5. Select Apply.

WARNING: For all Android devices, Knox containers that were created before attestation is enabled are removed when the attestation policy is applied.

Attestation behavior on the device

When a label that includes a Samsung General Policy with the attestation feature enabled is applied to a device, Ivanti EPMM sends attestation challenges to the device periodically. The behavior of each device type is detailed below.

Applying attestation to non-attestation capable devices is not recommended.

Android devices that are not attestation-capable

  • Attestation state is reported as UNKNOWN in Device Details in the Admin Portal.
  • Attestation state will always be UNKNOWN because the device is incapable of responding to an attestation challenge.
  • Any existing Samsung Knox container is removed from the device.
  • No new Samsung Knox container is installed.

Android devices that are attestation-capable

An attestation-capable device will respond to the attestation challenge. A challenge result can be PASS, FAIL, or UNKNOWN.

If the attestation result is PASS:

  • Attestation state is reported as PASS in Device Details in the Admin Portal.
  • For a new device deployment, a Samsung Knox container is installed.
  • For an existing device which has a Knox container that was installed before attestation was enabled:
    • Pre-attestation Knox container is removed.
    • New Knox container is installed.
  • For a device that previously passed, the Knox container remains unchanged.

If the attestation result is FAIL:

  • Attestation state is reported as FAIL in Device Details in the Admin Portal.
  • Samsung Knox container is removed.
  • Additional compliance actions are taken based on the security policy in effect for the device, triggered by the “when Samsung Knox device attestation fails” condition.

If there is no response, the attestation result is UNKNOWN:

  • Attestation state is reported as UNKNOWN in Device Details in Ivanti EPMM.
  • If the device has previously passed attestation, it continues to function as if it has passed. The Knox container remains unchanged.
  • If the device has never passed attestation, then:
    • Any pre-attestation Knox container is removed.
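The rules in this section combine three inputs (whether the device can attest, whether it has passed before, and what kind of Knox container it currently has) into one container action and one reported state. The following is an added Python model of those rules, written for this page; it is not Ivanti EPMM code, and the state fields, the container labels "pre-attestation" and "attested", and the action names are this example's own assumptions. A None response stands for "no reply", which the server reports as UNKNOWN.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Attestation(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    UNKNOWN = "UNKNOWN"


@dataclass(frozen=True)
class DeviceState:
    """Constructed per-device state; field names are this example's, not Ivanti's."""
    attestation_capable: bool
    has_passed_before: bool           # passed at least one earlier challenge
    container: Optional[str]          # None, "pre-attestation" or "attested"


@dataclass(frozen=True)
class Outcome:
    reported_state: Attestation       # what Device Details would show
    container_action: str             # "install", "replace", "remove" or "none"
    compliance_triggered: bool        # "when Samsung Knox device attestation fails" condition
    new_state: DeviceState


def evaluate_challenge(state: DeviceState, response: Optional[Attestation]) -> Outcome:
    """Apply the documented rules to one challenge.

    `response` is the device's reply (PASS or FAIL), or None when no reply arrives
    (no network, a compromised device that stays silent, or a device that cannot attest).
    """
    # A device that cannot attest never answers; any missing answer is reported as UNKNOWN.
    no_answer = not state.attestation_capable or response is None
    result = Attestation.UNKNOWN if no_answer else response

    if result is Attestation.PASS:
        if state.container is None:
            action = "install"        # new deployment
        elif state.container == "pre-attestation":
            action = "replace"        # pre-attestation container removed, new one installed
        else:
            action = "none"           # previously passed: container unchanged
        return Outcome(result, action, False,
                       replace(state, has_passed_before=True, container="attested"))

    if result is Attestation.FAIL:
        action = "remove" if state.container is not None else "none"
        # Assumption: the page does not say whether an earlier PASS still counts after a
        # FAIL, so has_passed_before is left unchanged here.
        return Outcome(result, action, True, replace(state, container=None))

    # UNKNOWN: a capable device that passed before keeps functioning as if it passed.
    if state.attestation_capable and state.has_passed_before:
        return Outcome(result, "none", False, state)
    # Otherwise any pre-attestation container is removed and nothing new is installed.
    if state.container is not None:
        return Outcome(result, "remove", False, replace(state, container=None))
    return Outcome(result, "none", False, state)


def simulate(state: DeviceState,
             responses: Iterable[Optional[Attestation]]) -> Tuple[List[Tuple[str, str]], DeviceState]:
    """Run a sequence of challenge responses; return (reported state, action) per step and the final state."""
    steps = []
    for r in responses:
        out = evaluate_challenge(state, r)
        steps.append((out.reported_state.value, out.container_action))
        state = out.new_state
    return steps, state


if __name__ == "__main__":
    # Constructed scenario: a capable device with a container created before attestation was
    # enabled passes, then misses one check-in, then fails.
    start = DeviceState(attestation_capable=True, has_passed_before=False, container="pre-attestation")
    steps, final = simulate(start, [Attestation.PASS, None, Attestation.FAIL])
    for reported, action in steps:
        print(f"{reported:8} -> container action: {action}")
    print("final state:", final)
```

The simulate helper is the part worth keeping: it shows that a single missed check-in (UNKNOWN) after a PASS leaves the container alone, while the same UNKNOWN on a device that never passed removes a pre-existing container, which is exactly why the page advises against applying attestation to a mixed or unknown device population.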

Configuring audit collection controls for Samsung Knox devices

The Samsung General Policy provides audit collection control settings. These settings control which audit events are logged to the device logs on Samsung Knox devices, based on an event’s severity, outcome, and audit group. They affect all logs collected on the Samsung device: logs made by the Samsung platform as well as logs made by Ivanti Mobile@Work.

You pull these device logs to Ivanti EPMM, and then can access them using the System Manager.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the Samsung General Policy that you are using.
  3. Select Edit.
  4. For Audit Collection Controls, select Enable.
  5. For Severity Rule, select the severity level of events you want to collect. Only audit events of the chosen severity level or higher will be collected. For example, if you select Error, only Error, Critical, and Alert audit events will be collected. The severity levels, from most severe to least severe, are:
    • Alert
    • Critical
    • Error (the default)
    • Warning
    • Notice
  6. For Outcome Rule, select whether you want to collect only events indicating success, events indicating failure, or all.
  7. For Audit Groups, select the groups of events you want to collect. Select one or more of Security, System, Network, Events, or Application. The default is that all of the groups are selected.
  8. If you selected Events in the Audit Groups field, the Audit Events field is enabled. The possible individual events in the Events group are displayed in the Audit Events drop-down. Select the individual events that you want to collect.
  9. In the UID section, select the + sign to add a UID. Each UID is an integer, defined by Samsung, for enabling Samsung-specific logging.
  10. Select Save.
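Steps 5 through 8 describe four filters that are applied together: a severity threshold ("chosen level or higher"), an outcome rule, a set of audit groups, and, only when the Events group is selected, a list of individual events. The following added Python example models how those settings combine over a handful of constructed audit records; it is written for this page and is not Ivanti or Samsung code. The settings field names, the event names, and the assumption that an Events-group record is kept only when it is individually selected are this example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Severity levels exactly as the policy lists them, most severe first.
SEVERITY_ORDER = ("Alert", "Critical", "Error", "Warning", "Notice")
AUDIT_GROUPS = frozenset({"Security", "System", "Network", "Events", "Application"})
OUTCOME_RULES = ("success", "failure", "all")


@dataclass(frozen=True)
class AuditControls:
    """Model of the Audit Collection Controls settings (constructed field names)."""
    enabled: bool = True
    severity_rule: str = "Error"                   # the page's default
    outcome_rule: str = "all"
    audit_groups: FrozenSet[str] = AUDIT_GROUPS    # the page's default: all groups selected
    audit_events: FrozenSet[str] = frozenset()     # individually selected Events-group events

    def __post_init__(self) -> None:
        # Reject settings the policy form would not offer, so a typo fails loudly.
        if self.severity_rule not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {self.severity_rule}")
        if self.outcome_rule not in OUTCOME_RULES:
            raise ValueError(f"unknown outcome rule: {self.outcome_rule}")
        if not self.audit_groups <= AUDIT_GROUPS:
            raise ValueError(f"unknown audit group(s): {set(self.audit_groups) - AUDIT_GROUPS}")


@dataclass(frozen=True)
class AuditEvent:
    """One audit record as the device would log it (constructed shape)."""
    severity: str
    outcome: str      # "success" or "failure"
    group: str
    name: str


def is_collected(ctl: AuditControls, ev: AuditEvent) -> bool:
    """Return True if the policy would keep this event in the device log."""
    if not ctl.enabled:
        return False
    # Severity rule: keep events at the chosen level or more severe (a lower index).
    if SEVERITY_ORDER.index(ev.severity) > SEVERITY_ORDER.index(ctl.severity_rule):
        return False
    # Outcome rule: "all" keeps both outcomes; otherwise the outcome must match.
    if ctl.outcome_rule != "all" and ev.outcome != ctl.outcome_rule:
        return False
    # The event's audit group must be one of the selected groups.
    if ev.group not in ctl.audit_groups:
        return False
    # Assumption: inside the Events group only the individually selected events are kept.
    if ev.group == "Events" and ev.name not in ctl.audit_events:
        return False
    return True


def collect(ctl: AuditControls, events: Iterable[AuditEvent]) -> List[str]:
    """Names of the events the device log would retain under these controls."""
    return [ev.name for ev in events if is_collected(ctl, ev)]


# Constructed sample records; names are illustrative, not Samsung's real event catalogue.
SAMPLE_EVENTS = [
    AuditEvent("Alert", "failure", "Security", "integrity_check_failed"),
    AuditEvent("Error", "failure", "System", "service_crash"),
    AuditEvent("Warning", "success", "Network", "wifi_roam"),
    AuditEvent("Critical", "success", "Network", "vpn_tunnel_up"),
    AuditEvent("Error", "failure", "Events", "container_removed"),
    AuditEvent("Notice", "success", "Application", "app_started"),
]

if __name__ == "__main__":
    print("defaults:", collect(AuditControls(), SAMPLE_EVENTS))
    failures_only = AuditControls(outcome_rule="failure",
                                  audit_groups=frozenset({"Security", "Network"}))
    print("failures in Security/Network:", collect(failures_only, SAMPLE_EVENTS))
    with_events = AuditControls(audit_events=frozenset({"container_removed"}))
    print("with one Events entry selected:", collect(with_events, SAMPLE_EVENTS))
```

Running it with the defaults shows the point of step 5 that trips people up: the default Error threshold keeps Alert and Critical records too, while Warning and Notice records never reach the log, so a Warning-level record you expect to find in a pulled device log was filtered on the device, not lost in transit.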