This feature addresses IT admin requests to delete a Knox Configure admin role with a pending, revoked or blocked state (any state but active). Prior to the role deletion, a message displays the intended admins impacted by the role deletion.
Existing administrators assigned to the role must be re-assigned to another role before the deletion can proceed. Any pending, revoked, or blocked admins assigned the deleted role are assigned a role of NoRole.
This feature further addresses customer requests to deploy wearable devices in areas where Wi-Fi is required to communicate with internal systems. Such customers need to connect to a staging profile, deploy a KC profile, exit Kiosk mode on the device, authenticate to an Enterprise Wi-Fi (EAP-PEAP), load a certificate, then redeploy a kiosk supported profile. Such deployments are not practically scalable for 30,000 devices.
To further support this request, additional TTLS+None and TTLS+GTC options have been added to the EAP options initially made available in Q4 2019.
Currently profile app update console notifications are not sufficiently clear. Specifically, when a failure occurs an administrator cannot discern the appropriate reason for update failure amongst the possible failure scenarios.
To address this issue, the failure notifications have been updated to provide a clearer explanation of the failure root cause. Unique failure notifications are now in place for the following scenarios:
Success and partial success notifications remain as previously implemented.
Currently, when a license activation end date changes its difficult to discern the new end date from the previous one.
To reduce end date confusion, the License <licenseName> activation end date has been updated from <PreviousActivationEndDate> to <NewActivationEndDate>.
To date, there is no way for a user to determine which version of WKC is running on their wearable device without looking at device logs. The Android version of KC resides in the device's Settings > Apps menu. However, WKC cannot access this information due to the structure of the Wearable Settings menu.
To address this issue, the WKC version number now displays in a more visible location within the device’s App Info screen for the benefit of those who need it.
The existing Hotspot 2.0 AP connection tooltip is lacking in sufficient detail to be truly helpful. To help remedy this uncertainty of this tooltip, it has been updated to read as follows:
"Seamlessly connect Hotspot 2.0 enabled Wi-Fi access points without needing a password. Hostspot 2.0 with be turned off automatically if “Do not allow” is selected. If you want to turn it on and prevent the user from changing this setting, please select Do not allow and Hide setting."
Continuing with this release, Knox Configure is providing admins additional schema-driven updates to remotely configure, change and manage device settings. These additional advanced profile settings are unique to Samsung device models, and are not provided by Android Enterprise. These settings are available to Normal, Setup and ProKiosk supported profiles.
These new profile settings are only available to devices running Knox version 3.4 and above. There is no change to existing Knox Configure profile configuration categories, but supported devices are exposed to additional new profile configuration options within these existing categories (Home & lock screen, Sound and display, Device connectivity, Device settings, and Security settings). These new profile configuration will be clearly identified as available to supported Knox 3.4 and above devices within the Knox Configure Admin Guide.
Admins have requested better Knox Configure battery life options to provide their device users an experience that avoid loops due to low remaining battery life.
With this release, an admin now can set a limit when the device battery stops charging once it reaches a maximum setting of 85% total power. This new setting is available within the Device settings portion of the profile configuration screen flow and is available to tablets devices only running Knox version 3.4 and above.
This enhancement helps admins better control battery thresholds while also providing a maximum change setting of 85% to avoid issue associated with keeping the tablet on its charger too long.
Customers are currently unable to deploy wearable devices in areas where enterprise Wi-Fi is required for internal communication. Requesting customers want to connect to a staging profile, deploy a profile, exit Kiosk mode on the wearable, authenticate into an Enterprise Wi-Fi (EAP-PEAP), pull-down a certificate, then re-deploy a Kiosk supported profile. However, this is not practical for deployments supporting thousands of wearable devices.
To remedy this issue, an admin can now create a profile and set its Advanced Wi-Fi setting's security type to 802.1x EAP (using either PEAP or TTLS). Once the admin associates target devices to this profile, they configure the deployment area’s Access Point resource with EAP as a hidden state. The admin then verifies that the configured devices have Wi-Fi connectivity.
The implementation of this feature affords administrators the ability to provision large numbers of EAP Wi-Fi supported wearable devices at once time and save a substantial amount time and money in the process.
To date, admins have requested the ability to download profile settings in PDF to review profile settings. Such admins report that a PDF provides an easier means to both review settings and use the output to create profiles in other accounts.
With this release an authenticated user can now download profile summary settings in PDF. The PDF output closely resembles the KC profile summary page displayed once a profile is configured and saved. A profile PDF can be generated from either the Profile configuration dashboard or the bottom of the Profile summary once the profile configuration is configured. The PDF does not exceed 5 MB, and has a UTC timestamp of the time it was downloaded. This enhancement affords admins an easier means to access profile configuration settings when creating profiles for other accounts, thus saving time and money.
To date, when a Knox Configure license expires, a profile is unassigned from its assigned device. However, customers often want to renew their existing license used by deployed devices, but when the license is renewed, customers are unable to re-assign their devices. Additionally, when an unassigned device is assigned a profile using a renewed license, the devices are consuming new seats even though they have activated the license before.
To remedy this license utilization issue, devices no longer consume new license seats when re-assigned to profiles using the same license. However, devices need to be manually selected within the KC console and re-assigned the license.
This enhancement enables customers to re-assign their unassigned devices to a profile and reuse a renewed license without consuming additional license seats, saving both time and money.
To date, there is no inactivity threshold to terminate a WebKiosk session and reduce exposure of sensitive user information when a Kiosk user does not properly end their session. To avoid the exposure of sensitive information, admins require a short inactivity value to close an open WebKiosk browser session and reduce the window sensitive financial information is exposed.
To reduce this exposure window, a WebKiosk browser session is now invalidated, closed, and reset to the home screen after 5 minutes of inactivity without an admin having to pre-define an inactivity timeout manually for the Kiosk supported profile. For more information on defining a WebKiosk mode configuration, go to: Kiosk mode support..
The date, the assigned license count is the number of devices activating a license, plus number of devices assigned to a profile using the license. To reduce reported confusion in the field, the assigned license count going forward will be the number of devices currently assigned a profile and use the KC License when assigned a profile.
Going forward, the following license utilization scenarios are supported:
For more information on Knox Configure license utilization and seat consumption, go to: License management.
To date, Android does not allow App updates using a signature different from the installed version of the App. To update an App on a device with a new version of an existing App, the existing App must be deleted. Consequently, issues have been reported after App versioning was made available for Knox Configure with the KCS 1.23 version release.
To remedy this issue, when an admin now uploads a new version of an existing App, if the signature is different than the signature of the existing App, the upload is rejected with a the display of a console error message. Additionally, when an admin uploads a new version of an App with the same signature as the existing App, then the upload is permitted. This should help streamline administration time when also ensuring version integrity is maintained.
To date, Knox Configure console tooltips are needed or require improvement for several dashboard, profile, device, and console configuration activities. New tooltips have been added to following Knox Configure console activities:
With this release, separate profiles are now configurable for Samsung devices that are not running Knox. Going forward, an admin will have the option of configuring a profile for Knox enabled Samsung devices (as is the default behavior currently), as well as Other Samsung devices without Knox.
When configuring a profile, an admin is not required to select a Knox version. The remainder of the profile configuration closely resembles the existing process and screen flow.
Profiles are only assignable to Other Samsung devices. When IMEIs are uploaded into the KC console, non Other Samsung devices will not be accepted into KC. The upload fails with an appropriate message that displays for either individual or bulk upload failures. The KDA enrollment of Other Samsung devices is not supported.
Beginning with this release, Knox Configure will begin providing enterprise IT administrators a schema-driven user interface, allowing admins to remotely configure, change and manage device settings. These settings are unique to Samsung device models, and are not provided by Android Enterprise.
With this release, only an Advanced features section will be added from the Deep Settings schema introduced with Knox 3.4. There will be no impact to existing profile configuration categories with this addition.
Additional Deep Settings features will be added into Knox Configure in the 4th quarter of the year.
This solution addresses requests from Enterprises who want to better assist customers in the lobby of their facility by presenting product descriptions, comparisons and demonstrations. Such Enterprises want to leverage tablets to create programs to better message their key services.
In particular, an admin can configure a ProKiosk mode profile to support the following tablet features:
For information on configuring a tablet for WebKiosk mode support, go to: Kiosk mode support.
With this release, the Knox Configure client will ignore shared device and E-billing configurations on devices running the Android Q version operating system and above. The Knox Configure console provides a warning for now unsupported status of shared device and E-billing on the Q version operating system.
If the shared device feature was already enabled on an existing device, and that device was FOTA updated to the Q version operating system, the shared device feature should be disabled when a newly applied profile has shared device disabled.
Starting with the P OS (Android 9.0), some APNs now require the mobile virtual network operator type (mvno_type) and mobile virtual network operator (MVNO) value (mvno_value) be set together. These mvno_type and mvno_value fields allow an APN configuration to be restricted when using particular MVNOs or subscriber accounts. Without this setting, custom defined APN configurations are selected according to MCC and MNC only, which specifies the mobile network a mobile device subscribes to, but not the particular retailer or reseller, or account on a network.
To address this new requirement, Knox 3.2.1 and 3.3 devices can have their mvno type set to one of the following options during profile configuration:
Currently, booting animation, and sound are not cleared from a wearable device as expected when the Set a custom booting animation option is unselected, and an update is pushed to the device. Additionally, if the Set a custom shut down animation is unselected and an update is pushed to wearable device, shut down animation should also be cleared, including sound.
To date, WKC always checked if existing animation was set by a previous WKC profile, and would not remove it if set for a previous profile. To remedy this situation, users can now remove booting or shutdown animation separately by ensuring either option is not selected when pushing an update.
To date, when a wearable device has 15% power or less remaining and is in a Profile assigned state, enrollment is halted when authenticating after accepting the terms of the EULA. Once the wearable device is rebooted, the expected result is to resume enrollment. However, enrollment is not resumed after power save is enabled and then disabled before reaching an activating license state.
To remedy this enrollment problem, power saving is disabled, then enabled back after license activation so enrollment is not interrupted.
To date, if you upload a new application into a profile, it is not selected automatically. You need to click the application icon again to ensure the expected check mark appears. This can be confusing, since the reason applications are typically uploaded is to deploy it immediately with an update.
To remedy this confusion, with this release a newly added, but not selected, application will be added as long as the application version is added as well.
In Kiosk mode, when customers select Hide Status Bar from the Home & Lock Screen they believe this action will hide the status bar, but it is still available when dragged down.
To remedy this confusion, the tooltip has been updated to the following, “This method shows or hides the status bar. If the status bar is hidden in normal mode, every application will use the entire display space for itself. Notifications will therefore be hidden from the user. The status bar will still be available if you drag it down. The Soft Navigation bar will be hidden from the user as well and available if you drag it up.”
When there are no profiles in an account, the dashboard should show a Create profile button in place of the profile widgets.
Beginning with this release, when there are no profiles in an account, the dashboard displays a Create profile button instead of the profile widgets. Selecting it starts the profile creation screen flow. If there are profiles in the account, the button displays Select profile to pin here. Selecting it displays a popup where user can add profiles to add to dashboard.
For more information, go to: Dashboard.
Currently, some error or partial success messages (portal responses) are inconsistent and do not provide sufficient enough information for users to understand and perform troubleshooting workarounds. Consequently, they need to be updated with sufficient information users will be find beneficial.
Going forward, fragmented portal responses will be combined when practical into a more meaningful single response string. Additionally, if an event has an error log entry associated with it, the log will be cited for additional information. Lastly, an additional response will be added to certain response strings to “Please try again later and if the problem persists, contact the Samsung Knox support team.”
Currently, when creating a Knox Configure profile, a KDA License key cannot be selected if the date is before the set Activation Date.
To address this shortcoming, the license drop-down menu will now include applicable licenses (both active with remaining seats), as well as licenses that have yet to start. If a user tries to KDA enroll a device with a license that hasn’t started yet, a license error code will be created and displayed for the device user.
With this release the Knox Configure activity log now provides better event status for administrative role updates. The following updates are now included:
When uploading animation into the KC console, a user selects PNG images, adds animation values selects the Generate button. However, when attempting to upload 2-30 images and selecting Generate, it often appears the animation upload is not loading properly. The animation creation popup no longer displays, but the animation progress indicator appears to be processing normally.
To resolve this potential confusion, the animation upload processing time has been substantially decreased. This should help reduce the confusion as to whether the animation upload is stuck when processing a large number of files
This option is only supported with Dynamic edition Knox Configure profiles upon the agreement of a disclaimer. The disclaimer displays upon the creation of each profile, but only one confirmation is required per profile.
To date, users are reporting confusion by the messaging displayed when uploading an invalid CSV file supporting bulk invitations. Specifically, there is no adequate workaround instructions for invalid input within the CSV file template that would help users properly prepare their CSV file.
To remedy this confusion, additional guidance has been added to the CSV file template (downloaded from the Knox Configure console's Bulk invite administrators screen) to reduce user uncertainty. Specifically, the following additional information has been added to the CSV template:
To date, the Knox Configure console has utilized an incomplete set of tooltips for status and event indicators. While the following new set of tooltips do not satisfy the complete list of tooltips needed, they do provide a more thorough set. New tooltips include:
To date, there is a separate View link for each upload displayed on the Dashboard that, when selected, efficiently navigates to the single upload page. Additionally, for licenses there is a View all link that, when selected, navigates to the Licenses screen. However, when there is an alert issued for license, the user cannot properly review the individual license directly, and must manually navigate to the Licenses screen and locate the impacted license.
To remedy this shortcoming, the View all link has been removed from the Licenses screen and replaced with individual View links for each displayed license. When selected, a License details popup displays on the dashboard for the selected license without having to manually navigate to the impacted license.
To date, the Library screen’s Media tab displays an empty page when there is no media content available. This is of no assistance to users with no idea how to add media.
To remedy this issue, the Media tab has been enhanced with helpful information, testing recommendations and an image that should be of better assistance when an empty Media tab is encountered.
To date, a user cannot include a description when they add a new version of an existing application using the Library screen’s Add application version option within the ACTIONS drop-down menu.
To remedy this shortcoming, a user can now provide a description when adding a new version of an existing application. The description is helpful to an admin who may be finding it difficult deciding which version to utilize with an existing profile.
To date, a customer has been unable to skip the Knox Configure enrollment screen to optimize the device users enrollment experience.
With this new implementation, only the welcome screen is skipped. If the user reboots their device, they will be navigated to the EULA screen once again, regardless of whether they have previously accepted it or not.
This option is only supported with Dynamic edition Knox Configure profiles upon the agreement of a disclaimer. The disclaimer displays upon the creation of each profile, but only one confirmation is required per profile.
With this release, admins can now customize their device user's enrollment screens to provide a more consistent experience across the screen flow, and minimize the time required to download required files.
With this new streamlined approach, background images and logos are shared for each screen in the enrollment flow, with the exception of screens requiring configuration input. Support links are optional, and can be removed by the customer. The text within the welcome screen remains customizable.
If a customer does not want to customize the screens, the default Knox Configure enrollment screens are used, and default Knox Configure images are renewed for use.
To date, the current device configuration screen displays detailed app and file download information at different completion intervals. This has resulted is confusion for B2B2C customers who lost perspective as to the significance of each reported download.
To remedy this situation, only a single simplified progress bar now displays in the foreground during configuration that reports cumulative app download and file progress at 10% increments. Background configuration items are not included in the displayed progress number.
Currently, applications display in the app list without their current version information. Consequently, if there are several versions of an application, they each display separately and are difficult to differentiate for potential device updates.
To help resolve this confusion, apps are now listed separately, with each displaying its current app name, description. profile assignment, size, and date of last modification. Additionally, one Knox license is used for an application, not each version of the same application.
Admins can now easily update an application's version within the Knox Configure Library screen by selecting the higher version of the app if the current version is not the latest.
To date, a default icon displays when a bookmark shortcut is added by Knox Configure to a device homescreen. This default icon is supposed to change to a permanent icon when the device user visits that page using their device browser. However, the actual behavior is no icon change at all.
With this release, a bookmark added by Knox Configure appears uniquely from those added by the device's supported browser(s) to better differentiate Knox Configure added bookmarks.
If a locked device is deleted by a customer, reseller, or the Samsung Knox Team. a push notification for enabling a factory reset is sent to that device, and the device user can factory reset it in recovery mode. However, if a push notification is delayed or not sent at all due to network issues, the device user cannot use the device until the notification is received.
To remedy the situation, the passcode for the Locked device is now retained within the device deletion log when the device is deleted, and no status change is reflected in the log.
With this release the activity log has been enhanced to provide a broader range of administrator event changes. These administration events include administrator invitations, resent/ reactivated/revoked invitations, and deactivated/reactivated accounts.
To date, the blue light filter has not been working properly for devices that utilize a software blue light filter (SM-T580 and SM-A105G). To provide additional coverage for this potential issue, the existing tooltip has been updates as follows:
"The Settings menu and quick panel might not reflect the selection made here, but the policy will be applied. And, this feature may not work properly in some device which use a S/W blue light filter. It is recommended to test before deployment."
This KCS enhancement addresses customer requests to assign an administrator view only permissions. Once assigned, no profile configuration, device management, license, or reseller administration is permitted, just view only access.
When a View only radio button is selected, all nested options under that category (Profiles, Devices and Uploads etc.) are disabled. Additionally, if a radio button has nested options, and that category does not have View only selected, at least one of its permission checkboxes must also be selected.
New roles have View only enabled by default.
In response to Italian customer requests, customers and subsidiaries in Italy have requested the ability to update Italian text with their own regional translations. Impacted areas of the console include:
To date, the KC console displays an error message when a customer registers an application to Galaxy apps and doesn't select Korea from the supported country list or does not select certain devices. With this release, a package name is now added without error when it has registered in Galaxy apps with a StubAPI permission.
To date, an IT admin cannot adequately determine the cause of an app upload failure, since the current messaging is too general to drill-down to specific causes. With this release, the error code definitions have been refined to be more informative to an actual event and now enable an It admin make more informed corrective actions.
To date, if a device was configured, or failed to be configured, a profile snapshot displays when a user clicks on the profile name in console’s Devices tab. If the applied profile is not the latest, its version displays in red beside the profile name. However, in snapshot view, there is no difference between latest one and old one, except for a version mark, and the user is often confused as to the correct version.
To date, when a profile is selected from within the console’s Profiles tab, the Delete profiles option is disabled from the Actions drop-down menu, even though the profile is not assigned to a device. The user, not knowing the reason this option is disabled, is understandably confused.
To remedy this situation, the user must consent to the profile deletion within a pop-up message. However, if there are any default profiles selected for deletion, a message displays stating they cannot be deleted since they have already been uploaded by the listed reseller.
Currently, when a user selects 20-30 images, adds animation values, and selects the Generate button, the animation progress indicator keeps running perpetually. Consequently, it appears as if the KC console is hung in the middle of an animation generation and upload operation and inoperable.
To help rectify this confusion, animation upload performance has been improved to reduce the time the console appears to be inoperable while generating and uploading images.
To date, admins have been only able to delete a single obsolete or unused media file at one time from the console's media library. With this release, IT admins can now select and delete multiple media files from within the KC console as long as the files are not associated with any profiles.
This feature only supports the deletion of multiple qmg formatted media files, and does not include mobile and wearable applications.
Inconsistencies have been noticed between the use of BLUETOOTH Enrolled device within the console’s Device log and Uploaded via Bluetooth within the Device details screen. As result, there has been reported confusion as to whether these two text strings are conveying the same message.
To rectify this inconsistency and avoid confusion, Uploaded via Bluetooth has been removed from the Device details screen’s Order number field (and replaced with a tag), and the text string within the Device log is now changed to Device enrolled via bluetooth using Knox Deployment app. Similar console text refinements have also been made for NFC and Wi-Fi enrollments.
To date, there’s no option within the KC console to add a license key when configuring a profile to use with the Knox Deployment App (KDA). When configuring a profile in KC, the KNOX DEPLOYMENT APP SETTINGS field License drop-down menu only provides a means to select an existing license for a KDA enrolled KC profile.
To remedy this situation, a new Enter License Key option has been added within License drop-down menu. The Enter License Key option can be selected when there are no profiles available to automatically move to the Enter license key screen. From there, a License name and License Key can be added that then become available for selection from the License drop-down menu.
To date, an admin is unable to invite another admin belonging to a different Knox Cloud Service.
With this release, a Super Admin or an admin with Admins' permissions can now invite an admin belonging to a different service to a role in their service.
For example, Admin 1 belongs to just KC with a non-Super Admin role. Admin 2 belongs to KME with a non-Super Admin role, but has Admins' permissions. Therefore, Admin 2 can invite Admin 1 to join KME for any role for which Admin 2 currently has permissions.
The feature addresses IT admin requests to only use the KDA for enrollment into Knox Configure, and not access any of the KCS portal resources (including the KC console). When relying exclusively on the KDA without the Knox Configure console, an admin must log into the KDA, choose a service (KC, KME, KG, etc.), select a profile, pair the master/admin device with the target device, and assign the profile to the target device.
Additionally, a KDA access permission option has been added to the Knox Configure Create role screen, to provide administrators the ability to grant permission to enroll devices directly into Knox Configure using the KDA.
This feature addresses customer concerns to only activate a setup edition license once each device is actually activated. This enables customers to utilize licenses more efficiently, since a customer may not initially use Knox Configure after it is purchased, or deploy devices at the same time.
Using this new Per Device Staggered license type, a customer creates a Setup edition profile and assigns devices per usual. They then however select the Per Device Staggered license type and ensure each activated device has a different expiration date based on the device's activation date.
Existing KC SKUs will be kept as is, and are not immediately impacted by this change. Official notice will be shared with KC console users via email and console notifications two weeks prior to this release.
This feature enables customers who want to revoke a license on one device in order to use the license, “per seat,” on another device with the same dynamic edition profile. For example, an IT admin may want to revoke an ex-employee’s license so they can utilize that revoked license on a different device using that same Dynamic edition profile. Utilizing the revoked license increases the available license count and improves license provisioning efficiency with the Dynamic edition profile.
Existing KC SKUs will be kept as is, and are not immediately impacted by this change. Official notice will be shared with KC console users via email and console notifications two weeks prior to this release.
To date, a profile and an assigned license were linked, so a profile could not be created without a license assigned. With this release however, a profile and an assigned license are no longer linked, and each device follows the behavior of the license types they belong to. Legacy SKUs and new license SKUs can now be used together in the same profile. If necessary, a profile can be created and saved without a license assignment.
With this release, a license can now be assigned for the KDA at profile creation as an optional step within the console Profile information screen. Licenses utilized with legacy profiles that were created prior to this release will be automatically migrated to the KDA licenses. Only one license can be designated for the KDA, so if it consumed or expired, an admin will need to assign another one. No license selection workflow is available with the KDA. Instead, a predefined license is used for the KDA uploaded devices.
This Knox Configure console enhancement permits IT admins to enable/disable device users from accessing and using carrier data when roaming.
A new Default Data roaming settings drop-down menu within Profiles > Device Connectivity includes Keep current settings (the default setting), On, and Off. If Off is selected, the drop-down menu is disabled. This feature is supported on Dynamic edition Knox Configure profiles in normal mode. Selecting On and using mobile data when roaming could result in additional charges.
This feature addresses IT admin requests who do not want their device users distracted when accessing and reviewing status bar notifications at work or driving a vehicle.
Specifically, this feature provides a Knox Configure console addition within Profiles > Applications and Content to optionally disable notifications, including both pop-up notifications and status bar notifications for:
This feature is supported on Dynamic edition Knox Configure profiles in normal mode.
To avoid the further escalation of Knox Configure administrative roles and permissions issues, an existing admin who does not have the ability to manage the roles of other admins now has additional restrictions regarding the roles they can assign to other administrators.
With this release, existing administrators can only invite admins with a matching set of their own permissions. The Invite administrator screen's Role drop-down menu options have been customized to reflect the role of the admin creating an administrator invitation. If an admin cannot invite and manage administrators themselves, they cannot assign that permission to other admins.
This feature addresses administrator requests to disable a device's SIM slot 2 to achieve control over a device's SIM bays, and stop users from inserting personal SIM cards in dual SIM devices. This enhancement is in particular demand in both Government and Public sectors.
This feature is supported on Dynamic edition Knox Configure profiles, and devices running Android P OS and above (Knox version 3.2.1 and above).
This feature has been added in response to education and vertical customers who have requested blue light filter settings be added as profile configuration options. The blue light filter is helpful to reduce device brightness at night when trying to sleep.
The Turn on now setting is profile configurable, as is the Opacity setting. This feature is supported in both Setup and Dynamic edition Knox Configure profiles.
With this release, the GPS option is removed from the Device connectivity section of the KC console and replaced with Location for Android P. All related APIs are deprecated. The same GPS parameters as previous will still remain within the console, but they will be changed to Location parameters.
This feature is supported on Knox version 2.9 and above devices with both Setup and Dynamic edition profiles. All new KC version 1.19 profiles will have this user interface update, and previously created profiles will retain their legacy GPS settings for backward compatibility.
This enhancement enables administrators to customize boot animation by uploading images and setting the appropriate image rotation, dithering level and size. Once created and uploaded, an admin can preview and verify the animation before assigning to devices. When added into the console, the animation is available as a .qmg file for profile assignment and a MP4 file for preview within the console.
Once verified, an admin can create a profile with relevant settings and add the animation file. The admin can then push the profile to specific assigned devices and check to ensure the devices are configured properly with the animation file.
This feature addresses customers reporting difficulty recovering unassigned devices due to license expiration without adequate expiration messaging. SLM license expiration warning emails are typically sent incrementally months in advance of the actual expiration date, but the email recipients may not be the appropriate admins responsible KC license administration. Therefore, with this release, KC will send email reminders to IT admins 2 months, 1 month, 2, weeks, and 1 week in advance of the license expiration date. A typical reminder email contains the license name, type, license key, license key quantity and validation period.
This new email notification enhancement is supported on both Setup and Dynamic edition KC profiles, and new “per seat” Dynamic edition profiles.
This release introduces a new enrollment option in addition to the existing KDA Bluetooth and NFC enrollment options. Wi-Fi direct supported devices can connect directly to one another via a WLAN without joining a traditional wireless network or Wi-Fi® hotspot. Once enabled, the device automatically scans for other supported Wi-Fi direct devices. Once discovered, specific devices can be selected for enrollment data transfers.
With Wi-Fi direct, only out-of box trigger deployments are supported. Trigger deployments utilize a plus sign (+) gesture on a device's Welcome screen to start an out-of-box deployment and bypass the setup wizard.
To utilize the Wi-Fi direct option, the receiver device must be utilizing Knox version 3.2 or above. Additionally, only Note9 and Tab S4 and above devices are supported. Wi-Fi direct is not supported on wearable devices.
This release introduces a new Role-Based Access Control (RBAC) service allowing customer (tenant) admins that are responsible for account creation (Super Admin) to assign more refined role permissions to individual admins as their specific enterprise requirements dictate. Though KC utilizes admin roles unique to the KC service specifically, the Super Admin role cuts across all supported services.
With the new RBAC service, existing customers will have their administrators migrated automatically. Administrators with their own unique set of permissions (manage administrators, delete devices etc.) will be assigned new roles that map to their current permissions. If needed, new roles beyond what the migrated admins are currently assigned can be created based on a list of permissions unique for each service.
The only role that cannot be assigned is the Super Admin role, which applies across all supported services. Only one person can assume a Super Admin role per company. Upon migration, the Super Admin role is assigned to the person who originally created the customer account. The Super Admin role receives every permission option available. For more information on creating an administrator and assigning them roles and permissions, go to: Manage administrators.
This feature introduces a new device deletion concept when KC is utilized with Knox Guard. If a device is only used with KC, its removal is a typical hard deletion, and the device is removed from KC and the Reseller Portal.
However, if a device is used with both KC and Knox Guard, it is deleted from KC only (soft deletion), and remains in Knox Guard.
This feature addresses customer requests to Prevent user from changing the WiFi on/off settings and Allow device to switch from WiFi to mobile data when necessary. These new options have been added to existing device profile WiFi Device Connectivity settings. These new options help large enterprise deployments where it’s not scalable to manually make WiFi changes per device.
This feature is supported with both Setup and Dynamic edition Knox Configure profiles on devices running Knox version 2.7.1 and above
This enhancement addresses customer requests to disable a mobile device’s mock location capability that, when enabled, displays disguised data, as opposed a device’s actual location data. To support this requirement, a new Disable mock location option has been added to the Device connectivity field’s LOCATION area (formally GPS). Selecting this option disables mock location applications within the device Develop options.
This feature is supported on Dynamic edition Knox Configure profiles only (both normal and ProKiosk modes), and on devices running Knox version 2.7.1 and above.
To date, the existing Clear all shortcuts from Home screen option does not clear favorite applications as expected by some of our customers. To remedy this situation, a new Clear all favorite applications from the Home screen option has been added to the Home & Lock portion of the profile configuration user interface flow.
This new feature is available to both Setup and Dynamic edition Knox Configure profiles on devices running Knox version 2.7.1 and above.
Beginning with this release, the KC console’s Applications list now displays selectable application cards to optionally view detailed information about the selected application. The application description can be modified and saved as needed within the application details popup screen. Additionally, the license can be updated if it was selected during device upload. However, license changes will not apply to existing KC profiles. If a Google Play or Galaxy application is selected, the data listed within the Application details screen is limited.
To date, users must refresh a page manually to view its latest status. This has resulted in an undesired user experience, and can result in unnecessary or repeated device actions. To remedy this situation, the Knox Configure console now auto-refreshes when certain status updates are detected. The following actions and events now result in an auto-refresh within a currently displayed Knox Configure screen:
To date, the Knox team has received numerous suggestions on how to improve the Knox Configure console’s notification efficiency. To date, the notification center retains notifications for just one login session. When a user logs out, notifications are cleared, and when they log in again, new notifications are triggered as applicable. However, holding notifications for just login session is too limited and can result in missing important notifications.
To remedy this issue, notifications now disappear 7 days after being read or acted upon, depending on type of notification.
To date, Knox Configure can factory reset specific IT admin selected devices. However, customers have also requested the ability to reboot selected devices. With this release, factory reset and reboot are both available for devices in a Configured, Updates pushed, or Failed to configure status. A reboot is triggered without prompting for user consent.
This feature is available for Dynamic edition Knox Configure profiles (both normal and ProKiosk mode) on devices running Knox version 2.7.1 or above.
This enhancement provides a new screen notifying a device user of special access permissions assigned by the admin for specific apps.
To date, APN settings have only been supported in Knox Configure Dynamic edition profiles. However, numerous customers have requested APN setting be made available in Setup edition Knox Configure profiles as well. With this release, the same APN settings available for Dynamic edition Knox Configure profiles are now available for Setup edition profiles.
To date, Knox Configure supports Keyboard settings in ProKiosk mode. However, customers have requested a feature to switch off predictive text, but keep keyboard settings enabled. As a result, the ability to switch off predictive text has been added to this release.
This feature is now available for both Setup and Dynamic edition (Normal mode only) profiles on devices running Knox version 2.7.1 or above.
This enhancement enables admins to enable and disable the auto-fill forms option within the Samsung Browser. Admins can now enable/disable the Browser auto-fill forms option within a Dynamic profile’s Browser settings field within the Knox Configure console.
This feature is available for Dynamic edition (Normal mode only) profiles on devices running Knox version 2.7.1 or above.
To date, device content is downloaded during device configuration.
With this feature, content is downloaded in the background by default, but selected Knox Configure content specified within the Download content during configuration is downloaded during device profile configuration.
With the Knox 3.0 version release, ringtone settings were no longer supported as a Knox Configure profile configuration option, but the parameter for selecting ringtone remained in the console, creating confusion for administrators.
To remedy this confusion, a tooltip has been added to the Knox Configure console explaining that the Ringtone option is no longer available for devices running Knox version 3.0 or later. This makes this configuration option available to legacy Knox versions while explaining its lack of availability on new Knox versions.
With this release, an option to Request end user consent to updated terms and conditions has been added to the Terms and Conditions portion of the profile configuration within the Knox Configure console.
When selected, end users must agree to the updated Terms and Conditions before these terms are committed to their device. If this option remains unselected, any updates to the Terms and Conditions are passed to the device user with the Knox Configure profile whether they agree to these terms or not.
Currently, users may not know how the search function optimally works within the Knox Configure console. The console’s search capabilities are case insensitive within most tables, but case sensitive in some tables, such as the Devices tab, since the vast number of devices require case sensitivity. A partial match search is supported for each search parameter, but an exact match is applied to a device IMEI/SN. Additionally, a blank space between search keywords means an AND condition
The following are the tabs within the Knox Configure console, and the searchable columns or parameters within each. These will be better described in the Knox Configure User Guide beginning with this release:
DeX mode configuration is now available with Knox Configure on devices running Knox version 3.2 or higher. Samsung DeX is a unique product that lets you use your phone as if it were a desktop computer. Both Setup and Dynamic edition Knox Configure profiles are supported, but not ProKiosk mode profiles.
The following device platforms support DeX mode with Knox Configure:
To date, a customer cannot update the Terms & Conditions portion of their EULA after a profile is configured and applied to the device. With this release, revisions to the Terms & Conditions are now available after the profile has been applied to a device.
With this feature, a device reboot is no longer required to enter into ProKiosk mode when enrolling in Knox Configure or conducting a push update. This feature is only supported on devices running Knox version 3.2 or above. Just a Knox Configure device agent update is required to implement this feature.
This feature addresses customer requests to disable their native Samsung device Contacts app and use a 3rd party Contacts app as an alternative. This provides greater flexibility and addresses customer concern for flexibility beyond Samsung’s default device options.
This feature addresses requests to prevent specific apps from closing or stopping for purposes such as battery savings.
With this feature, both the system and device user are prohibited from closing or stopping a listed app. This feature is supported with Dynamic edition Knox Configure profiles only, and not supported with Setup edition profiles.
To date, Knox Configure’s Chinese language support did not extend beyond Simplified Chinese.
However, Taiwanese customers have requested the Knox Configure console support Traditional Chinese characters (繁體字) as well. This Knox Configure release includes Traditional Chinese amongst the list of supported console languages.
The Samsung Knox team is introducing new versions of our industry-leading Knox Configure (KC), and Knox Mobile Enrollment (KME) consoles, as well as the Knox Deployment Program (KDP) to provide optimal uniformity amongst our growing family of device enrollment and configuration solutions.
The central update with each console is the introduction of a collapsible left-hand navigation menu, replacing the previous horizontal menu bar. This provides a visual-hierarchy of key enrollment and configuration console activities and administrator "call-to-actions."
The new Knox Configure console is personalized, with improved status updates from each user's previous login. Colorized status indicators optimally display "at-a-glance" event severity to administrate with best in class efficiency.
Currently, all applications are downloaded in the background by default after configuration. However, if some applications are related to other configurations, including the use cases noted below, they are downloaded during configuration.
To date, a push notification for an update is sent as soon as an IT admin clicks the push button. However, some customers have request the ability to send push notification updates at a specified, or scheduled time. With this release, admins can use a new scheduling facility to select a calendar date, time of day, and time zone when a push update occurs.
This feature allows IT admins to define which particular USB restriction classes to enable or disable for a configuration profile. Before this release, the USB interface was either enabled or disabled completely. This feature is supported on Knox 2.9 and above supported devices, and only using Dynamic edition Knox Configure profiles.
To date, there is no proxy Wi-Fi settings for a smart phone or tablet profile. With this release, proxy settings are supported for Wi-Fi with both phones and tablets, and not just wearable devices. A device can now connect to a specified network with credentials delivered by Knox Configure using a proxy to communicate externally.
IT admins have requested the ability to assign a profile automatically to devices uploaded by a specific reseller. With this release, customers can now reduce the number of profiles administrated by eliminating device model dependencies, this will help reduce their burden when assigning devices to profiles.
To date, Knox Configure supports an option to disable GPS, but location services can be supported with Wi-Fi and mobile networks. However, some customers have requested the ability to disable location services completely.
With the introduction of this feature, dynamic edition Knox Configure profiles have the option of disabling GPS, Wi-Fi and mobility network location services. This option is supported on mobile devices running Knox version 2.7.1 or later.
To date, a primary admin can only invite other admins manually, and only one admin at a time. This can be a cumbersome activity when numerous admins require an invitation. With this release, a CSV file can be read into the Knox Guard console to invite additional admins using their name and Email address.
Currently, when an IT admin adds a Google play app to a Knox Configure profile, its shortcut is included within the Recommended apps folders by default. This folder's name and directory can be changed by an IT admin, but customers have requested the ability to add the shortcut to the device’s home screen.
To address this issue, a Google Play application shortcut option has been added. The selected Google Play shortcut will display on the home screen.
Customers have requested a mechanism to disable the update of specifically whitelisted or blacklisted applications.
To address this issue, the Knox Configure profile “Applications and content” screen has been updated to include an Update blacklist/whitelist item where admins can list those specific applications they want to either include or exclude in an update.
Currently, a device’s configure.samsungknox.com page displays a GET LATEST button that states “Get latest configurations. Please make sure this device is already configured at least once.” Some customers report confusion as to the expected behaviour once the button is pressed.
To remedy this confusion, the button name has been changed to RE-ENROLL TO KNOX CONFIGURE. Additionally, the descriptive text displayed on the screen has been updated to the following: “Re-enroll to Knox Configure with latest configurations. This will remove KC agent from this device and enroll it to Knox Configure again. Please make sure this device is already configured at least once.”
Currently, an installation permission screen displays when a non Google Play application is installed using Knox Configure. The Knox team has received requests to remove this screen when installing and executing applications. To address the issue, an admin can now turn on and off each permission, permission exceptions now result in a warning and no longer block Knox Configure enrollment.
This enhancement enables the activation of a KLM or SKL license for application installed using Knox Configure. If using Knox SDKs, some applications still require Knox license activation. This enhancement reduces the burden placed on partners to implement Knox licenses within Enterprise application(s).
To date, numerous Knox Configure device screens have yet to improve from their legacy KCC design.
To address this, the Knox Configure out-of-box device experience has a simpler flow and user navigation, reducing the number of screens a user encounters when setting up their device. Additionally, the new UX provides detailed feedback of a device’s configuration progress for a better understanding of the steps involved and wait times, including app download and installation progress, and filename and download progress.
To date, IT admins are unable to optimally input configuration settings using the CSV file format. With this new feature, multiple inputs can now be provided with a CSV file or copy & paste, including:
To date, the APN, MNC and MCC were not distinguishable when selecting an AP resource for a profile’s E-Billing configuration. With this release, the KC console’s UX has been updated with more granular APN, MNC and MCC data per drop-down menu options.
Currently, when an error occurs during device enrollment, the enrollment process stops, regardless of the error type, and a failure is reported to the KC server. The current messaging is often inadequate to properly define the scope and severity of the issue that is stopping enrollment.
This implementation of this feature enables IT admin to better distinguish and categorize errors and warning messages during enrollment. Enrollment now continues when a warning occurs, but stops when an error occurs. The device log now has better descriptions and links to specific warnings and error conditions.
To date, when Knox Configure updates a device and the device’s ProKiosk mode has already been set by a customized app other than Knox Configure, a failure occurs regardless of the normal or ProKiosk mode profile type. However, if a normal mode profile is used, the Knox Configure update can be completed without a conflict with ProKiosk mode. To remedy this situation, a Knox Configure normal mode profile is now compatible with ProKiosk mode using a customized app with cSDK without a failure.
To date, a license can be entered only if the Knox Configure License name is unique to all customers. However, there is no way for a user to know if name is truly unique across all customer deployments. To remedy this problem, the License name duplicate check logic has been revised from all customer deployments to an individual customer's pool of licenses.
To satisfy a customer request, a second APN resource with the same APN resource parameters (name, apn, mcc, etc.), can now be configured and entered within the Knox Configure console. While adding multiple identical APN resources has been supported on the device-side for some time, it is only with this current release that an identical APN resource can be defined and made available within the KC console.
Currently, the Home screen grid options do not provide enough customer preferred choices. As a result, new 4x6 and 5x6 options have been included to provide administrators a better selection for a growing set of supported device models (such as the new GalaxyS9+).
Additionally, the grid selection drop-down menu has been moved into the Device screen preview field for better logical placement of the grid selection option.
This enhancement permits numerous bulk configuration operations within the KC console using a CSV file. Bulk configuration operations include assigning and un-assigning profiles, device deletions, locking devices, unlocking devices, and adding tags. To bulk configure devices, navigate to DEVICES and select BULK ACTIONS. Follow the directions on the right-hand side of the screen for preparing a CSV file with one device ID per row then add the CSV file into the portal.
In response to requests from both our internal and external user communities, this enhancement enables a Locked or ProKiosk mode device to remain in its current locked state or kiosk mode, even after the device profile is unassigned. To date, when a profile is unassigned from a locked or kiosk mode device, the locked state or Kiosk mode is released.
The Model field has been removed from profiles. Therefore, one profile can be assigned to different models types and users do not have to create a separate profile for each model. This also enables future profile enhancements such as "auto-profile-assignment".
To date, when an IT admin pushes an updated configuration profile, all devices or selected devices assigned to that profile can receive the configuration update. With this enhancement, an IT admin can select individual devices for push updates from the portal’s DEVICES tab. This helps admins update just those specific devices intended for an update, and exclude those devices that are not.
To date, when an IT admin pushes an updated configuration profile, each device utilizing this specific profile receives the update, whether intended or not. With this enhancement, an IT admin can select individual devices for push updates from the portal's PROFILES tab or at the time of profile modification. This helps admins update just those specific devices intended for an update, and exclude those devices that are not.
To date, KC permits just the package name for an application shortcut. However, some apps (like contacts) include several activities and appear as independent apps to device users. With this release, support is now available for providing an activity name when creating a shortcut. The KC agent will fail however if the shortcut is provided as just an activity name, since the client validates the entire package name string (for example, com.samsung.android.contacts.com.android.dialer.DialtactsActivity). As an interim solution, the KC agent checks if an activity name exists before passing it as a package.
To date, the Home screen index started from 0 in Galaxy S8 and later model devices. With other models, if the zero page is disabled, the home screen starts from 0. However, if the zero page is enabled, the home screen starts from 1. To remedy this situation, the home screen index is adjusted for better consistency for both shortcuts and widgets, regardless of the presence of a Zeropage.
In response to requests from both our internal and external user communities, this enhancement enables a Locked or ProKiosk mode device to remain in its current locked state or kiosk mode, even after the device profile is unassigned. To date, when a profile was unassigned from a locked or kiosk mode device, the locked state or Kiosk mode was released.
Currently, there is no on/off setting in the Knox Configure portal for Bluetooth discoverable mode, only a means to either enable or disable Bluetooth. Discoverable mode is a Bluetooth device state that enables Bluetooth devices to search, connect and transfer data amongst other Discoverable mode enabled Bluetooth devices. The addition of Bluetooth discoverable mode with this release is just for Dynamic edition Knox Configure profiles in either Normal or Kiosk mode.
If an IT admin disables Bluetooth discoverable mode, the discoverable mode remains off even if the device end user enables Bluetooth on their device. If an IT admin wants to turn on Bluetooth discoverable mode on an end user’s device, they uncheck the Disable Bluetooth discoverable mode option in Knox Configure. Once enabled in Knox Configure, discoverable mode remains on, even if the end user turns off Bluetooth on their device.
To date, there is no parameter to differentiate Enterprise Edition profiles within the Knox Deployment App. To resolve this confusion, the Knox Deployment App now correctly lists Setup, Dynamic or Dynamic EE as the profile type to better categorize profile types.
Currently, the Knox Configure Feedback form is frequently used by customers to report technical issues with the portal, as opposed to a form for general feedback to improve their Knox Configure portal experience. To resolve this issue, links have been added into the Feedback form to route customers to the proper Support resources for filing a ticket. This update keeps the feedback form dedicated to portal improvements and not a resource for filing and escalating individual customer support issues.
This feature enables an IT admin to define an application as a device kiosk mode home activity. ProKiosk mode requires the home activity support and run a single application.
From the Home & Lock screen's Home activity drop-down menu, select the + Add a pre-installed application option. The resulting pop-up allows a user to enter a valid package name in the input field. Once submitted, the provided application is available for selection within the home activity drop-down menu.
To date, only active KLM keys could be added within the Knox Configure console. Consequently, inactive KLM keys could not be added and registered to a Knox Configure server before their actual activation date. To satisfy customer requests, an IT admin can now add a new KLM license (but not an inactive license) before its actual SLM activation date, enabling the admin to optimally register the license and assign a profile and devices before the license activation date. A pop-up warning message will be included to communicate the activation date for the license has not yet started.
With this enhancement, an IT admin can customize a ProKiosk device's keyboard settings by turning On/Off predictive mode or enabling/disabling keyboard settings.
The Predictive mode setting and Keyboard setting options function independent from one another, so there are no constraints on using these options together.
Related API options are available within Knox Customization SDK.
To date, when a device lock is applied, there was no option but to make a call to the number predefined by an IT admin. This posed a significant problem for users in an emergency, since they may not be able to reach out to an appropriate emergency responder.
The new EMERGENCY CALL button provides a means of contacting a default emergency resource when a device PIN cannot be provided and the device unlocked.
The following KC console enhancements are included in this release: