Knox Solutions - Samsung Knox€¦ · - Provide Knox Customer ID - Get Knox Reseller ID 01...
Transcript of Knox Solutions - Samsung Knox€¦ · - Provide Knox Customer ID - Get Knox Reseller ID 01...
Knox Solutions
Cloud Services
KnoxGuard
What is Samsung Knox?
Knox Platform for Enterprise
On-device Security
A comprehensive set of cloud enterprise solutions built on top of a secure on-device platform to address various business needs
Contents
Ⅰ . Product Overview
Ⅱ . Product Offerings
Ⅲ . Device Eligibility & Verification
Ⅳ . Customer Benefits
Ⅴ . Appendix
ProductOverview
What is Knox Guard? Cloud-based service that allows carriers/banks to remotely control and
lock Samsung devices to reduce financial risks while running installment plans
05
“ Reduced Financial Risks Larger Consumer Base ”
Message Notification
Periodic Screen Lock
Device Lock
Remote Device Control for Devices with Installment Plans
Ⅰ. Product Overview
USP 1 : Mandatory Message NotificationNotify device users of overdue payments by remotely
sending message notifications to their devices
Admin(Carrier/Bank)
Device Users
Use Cases
· Notification of overdue payments
· Reminder of payment terms & conditions
· Advance warning of upcoming restrictions
06
Message Notification
· Customizable notification message
· Real-time delivery
Ⅰ. Product Overview
USP 2 : Periodic Screen LockNotify device users of overdue payments more strongly
by periodically locking screen
Use Cases
· Periodic restriction of device use
· Early warning of upcoming restrictions
Admin(Carrier/Bank)
Device Users
07
Periodic Screen Lock
· Full-screen lock
· Non-dismissible message remains in the
notification bar after screen lock is dismissed
· Lock frequency: 3 seconds ~ 24 hours
· Customizable lock message
Ⅰ. Product Overview
USP 3 : Device LockPrevent unpaid devices from being resold in the gray market
by fully locking device
Admin(Carrier/Bank)
Device Users
Device Lock
· Blocked access to Home Screen
· No factory reset & binary flashing allowed
· No USB/Bluetooth/Tethering/NFC allowed
· Customizable Lock Screen message
Location monitoring
Use Cases
· Persistent device lock-down
· Enforced location monitoring
Outgoing Call Restriction
Exceptions:: Call to Customer Call Center, Emergency Call
Ⅰ. Product Overview
08
09
- Status Inquiry
- Device ID Upload
- Action/Control
- License Order
Automated Operation Flexible Device Registration Methods SIM Control
SIM Control
- Lock device
- Apply Restriction (Call/SMS/Data)
- Based on MCC/MNC/GID1
Additional Features
Offline Lock
Offline Lock
- Prevent call-only fraud
- Offline period thresholdfrom 15 to 200 days
Data
Ⅰ. Product Overview
Hardware-backed Security
Agent Network Blocking-proof
All security-sensitive operations of Knox Guard securely run inside the TrustZone, a vault designed to protect the device from any attempts to compromise or hack. If user attempts to manipulate the TrustZone to escape Knox Guard’s control, device will subsequently lock itself.
Knox Guard has ability to lift any network block or filtering placed on Knox Guard agent by any malicious app, and connect back to Knox Guard server to remain under control.
TrustZone
KG
Ⅰ. Product Overview
Enhanced Security
10
Firewall App
KG
Unauthorized Firmware Blocking
Any attempts to replace the official software binary with a maliciously modified one are blocked on devices that are enrolled to Knox Guard to prevent devices from being compromised. NO CUSTOM ROM
IMEI Tamper-proof
Any intentional IMEI changes cannot alter or affect the control over the device because, upon Knox Guard device enrollment, each device is assigned a unique/secure identifier other than its IMEI within the server. IMEI
KG
ProductOfferings
Ⅱ. Product Offerings
Product Polices
Pricing Licensing
· Per Device, One-time
- Each device has own license periodbased on the enrollment timingof the device
- Non-transferrable, Irrevocable from
activated devices
· Maintenance fee included
- SLA-based technical support
- Software maintenance
· Upon Expiration
- All policies applied on the device will be removed.
- The device will be out of control.
- Devices cannot be registered to Knox server with an expired license
· Upon Device Deletion
- All the policies and installed agent are withdrawnfrom the device
- Device stops receiving command from the server,to push commands, the device must be registeredand enrolled once again * License can be activated during 1 year from the "activation date" set
by customer. Each device can be controlled up to 3 years after activation
12
Device Eligibility& Verification
Technical Requirements Device Ownership Verification
Device Eligibility
Ⅲ. Device Eligibility & Verification
15
· Devices must be purchased fromKnox Deployment Program-participating resellers
· Designed for a large number ofcommercial devices
Type 1
By Device Reseller(Bulk Device ID Upload)
· Devices can also be verifiedusing Knox Deployment Appin real time
· Designed for a small number ofdevices (e.g., test devices)
Type 2
By IT Admin(NFC/Bluetooth Connection)
Samsung Galaxy(smartphones/tablets)
With Knox v3.2.1(=Android Pie OS) or greater
* Basic Knox Guard features are supported even from Knox v2.7.1+ but Knox Guard is preloaded and fully secured from Pie OS.
Ⅲ. Device Eligibility & Verification
Type 1 : By Reseller – Bulk Device ID Upload KDP1)-participating resellers can upload a number of device IDs in bulk for
verification automatically via Knox Reseller API or manually via Knox Reseller Portal
15
Admin(Carrier/Bank) Device Users
Knox DeploymentProgram
Participating DeviceReseller
Manage devicesover-the-air,out-of-the-box
05Submit deviceIMEI/SNsfor verification
02
Deploy devices to end users04
Submit Reseller ID, accept device ID uploads, and select devices to register
03
Purchase devices fromParticipating resellers- Provide Knox Customer ID- Get Knox Reseller ID
01
Automated
Manual
Knox Reseller API
Knox Reseller Portal
KG Customer Portal
1) Knox Deployment Program
Master Device Target Device03 NFC
Bump each target devicePrepare a master deviceand download & installKnox Deployment App
01
Sign in with IT Adminaccount to registertarget devices
02 Device IDuploaded by app
04 Device registration andmanagement capabilityenabled immediately
05
Ⅲ. Device Eligibility & Verification
BluetoothOpen https://guard.samsungknox.comfrom web browser on each target device and click on “First Time” button
Type 2 : NFC/Bluetooth ConnectionIT Admin can self-verify device ownership and immediately apply Knox Guard on devices
by connecting each device via NFC or Bluetooth using the Knox Deployment App
16
CustomerBenefitsCustomerBenefits
Ⅳ. Customer Benefits
Benefits
Pricing
Customer Consumer
Reduced Operating Costs
Eliminate costs associated with manual labor and fees
incurred through SMS and/or call reminders
Increase Customer Base Lower Interest Rates Wider Product Portfolio
Places the Customer(finance companies, carriers, etc.) at an advantage against other device
channels with higher interest rates and operating costs.
Lowered interest rates are favorable for consumers
as total costs associated with financing a device is lower
Consumers have a wider range of devices to choose from, including premium
devices that are not available for financing elsewhere.
18
Appendix
Ⅴ. Appendix
Business Model : Device Registration at point of saleDevice resellers sell devices with an installment plan, enabling devices at point of sale,
to be managed by financial service providers through Knox Guard
20
Device Users
Financial Service Provider
· Such as Banks or Carriers· Purchases Knox licenses· Serves as IT admin for
Knox Guard
Device Reseller
· Such as Retailers or Carriers· Participating in KDP*
Check credit01
Upload device IDsat point of sales
02
Resell devices
- With installment plan- with signed terms & conditions
03
Control devices04
Could be the same company OR
Knox Deployment App(at the point of sales)
Reseller API/Portal
License Reseller
* KDP (Knox Deployment Program)
Financial Service Provider
· Such as Banks or Carriers· Purchases Knox licenses· Serves as IT admin for
Knox Guard
Device Reseller
· Such as Retailers or Carriers· Participating in KDP*
Device Users
Knox Deployment App(at the point of sales)
Check credit02 Upload device IDsin advance
01
Control devices04
Could be the same company
Reseller API/Portal
License Reseller
Business Model : Bulk Device Registration in Advance
21
Ⅴ. Appendix
Device resellers sell devices with an installment plan, enabled in advance,to be managed by financial service providers through Knox Guard
* KDP (Knox Deployment Program)
Resell devices
- With installment plan- with signed terms & conditions
03
Ⅴ. Appendix
Resources
22
Video Collateral
Flyer
Introduction 4:05
Demo 2:16
*Click the image to get to resources
Knox DeploymentProgram
Participating Resellers
Financial ServiceProvider
Carrier
Stakeholders and Responsibilities
Purchase· Devices from Knox Deployment
Program participating resellers( for bulk device verification )Licenses from Knox resellers
Sign up· For samsungknox.com · For Knox Guard
- Sign the License Agreement- Create a Knox Customer ID
Provide· Its Knox Customer ID to resellers
and add their Knox Reseller IDsto KG for verification
Administer· Remote Device Control for
Devices with Installment Plans
Sign up· For Knox Reseller Portal
- Sign the Knox DeploymentProgram Participation Agreement
- Create a Knox Reseller ID
Resell
Upload· Devices to Samsung server via Knox
Reseller Portal or Knox Reseller APIfor verification
Approve· Customer/reseller registration
or
Ⅴ. Appendix
· Devices to B2B customersLicenses to them together, optionally
End Customer and KDP Resellercould be the same company
23
End Customer
Knox Guard vs. 3rd Party Solution
24
Criteria Knox Guard 3rd Party Solution
IMEI falsification Protected Vulnerable
Data safetyProtected ( Status information of device, PIN, etc. are into TrustZone)
Vulnerable
TrustZone security Supported Not Supported
*Unofficial binary flashing ProtectedVulnerable (No Secure Bootloader based technology – Only OEM can manipulate)
APK disableProtected (Any attempt to disable or delete KG agent will automatically lock device)
Vulnerable
Firewall app attack(Network Filtering)
Protected Vulnerable
Device lock on Android GO Supported Not supported
* Unofficial binary(custom ROM) flashing is the most common way to root devices
Ⅴ. Appendix
End ofDocument