Back to top

Knox Authentication Manager

Last updated September 26th, 2023

Knox Authentication Manager is a managed app for shared Samsung devices that provides multiuser facial biometrics and sign-in automation for increased frontline worker productivity and safety.

Supported UEMs and management types

Knox Authentication Manager works with the following UEM solutions using fully managed devices with access to Managed Google Play:

UEM solution Main sign-in method
VMware Workspace ONE Launcher
Microsoft Intune Managed Home Screen
SOTI MobiControl Customer Azure AD credentials1 — devices must be in kiosk mode (Lockdown)
Samsung Knox Manage Customer Azure AD credentials1 — devices must be in kiosk mode

1 When using SOTI or Knox Manage with Knox Authentication Manager, you need an Azure account. If you don’t already have an Azure account, sign up on the Microsoft Azure portal page.

Required network capabilities

See below for the network requirements for Knox Authentication Manager:

  • Groups of devices must be able to communicate with one another through Wi-Fi for device-to-device syncing.
  • Devices must be able to reach Google Firebase to coordinate syncing (no subscription is needed).
  • If your enterprise is behind a firewall, you must add our Knox servers to your firewall’s allowlist. For details, see Firewall exceptions.
  • Since Knox Authentication Manager communicates with Firebase using HTTPS, you should add port 443, the standard port for HTTPS transmissions, and URLs that end with *.firebaseio.com to your firewall’s allowlist.
  • Knox Authentication Manager uses UDP and TLS protocols for device communication and data exchange over port numbers. The default ports for UDP are 49158 and 49159, and the default port number for TLS is 7788, but these ports can be customized. Add these ports, or the ones you set, to your firewall’s allowlist.

When you set up Knox Authentication Manager in your UEM, you need to create a shared key to encrypt and protect user profiles and device group communication. One way to generate this key is through OpenSSL. Mac and Linux users can run openssl rand -base64 24 in a terminal. Windows users first have to install OpenSSL. See the OpenSSL documentation for more information.

Required license

A valid Knox Suite license key is required to use Knox Authentication Manager. For more information, see Get started as an IT admin.

Additionally, to ensure that Knox Authentication Manager performs optimally, admins should configure specific Knox Service Plugin policies with their UEM. For more information on Knox Service Plugin requirements, see Get started as an IT admin and Knox Service Plugin.

Supported devices

Knox Authentication Manager is only available for select fully managed, devices running Android 12 or higher. For the supported devices, see the table below.

Device Platform/OS Knox version

Galaxy A13 series

Galaxy A14 LTE

Galaxy A23 5G

Galaxy A32

Galaxy A32 5G

Galaxy A33 5G

Galaxy A34 5G

Galaxy A52

Galaxy A52s 5G

Galaxy A52 5G

Galaxy A53 5G

Galaxy A54 5G

Android — Secured by Knox 3.9
Galaxy N20 series Android — Secured by Knox 3.9

Galaxy S20 series

Galaxy S21 series

Galaxy S21 FE

Galaxy S22 series

Galaxy S23 series

Android — Secured by Knox 3.9

Galaxy XCover Pro

Galaxy XCover 5

Galaxy XCover 6

Galaxy XCover 6 Pro

Android — Secured by Knox 3.9

Galaxy Tab S7

Galaxy Tab S8+

Galaxy Tab Active 3

Galaxy Tab Active4 Pro

Galaxy Tab S9 series

Android — Secured by Knox 3.9

Galaxy Z series

Galaxy Z3 series

Galaxy Z4 series

Android — Secured by Knox 3.9

Get started with Knox Authentication Manager

See the below pages for guided workflows of Knox Authentication Manager for new admins and end-users.

Is this page helpful?