Get started as an IT admin

Last updated October 28th, 2024

If you’re an IT admin setting up Knox Authentication Manager for the first time, this tutorial walks you through the basic steps required for deploying the app to your enterprise devices.

Step 1: Get a Knox Suite license

You must have a valid Knox Suite license if you want to deploy Knox Authentication Manager to your enterprise devices. To get a Knox Suite license, you must first sign up for a Samsung Knox account. See the Knox Suite documentation for instructions on how to sign up and obtain a license.

Step 2: Grant access to Knox services

In addition to creating a Samsung account and getting a Knox Suite license, you must also grant your enterprise devices access to the Knox servers in order to verify their licenses and exchange data. To do this, you’ll need to configure several firewall exceptions in your organization. See Samsung Knox firewall exceptions for more details.

Step 3: Set up Knox Service Plugin

To ensure that Knox Authentication Manager performs optimally, you’ll need to configure specific Knox Service Plugin policies with your UEM or EMM. See Knox Service Plugin’s minimum requirements and UEM set up instructions.

In addition to the app policies, you should also push the following Knox Service Plugin policies to ensure the app runs optimally:

  • Add com.samsung.android.knox.kam/com.samsung.android.knox.kam.ui.SplashScreenActivity to the Package Name for Auto-Launch policy to let the app automatically launch when you unlock the device.
  • Add com.samsung.android.knox.kam to the Force Stop Blocklist policy in order to prevent users from force stopping the app.
  • Add com.samsung.android.knox.kam to the Battery optimization allowlist policy to exempt the app from battery usage optimizations that could suspend its process.

Step 4: Set up your UEM or EMM

Depending on your UEM or EMM, you may need to configure your devices in a particular way in order to use Knox Authentication Manager.

VMware Workspace ONE [1]

To work with VMware Workspace ONE, Knox Authentication Manager requires devices to be set up with the Workspace ONE Launcher. For more information, see About VMware Workspace ONE Launcher in the UEM’s documentation.

Microsoft Intune

To work with Microsoft Intune, Knox Authentication Manager requires devices to be set up with the Intune Managed Home Screen app. For more information, see Configure Managed Home Screen app in the Microsoft Intune documentation.

Knox Manage or SOTI MobiControl

If you’re using Knox Manage or SOTI MobiControl, you can configure your devices to launch Knox Authentication Manager in Kiosk mode (Knox Manage) or Lockdown mode (MobiControl). These modes let you constrain users to a limited set of apps and settings after they sign in, but they are not a firm requirement for the app.

Step 5: Add Knox Authentication Manager as a managed app in your UEM or EMM

Next, you’ll need to add Knox Authentication Manager as a managed Google Play app in your UEM or EMM. See the respective guides below for details on how to add apps:

For Knox Manage and SOTI MobiControl environments, you have to register Knox Authentication Manager in the Azure portal. To register Knox Authentication Manager in the Azure portal:

  1. Sign in to the Azure portal and navigate to Azure services > Microsoft Entra ID.
  2. Under Manage on the page that opens, select App registrations > New registration.
  3. Enter a name and click Register. You’ll be taken to the Overview page of your newly registered app.
  4. Under Manage click Authentication, then under Platform configurations, click Add a platform and select Android.
  5. In the side panel, enter the package name and signature hash for Knox Authentication Manager.
    • Package name — com.samsung.android.knox.kam
    • Signature hash — nKUXDzgZGd/gRG/NqxixmhQ7MWM=
  6. Click Configure, then click Done.

Knox Authentication Manager is now registered in your Microsoft Entra ID (formerly Azure AD) tenant.
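An added example (not Samsung's or Microsoft's code) for checking the values entered in the registration steps above against the signing certificate of the APK you actually deploy. It assumes the signature hash is the Base64-encoded SHA-1 digest of the app's signing certificate and that the Android redirect URI has the form msauth://<package>/<URL-encoded hash>; the function names are hypothetical.

```python
import base64
import hashlib
from urllib.parse import quote

PACKAGE_NAME = "com.samsung.android.knox.kam"    # value from this page
SIGNATURE_HASH = "nKUXDzgZGd/gRG/NqxixmhQ7MWM="  # value from this page


def signature_hash_from_cert(cert_der: bytes) -> str:
    """Base64 of the SHA-1 digest of a DER-encoded signing certificate."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def hash_to_fingerprint(signature_hash: str) -> str:
    """Decode a portal-style hash into a lowercase hex SHA-1 fingerprint."""
    raw = base64.b64decode(signature_hash, validate=True)
    if len(raw) != 20:
        raise ValueError(f"expected a 20-byte SHA-1 digest, got {len(raw)}")
    return raw.hex()


def fingerprint_to_hash(fingerprint: str) -> str:
    """Convert a hex SHA-1 fingerprint (colons or spaces allowed) to Base64."""
    raw = bytes.fromhex(fingerprint.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError(f"expected a 20-byte SHA-1 digest, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def matches_expected(apk_fingerprint: str, expected: str = SIGNATURE_HASH) -> bool:
    """True if the fingerprint read from the APK equals the documented hash."""
    return fingerprint_to_hash(apk_fingerprint) == expected


def redirect_uri(package: str, signature_hash: str) -> str:
    """Build the redirect URI for the Android platform entry (assumed format)."""
    hash_to_fingerprint(signature_hash)  # reject malformed or truncated hashes
    return f"msauth://{package}/{quote(signature_hash, safe='')}"


if __name__ == "__main__":
    # Compare this fingerprint with the SHA-1 certificate digest reported
    # for the APK by a tool such as `apksigner verify --print-certs`.
    print("SHA-1 fingerprint:", hash_to_fingerprint(SIGNATURE_HASH))
    print("Redirect URI:     ", redirect_uri(PACKAGE_NAME, SIGNATURE_HASH))
```

A mismatch between the fingerprint read from the installed APK and the documented hash means the package was signed with a different certificate and should not be registered or deployed until the discrepancy is explained.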

Step 6: Configure and assign the app

In your UEM or EMM, you’ll need to create a managed configuration for Knox Authentication Manager before deploying it to your enterprise devices. See Configure app policies for a list of available policies, descriptions, and available options.

Once you configure the Knox Authentication Manager policies, assign and install the app on your devices.

For VMware Workspace ONE or Microsoft Intune admins:

  • Exclude Knox Authentication Manager from clean up to avoid deleting inactive device records, if you use Workspace ONE or Intune.
  • If you use VMware, allow the Knox Authentication Manager main activity so that the Knox Authentication Manager sign-in screen can pop up before the user signs in to the VMware launcher.

For SOTI MobiControl or Knox Manage admins:

  • If users have Microsoft 365 accounts, ensure that they don’t set their Microsoft 365 accounts to remain signed in.

  [1] VMware Workspace ONE is also known as Omnissa Workspace ONE.