
Get started as an IT admin

Last updated October 16th, 2023

The following tutorial is intended for IT admins and guides you through the basics of setting up Knox Authentication Manager.

Step 1: Get a Knox Suite license

A valid Knox Suite license is required to use Knox Authentication Manager. To get a Knox Suite license:

  1. Sign up for a Samsung Knox account if you haven’t done so already. Refer to Create a Samsung account to learn more.
  2. Next, Apply for access to Knox Suite. After you apply, a trial license is automatically generated for you, which covers 30 active devices and expires after three months. Once your trial license expires, you can purchase a commercial Knox Suite license from your local reseller. For more information on Knox Suite licenses, see Confirm and register your license.

Additionally, you must ensure your enterprise devices have access to Samsung Knox servers. When you activate Knox services, your enrolled devices will verify their license keys and exchange data with the Knox servers. Devices periodically check their licenses a few times a week.

Step 2: Set up Knox Service Plugin

To ensure that Knox Authentication Manager performs optimally, admins should configure specific Knox Service Plugin policies with their UEM. For more information on Knox Service Plugin requirements, see Knox Service Plugin.

For instructions on how to set up Knox Service Plugin with your UEM, see its documentation.

Step 3: Set up your UEM

Knox Authentication Manager requires devices to be set up in a particular way, depending on your UEM. The sections below describe the required setup for each supported UEM.

VMware Workspace ONE

To work with VMware Workspace ONE, Knox Authentication Manager requires devices to be set up with the Workspace ONE Launcher.

For more information, see About VMware Workspace ONE Launcher in the UEM’s documentation.

SOTI MobiControl

To work with SOTI MobiControl, Knox Authentication Manager requires devices to be set up in Lockdown. Lockdown, or lockdown mode, is a means of setting up a dedicated device, and is similar to kiosk mode in Knox Manage. It limits device access to a home screen with approved apps and web pages.

For more information, see Lockdown (Android Enterprise-Work Managed) in the SOTI MobiControl documentation.

Microsoft Intune

To work with Microsoft Intune, Knox Authentication Manager requires devices to be set up with the Intune Managed Home Screen app.

For more information, see Configure Managed Home Screen app in the Microsoft Intune documentation.

Knox Manage

To work with Knox Manage, Knox Authentication Manager requires devices to be set up in kiosk mode. Kiosk mode is a means of setting up a dedicated device, by constraining the device’s functionality to suit that of an on-premises or embedded computer.

For more information, see Create a kiosk in the Knox Manage documentation.

Step 4: Add Knox Authentication Manager as a managed app in your UEM

To add Knox Authentication Manager from Google Play as a managed app through your UEM, see the pages below.

For Knox Manage and SOTI MobiControl environments, you have to register Knox Authentication Manager in the Azure portal. To register Knox Authentication Manager in the Azure portal:

  1. Sign in to the Azure portal and navigate to Azure services > Azure Active Directory.

  2. Under Manage on the page that opens, select App registrations > New registration.

  3. Enter a name and click Register. Under Manage on the page that opens, select Authentication > Android.

  4. Enter the package name and signature hash for Knox Authentication Manager.

    • Package name — com.samsung.android.knox.kam

    • Signature hash — nKUXDzgZGd/gRG/NqxixmhQ7MWM=

  5. Click Configure.

Knox Authentication Manager is now registered in your Azure AD tenant.
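As an added example (not Samsung's or Microsoft's code), the Python below shows what the signature hash entered in step 4 actually is: the base64 encoding of the SHA-1 digest of the app's DER-encoded signing certificate. It checks that a hash pasted into the portal is well formed (valid base64 decoding to 20 bytes) and, going slightly beyond the page, derives the msauth:// redirect URI that the Azure portal generates from the package name and hash, so the value the portal displays can be compared against what you expect. The certificate bytes in the demo are constructed and are not a real certificate.

```python
import base64
import binascii
import hashlib
from urllib.parse import quote

# Values from step 4 of this page.
KAM_PACKAGE = "com.samsung.android.knox.kam"
KAM_SIGNATURE_HASH = "nKUXDzgZGd/gRG/NqxixmhQ7MWM="


def android_signature_hash(cert_der: bytes) -> str:
    """Base64(SHA-1(DER signing certificate)): the form the Azure portal asks for
    under Authentication > Android. For a vendor app, use the hash the vendor
    publishes rather than deriving one yourself."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def is_well_formed_signature_hash(value: str) -> bool:
    """True when the value is valid base64 that decodes to a 20-byte SHA-1 digest."""
    try:
        digest = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(digest) == 20


def msal_redirect_uri(package: str, signature_hash: str) -> str:
    """Redirect URI the Azure portal generates for an Android platform entry:
    msauth://<package>/<URL-encoded signature hash>."""
    return f"msauth://{package}/{quote(signature_hash, safe='')}"


if __name__ == "__main__":
    # Constructed bytes standing in for a DER certificate.
    demo_hash = android_signature_hash(b"\x30\x82\x01\x00constructed-cert")
    print("demo hash:", demo_hash, "well formed:", is_well_formed_signature_hash(demo_hash))
    print("page hash well formed:", is_well_formed_signature_hash(KAM_SIGNATURE_HASH))
    print("expected redirect URI:", msal_redirect_uri(KAM_PACKAGE, KAM_SIGNATURE_HASH))
```

The well-formedness check catches the common copy-and-paste failures (a dropped trailing = or a truncated string) before the registration is saved; it cannot tell you whether the hash belongs to the genuine app, which only the published value can.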

Step 5: Configure and assign the app

In your UEM, create a managed configuration for Knox Authentication Manager according to the table below.

If you’re a Microsoft Intune customer, you can download and use the following JSON file to help configure your Knox Authentication Manager app. Refer to the table below for detailed explanations of the key-value pairs, then edit the JSON file according to your fleet’s deployment needs. All keys with a value of “CHANGEME” must be edited for the configuration to work.

Download JSON file for Intune

Category: Enable Knox Authentication Manager policy controls

Policy: License Key
Description: Specifies the Knox Suite license key used by Knox Authentication Manager.
Values: Enter your Knox Suite license key. To find your license key, navigate to the Licenses section of your Knox Admin Portal.

Policy: Auto Delete Unused Profile After (Months)
Description: Specifies the number of months a user profile can be inactive before it's automatically deleted.
Values: Specify a period between 1 and 36 months. If left unset, this setting defaults to 3 months.

Category: Manage Login controls

Policy: Main Login App
Description: Determines the UEM app used to authenticate users.
Values:
  • VMware Workspace ONE Launcher
  • Microsoft Managed Home Screen (This option only applies to Intune users.)
  • Other-Kiosk Mode — Select this setting when you have dedicated devices managed by Knox Manage (in kiosk mode) or SOTI MobiControl (in lockdown mode).

Knox Authentication Manager v1.3, planned for September 2023, will include support for Microsoft Intune. Users can then authenticate with the Microsoft Managed Home Screen if it's set as the main sign-in method.

Policy: Main Login Method
Description: Determines how users sign in to Knox Authentication Manager. For Face sign-in, read and acknowledge the biometric notice below.
Values:
  • Manual
  • Face

Policy: I have read and understand the notice in the description (required for Face login)
Description: Specifies that you permit the collection, storage, and use of user biometric data on devices when you set the Main Login Method to Face.
Values:
  • No response
  • Yes — Choose this setting to enable face sign-in if you agree to the terms of the notice displayed in your UEM console. This setting is mandatory to enable face sign-in.

Policy: Main Login PIN Length
Description: Sets the required PIN length when face login is used.
Values:
  • 4
  • 6
  • 8

Category: Manage Kiosk Mode controls (These settings apply when you use SOTI or Knox Manage as a UEM)

Policy: Azure AD Tenant ID
Description: Specifies the tenant ID for your organization registered in your Azure portal.
Values: Enter your Azure AD tenant ID. To find your tenant ID, navigate to Azure Active Directory in your Azure portal. Under Overview, find your tenant ID.

Policy: Azure AD Client ID
Description: Specifies the client ID for the Knox Authentication Manager app registered in your tenant in the Azure portal.
Values: Enter your Azure AD client ID for Knox Authentication Manager. To find your client ID, navigate to Azure Active Directory > App registrations and select Knox Authentication Manager. Under Overview, find the Application (client) ID.

Policy: Azure AD Login Auto-Launch
Description: Determines whether the Knox Authentication Manager sign-in pop-up is launched automatically at device unlock.
Values:
  • True
  • False

Policy: Auto Logout on Charge
Description: Determines whether Knox Authentication Manager automatically signs out the current user when a device is charged.
Values:
  • True
  • False

Policy: Auto Logout on Screen-Off After (Minutes)
Description: Specifies how many minutes a device screen must remain off before Knox Authentication Manager automatically signs out the current user.
Values: Enter a time period in minutes.

Policy: Clean-Up on Logout
Description: Determines whether to clean up app data and accounts when users sign out, so that users don't have access to previous users' signed-in apps.
Values:
  • True
  • False

Policy: Clean-Up Excluded Apps (Package Names)
Description: Specifies a list of productivity apps that are excluded from clean-up.
Values: Enter apps by their package names and separate entries with commas.

Category: Manage Debug Controls

Policy: Debug Mode
Description: Enables debug mode settings in the Knox Authentication Manager app.
Values:
  • False
  • True

Category: Manage Sync controls

Policy: Sync Org ID
Description: Sets a single identifier for your company or organization, under which your device sync groups are organized.
Values: Enter an Org ID. This should be the same for devices that you want to sync with one another. Your Org ID must only consist of letters and numbers.

Policy: Sync Devices By
Description: Determines how device sync groups are defined.
Values:
  • Group ID — Devices sync when they're in the same admin-defined group.
  • WiFi Subnet — Devices sync when they're on the same Wi-Fi subnet.

Policy: Sync Group ID
Description: Sets a unique identifier for a group of devices across which user profiles will be synced. This setting only applies if your devices sync by group ID. Group IDs often correspond to device groups you configured in your UEM.
Values: Enter a group ID. This should be the same for devices that you want to sync with one another. Your group ID must only consist of letters and numbers.

Policy: Sync Group Key
Description: Sets a sync group key to encrypt and protect user profiles and device group communication.
Values: Enter a 32-character key. This should be the same for devices that you want to sync with one another. One way to create the key is to run openssl rand -base64 24 in a terminal. Your group key must only consist of letters and numbers.

Policy: Sync Send UDP Port
Description: Specifies a UDP port number on devices which is used to send device communications such as sync requests.
Values: Enter a UDP port number. If left unset, the default is 49158.

Policy: Sync Receive UDP Port
Description: Specifies a UDP port number on devices which is used to receive device communications such as sync requests.
Values: Enter a UDP port number. If left unset, the default is 49159.

Policy: Sync TCP Port
Description: Specifies a TLS communication port number on devices which is used to sync data between devices.
Values: Enter a TLS communication port. If left unset, the default is 7788.
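The checks below are an added example written for this page, not Samsung's or any UEM vendor's code. They turn the rules in the table above into a pre-deployment check on a managed configuration: no CHANGEME placeholders left over from the downloaded JSON file, the 1 to 36 month retention range, Face login only with the acknowledged notice and a PIN length of 4, 6 or 8, GUID-shaped Azure AD tenant and client IDs for kiosk-mode fleets, alphanumeric sync IDs, a 32-character alphanumeric Sync Group Key, and valid port numbers. The key names used in the dictionary (license_key, sync_group_key and so on) are hypothetical placeholders for whatever keys your UEM's schema uses, and the sample configuration is constructed. The example also generates a Sync Group Key that satisfies the letters-and-numbers rule, which a bare openssl rand -base64 24 does not guarantee, since base64 output can contain + and /.

```python
import re
import secrets
import string

# Allowed values come from the policy table above. The dictionary key names used
# here are hypothetical placeholders; map them to the keys in your UEM's schema
# (for Intune, the keys in the downloadable JSON file).
MAIN_LOGIN_APPS = {"VMware Workspace ONE Launcher", "Microsoft Managed Home Screen", "Other-Kiosk Mode"}
MAIN_LOGIN_METHODS = {"Manual", "Face"}
PIN_LENGTHS = {4, 6, 8}
SYNC_MODES = {"Group ID", "WiFi Subnet"}

ALNUM = string.ascii_letters + string.digits
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def generate_sync_group_key(length: int = 32) -> str:
    """Random key of letters and digits only, drawn from the OS CSPRNG.
    `openssl rand -base64 24` also yields 32 characters, but base64 output can
    contain '+' or '/', which the Sync Group Key policy does not accept."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def _valid_port(value) -> bool:
    return isinstance(value, int) and 1 <= value <= 65535


def validate_config(cfg: dict) -> list:
    """Return the list of problems in a managed-configuration dict; empty means OK."""
    problems = []

    # Every placeholder left over from the downloaded JSON file blocks deployment.
    for key, value in cfg.items():
        if value == "CHANGEME":
            problems.append(f"{key}: still set to CHANGEME")

    # Licence and profile retention (1-36 months; unset falls back to 3).
    if not cfg.get("license_key"):
        problems.append("license_key: a Knox Suite license key is required")
    months = cfg.get("auto_delete_months")
    if months is not None and not (isinstance(months, int) and 1 <= months <= 36):
        problems.append("auto_delete_months: must be between 1 and 36")

    # Login controls: Face login requires the acknowledged notice and a PIN length.
    if cfg.get("main_login_app") not in MAIN_LOGIN_APPS:
        problems.append("main_login_app: unknown value")
    if cfg.get("main_login_method") not in MAIN_LOGIN_METHODS:
        problems.append("main_login_method: must be Manual or Face")
    elif cfg["main_login_method"] == "Face":
        if cfg.get("biometric_notice_acknowledged") != "Yes":
            problems.append("biometric_notice_acknowledged: must be Yes for Face login")
        if cfg.get("main_login_pin_length") not in PIN_LENGTHS:
            problems.append("main_login_pin_length: must be 4, 6 or 8")

    # Kiosk-mode controls (Knox Manage / SOTI) need the Azure AD identifiers and
    # well-formed package names in the clean-up exclusion list.
    if cfg.get("main_login_app") == "Other-Kiosk Mode":
        for key in ("azure_tenant_id", "azure_client_id"):
            if not GUID_RE.match(str(cfg.get(key, ""))):
                problems.append(f"{key}: expected the GUID shown in the Azure portal")
        for pkg in cfg.get("cleanup_excluded_apps", "").split(","):
            if pkg.strip() and not PACKAGE_RE.match(pkg.strip()):
                problems.append(f"cleanup_excluded_apps: '{pkg.strip()}' is not a package name")

    # Sync controls: alphanumeric IDs, a 32-character alphanumeric key, valid ports.
    for key in ("sync_org_id", "sync_group_id"):
        if key in cfg and not ALNUM_RE.match(str(cfg[key])):
            problems.append(f"{key}: letters and numbers only")
    group_key = str(cfg.get("sync_group_key", ""))
    if len(group_key) != 32 or not ALNUM_RE.match(group_key):
        problems.append("sync_group_key: must be exactly 32 letters/digits")
    if cfg.get("sync_devices_by") not in SYNC_MODES:
        problems.append("sync_devices_by: must be Group ID or WiFi Subnet")
    elif cfg["sync_devices_by"] == "Group ID" and not cfg.get("sync_group_id"):
        problems.append("sync_group_id: required when syncing by Group ID")
    for key, default in (("sync_send_udp_port", 49158), ("sync_receive_udp_port", 49159), ("sync_tcp_port", 7788)):
        if not _valid_port(cfg.get(key, default)):
            problems.append(f"{key}: must be a port number between 1 and 65535")
    return problems


# Constructed sample: a kiosk-mode (Knox Manage / SOTI MobiControl) fleet with face login.
SAMPLE_CONFIG = {
    "license_key": "KLM-PLACEHOLDER-LICENSE-KEY",
    "auto_delete_months": 3,
    "main_login_app": "Other-Kiosk Mode",
    "main_login_method": "Face",
    "biometric_notice_acknowledged": "Yes",
    "main_login_pin_length": 6,
    "azure_tenant_id": "00000000-0000-0000-0000-000000000000",
    "azure_client_id": "11111111-1111-1111-1111-111111111111",
    "cleanup_excluded_apps": "com.example.mail,com.example.chat",
    "sync_org_id": "examplecorp",
    "sync_devices_by": "Group ID",
    "sync_group_id": "warehouse01",
    "sync_group_key": generate_sync_group_key(),
    "sync_send_udp_port": 49158,
    "sync_receive_udp_port": 49159,
    "sync_tcp_port": 7788,
}

if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG) or "configuration OK")
    print(validate_config(dict(SAMPLE_CONFIG, sync_group_key="CHANGEME", main_login_pin_length=5)))
```

Run the check against the configuration you are about to assign; the same Sync Group Key, Org ID and Group ID must be pushed to every device that should sync, so generate the key once and reuse it in each device group's configuration rather than generating it per device.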

Once you configure the Knox Authentication Manager app, assign it to your device group to push and automatically install it on devices. If you use Knox Manage, add Knox Authentication Manager to the kiosk profile before you deploy to your devices; if you use SOTI MobiControl, add it to the Lockdown configuration.

Additionally, you should configure the below settings in your UEM.

  • Ensure that any Knox Authentication Manager-related activities are enabled in your UEM.

  • Set the Knox Service Plugin Package Name for Auto-Launch policy to auto-launch Knox Authentication Manager. See the UEM guides for instructions on how to set up Knox Service Plugin with your UEM.

  • Add Knox Authentication Manager to the Knox Service Plugin Force Stop Blocklist policy so users can’t force stop Knox Authentication Manager.

  • Add Knox Authentication Manager to the Knox Service Plugin Battery optimization allowlist policy to exempt it from battery usage optimizations that could suspend its process.

  • If you use VMware or Intune, exclude Knox Authentication Manager from clean up, which may otherwise delete inactive device records.

This policy is available with the Knox Service Plugin 23.06 release. To use this policy, a Knox Platform for Enterprise Premium license is required, which is available at no cost with a Knox Suite license. To learn more, see Knox Platform for Enterprise licenses.

To ensure Knox Authentication Manager performs optimally:

  • If you use VMware, allow the Knox Authentication Manager main activity so that the Knox Authentication Manager sign-in screen can pop up before the user signs in to the VMware launcher.

  • For SOTI MobiControl and Knox Manage, if users use Microsoft 365 accounts, ensure that you or the user don’t set the account to stay signed in.

Step 6: Test devices and device syncing

After you deploy Knox Authentication Manager, test that Knox Authentication Manager works as expected.

Unlock a device. Knox Authentication Manager automatically launches on devices managed by VMware Workspace ONE. Knox Authentication Manager doesn’t automatically launch on devices managed by Knox Manage or SOTI unless you configured it to. In this case, open the app and click Sign in or enroll.

A dialog should pop up asking users to enter their enterprise username.

Once you know Knox Authentication Manager works as expected, test that Knox Authentication Manager syncs across your devices.

Knox Authentication Manager relies on the Network Time Protocol (NTP) to determine the most up-to-date user profile when performing device-to-device syncing. You’ll need to add the following firewall exception on your network in order to communicate with the NTP server:

  • time.android.com – UDP port 123

You need two devices with Knox Authentication Manager installed that are in the same device group or on the same Wi-Fi subnet, depending on how you configured Knox Authentication Manager in your UEM. These devices are referred to as Device A and Device B below.

  1. Dock or plug in Device B. When you charge a device, a Starting sync service notification appears on its lock screen.
  2. Enroll a new user account with Knox Authentication Manager on Device A. To learn how to enroll for Knox Authentication Manager as an end user, see Get started as a user.
  3. Dock or plug in Device A and wait 1-2 minutes for the devices to sync.
  4. On Device B, enter the enterprise credentials you used to create the new user account on Device A in Knox Authentication Manager. If Knox Authentication Manager signs in without asking you to enroll the account, then the devices synced successfully.

For more information on device syncing, see Troubleshoot device syncing.
