Knox Active Protection (KAP)* is a set of security mechanisms that defend against mobile device attacks that attempt to modify, observe, or otherwise influence certain critical parts of the device operating system or its data. 

KAP is always enabled for enterprise users, that is, those users with an enterprise-managed Workspace. Through the Smart Manager app, non-enterprise users may optionally enable KAP to gain its benefits.

 Why is KAP disabled by default for non-enterprise users?

KAP introduces a very small change in performance which adds about one second to device boot up time.

 How does KAP work?

In the Knox 2.4 release, KAP includes two protection mechanisms:

1. DM-Verity which ensures the integrity of code and data in the system partition of the device FLASH storage. This partition is the only section of FLASH containing code having permission to perform privileged operations, hence the additional protection. Specifically, this partition includes all the Android code/data, preloaded system apps, and system daemon processes. It specifically does not include apps installed by the user or the associated user data.
2. Real-Time Kernel Protection (RKP) which detects and prevents unauthorized access to or modification of selected critical kernel code and data structures.

* Knox Active Protection features may vary depending on your device model. Future releases may change, optimize, or augment the functionality and performance of KAP based on real-world market feedback.