
Knox Authentication Manager

Last updated December 7th, 2023

Knox Authentication Manager is a managed app for shared Samsung devices that provides multiuser facial biometrics and sign-in automation for increased frontline worker productivity and safety.

Supported UEMs and management types

Knox Authentication Manager works with the following UEM solutions using fully managed devices with access to Managed Google Play:

| UEM solution | Main sign-in method |
| --- | --- |
| VMware Workspace ONE | Launcher |
| Microsoft Intune | Managed Home Screen |
| SOTI MobiControl | Customer Azure AD credentials¹; devices must be in kiosk mode (Lockdown) |
| Samsung Knox Manage | Customer Azure AD credentials¹; devices must be in kiosk mode |

¹ When using SOTI or Knox Manage with Knox Authentication Manager, you need an Azure account. If you don’t already have an Azure account, sign up on the Microsoft Azure portal page.

Required network capabilities

See below for the network requirements for Knox Authentication Manager:

  • Groups of devices must be able to communicate with one another through Wi-Fi for device-to-device syncing.

  • Devices must be able to reach Google Firebase to coordinate syncing (no subscription is needed).

  • If your enterprise is behind a firewall, you must add our Knox servers to your firewall’s allowlist. For details, see Samsung Knox firewall exceptions.

  • Because Knox Authentication Manager communicates with Firebase over HTTPS, you should add port 443, the standard port for HTTPS, and URLs that end with firebaseio.com (*.firebaseio.com) to your firewall’s allowlist.

  • Knox Authentication Manager uses the UDP and TLS protocols for device communication and data exchange. The default UDP ports are 49158 and 49159, and the default TLS port is 7788, but these ports can be customized. Add these ports, or the ones you set, to your firewall’s allowlist.

  • Knox Authentication Manager relies on the Network Time Protocol (NTP) to determine the most up-to-date user profile when performing device-to-device syncing. You’ll need to provide a firewall exception on your network for time.android.com on UDP port 123 in order to communicate with the NTP server.
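
The NTP exception described above can be verified from a workstation on the same network segment as the devices. The following is an added example, not Samsung code: it sends one SNTP query to time.android.com on UDP port 123, validates the reply, and reports the local clock offset. The `MAX_SKEW` tolerance and all function names are assumptions made for this illustration.

```python
import socket
import struct
import time

NTP_HOST, NTP_PORT = "time.android.com", 123  # endpoint and UDP port named on the page
NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
MAX_SKEW = 1.0  # assumed tolerance in seconds; the page does not state one


def build_request(t1: float) -> bytes:
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39xII", 0x23, int(t1) + NTP_EPOCH_DELTA, int((t1 % 1) * 2**32))


def _unix(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def parse_response(pkt: bytes, t1: float, t4: float) -> dict:
    """Validate a server reply and return clock offset and round-trip delay in seconds."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = pkt[0] >> 6, pkt[0] & 0x07, pkt[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server is unsynchronized")
    # The origin field must echo our transmit timestamp, or the reply is stale or spoofed.
    if pkt[24:32] != build_request(t1)[40:48]:
        raise ValueError("origin timestamp mismatch")
    r_s, r_f, x_s, x_f = struct.unpack("!4I", pkt[32:48])
    t2, t3 = _unix(r_s, r_f), _unix(x_s, x_f)  # server receive and transmit times
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return {"offset": offset, "delay": delay, "stratum": stratum,
            "within_tolerance": abs(offset) <= MAX_SKEW}


def query(host: str = NTP_HOST, port: int = NTP_PORT, timeout: float = 3.0) -> dict:
    """Send one query; a timeout here suggests UDP 123 is not allowlisted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, port))
        pkt, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_response(pkt, t1, t4)


if __name__ == "__main__":
    print(query())
```

A timeout points to the firewall exception; a large offset points to clock drift, which matters because syncing relies on time to pick the most up-to-date user profile.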

When you set up Knox Authentication Manager in your UEM, you need to create a shared key to encrypt and protect user profiles and device group communication. One way to generate this key is through OpenSSL. Mac and Linux users can run openssl rand -base64 24 in a terminal. Windows users first have to install OpenSSL. See the OpenSSL documentation for more information.

Required license

A valid Knox Suite license key is required to use Knox Authentication Manager. For more information, see Get started as an IT admin.

Additionally, to ensure that Knox Authentication Manager performs optimally, admins should configure specific Knox Service Plugin policies with their UEM. For more information on Knox Service Plugin requirements, see Get started as an IT admin and Knox Service Plugin.

Supported devices

Knox Authentication Manager is available for all Samsung devices secured by Knox running Android 12 and higher in an enterprise deployment. The device must be fully managed by an EMM. For a full list of compatible devices, see Devices secured by Knox.

Get started with Knox Authentication Manager

See the following pages for guided workflows of Knox Authentication Manager for new admins and end users.
