In Samsung Knox-enabled devices, there is a security mechanism that monitors during the device boot and in runtime if the device is ever rooted, and leaves an undeletable mark on a rooted device. Using this information, Knox Workspace determines if it’s safe to install or maintain the container on the device.
If an IT admin tries to create Knox Workspace on a rooted device, installation is denied. Unauthorized firmware on the device implies that there can be an unknown security hole, putting corporate data in the container at risk. Therefore, Knox Workspace is not installed unless integrity of the device is proven.
Likewise, even if Knox Workspace is already installed and activated, if the device finds out it’s rooted, it permanently locks the container as a possible security threat.