Knox Authentication Manager
Last updated November 14th, 2024
Knox Authentication Manager is a managed app for shared Samsung devices that provides multiuser facial biometrics and sign-in automation for increased frontline worker productivity and safety.
Supported UEMs or EMMs and management types
Knox Authentication Manager works with the following UEM or EMM solutions using fully managed devices with access to Managed Google Play:
Solution | Main sign-in method |
---|---|
VMware Workspace ONE | Launcher |
Microsoft Intune | Managed Home Screen |
SOTI MobiControl | Customer Microsoft Entra ID credentials¹ |
Samsung Knox Manage | Customer Microsoft Entra ID credentials¹ |
Required network capabilities
Knox Authentication Manager has the following network requirements:
- Groups of devices must be able to communicate with one another through Wi-Fi for device-to-device syncing.
- Devices must be able to reach Google Firebase to coordinate syncing (no subscription is needed).
- If your enterprise is behind a firewall, you must add our Knox servers to your firewall’s allowlist. For details, see Samsung Knox firewall exceptions.
- Since Knox Authentication Manager communicates with Firebase using HTTPS, you must add port 443, the standard port for HTTPS transmissions, and URLs that end with `.firebaseio.com` to your firewall’s allowlist.
- Knox Authentication Manager uses the UDP and TLS protocols for device communication and data exchange. The default ports for UDP are 49158 and 49159, and the default port for TLS is 7788, but these ports can be customized. Add these ports, or the ones you set, to your firewall’s allowlist.
- Knox Authentication Manager relies on the Network Time Protocol (NTP) to determine the most up-to-date user profile when performing device-to-device syncing. You’ll need to provide a firewall exception on your network for `time.android.com` on UDP port 123 in order to communicate with the NTP server.
When you set up Knox Authentication Manager in your UEM or EMM, you need to create a shared key to encrypt and protect user profiles and device group communication.
- Mac and Linux users can generate this key using OpenSSL. Run `openssl rand -base64 24` in a terminal to create a shared key.
- Windows users can generate this key using OpenSSL or Windows PowerShell:
  - Download and install OpenSSL. Next, run `openssl rand -base64 24` in a terminal to create a shared key.
  - Alternatively, run the following code in Windows PowerShell:

    ```powershell
    # Generate 24 random bytes
    $randomBytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($randomBytes)
    # Convert to base64 string
    $base64String = [Convert]::ToBase64String($randomBytes)
    # Output the result
    Write-Output $base64String
    ```
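The following shell sketch is an added example, not Samsung code: it writes a key produced by the documented OpenSSL command to a file only the current user can read, and checks a key string before it is pasted into the UEM or EMM. It assumes a well-formed key has the shape that command produces (24 random bytes, which is 32 base64 characters with no padding); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Samsung code. Function names are hypothetical.
# Assumption: a well-formed shared key has the shape produced by the
# documented command `openssl rand -base64 24`: 24 random bytes, which
# encode to exactly 32 base64 characters with no '=' padding.

# Write a new key to the file given as $1. The umask makes the file
# readable by the current user only, and the key never appears in
# terminal scrollback.
new_shared_key_file() {
    ( umask 077 && openssl rand -base64 24 > "$1" )
}

# Check the key string given as $1. Prints "ok" and returns 0 when the key
# is well formed, otherwise prints the reason and returns 1.
check_shared_key() {
    key=$1
    # A truncated paste, or one that picked up extra characters, has the
    # wrong length.
    if [ "${#key}" -ne 32 ]; then
        echo "expected 32 characters, got ${#key}"
        return 1
    fi
    # Anything outside the standard base64 alphabet is rejected. This also
    # catches spaces, a carriage return copied from a Windows console, and
    # '=' padding, which a 24-byte key never has.
    case $key in
        *[!A-Za-z0-9+/]*)
            echo "character outside the base64 alphabet"
            return 1
            ;;
    esac
    # 32 unpadded base64 characters always decode to 24 bytes, so no
    # separate decode step is needed.
    echo "ok"
}
```

For example, after `new_shared_key_file knox-shared.key` (a constructed file name), run `check_shared_key "$(cat knox-shared.key)"` before copying the value into the console.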
Required license
A valid Knox Suite license key is required to use Knox Authentication Manager. For more information, see Get started as an IT admin.
Additionally, to ensure that Knox Authentication Manager performs optimally, admins should configure specific Knox Service Plugin policies with their UEM or EMM. For more information on Knox Service Plugin requirements, see Get started as an IT admin and Knox Service Plugin.
Supported devices
Knox Authentication Manager is available for select Samsung Secured by Knox devices running Android 12 and higher, in an enterprise deployment. For a full list of compatible devices, see Devices secured by Knox.
Get started with Knox Authentication Manager
See the below pages for guided workflows of Knox Authentication Manager for new admins and end-users.
¹ When using SOTI or Knox Manage with Knox Authentication Manager, you need an Azure account. If you don’t already have an Azure account, sign up on the Microsoft Azure portal page.