Get started as an IT admin

If you’re an IT admin setting up Knox Authentication Manager for the first time, this tutorial walks you through the basic steps required for deploying the app to your enterprise devices.

Step 1: Get a Knox Suite license

You must have a valid Knox Suite license if you want to deploy Knox Authentication Manager to your enterprise devices. To get a Knox Suite license, you must first sign up for a Samsung Knox account. See the Knox Suite documentation for instructions on how to sign up and obtain a license.

Step 2: Grant access to Knox services

In addition to creating a Samsung account and getting a Knox Suite license, you must also grant your enterprise devices access to the Knox servers in order to verify their licenses and exchange data. To do this, you’ll need to configure several firewall exceptions in your organization. See Samsung Knox firewall exceptions for more details.

Step 3: Set up Knox Service Plugin

To ensure that Knox Authentication Manager performs optimally, you’ll need to configure specific Knox Service Plugin policies with your UEM or EMM. See Knox Service Plugin’s minimum requirements and UEM set up instructions.

Recommended Knox Service Plugin policies

In addition to the app policies, you should also push the following Knox Service Plugin policies to enure the app runs optimally:

• Add com.samsung.android.knox.kam/com.samsung.android.knox.kam.ui.SplashScreenActivity to the Package Name for Auto-Launch policy to let the app automatically launch when you unlock the device.
• Add com.samsung.android.knox.kam to the Force Stop Blocklist policy in order to prevent users from force stopping the app.
• Add com.samsung.android.knox.kam to the Battery optimization allowlist policy to exempt the app from battery usage optimizations that could suspend its process.

Step 4: Set up your UEM or EMM

Depending on your UEM or EMM, you may need to configure your devices in a particular way in order to use Knox Authentication Manager.

VMware Workspace ONE¹

Knox Authentication Manager can be configured to launch with or without the VMware Workspace ONE Launcher. For more information, see About VMware Workspace ONE Launcher in the UEM’s documentation.

Microsoft Intune

Knox Authentication Manager can be configured to launch with or without the Intune Managed Home Screen app. For more information, see Configure Managed Home Screen app in the Microsoft Intune documentation.

Knox Manage or SOTI MobiControl

If you’re using Knox Manage or SOTI MobiControl, you can configure your devices to launch Knox Authentication Manager in Kiosk mode (Knox Manage) or Lockdown mode (MobiControl). These modes let you constrain users to a limited set of apps and settings after they sign in, but they are not a firm requirement for the app.

Step 5: Add Knox Authentication Manager as a managed app in your UEM or EMM

Next, you’ll need to add Knox Authentication Manager as a managed Google Play app in your UEM or EMM. See the respective guides below for details on how to add apps:

• Knox Manage
• SOTI MobiControl
• VMware Workspace ONE
• Microsoft Intune

For Knox Manage and SOTI MobiControl environments, you have to register Knox Authentication Manager in the Azure portal. To register Knox Authentication Manager in the Azure portal:

1. Sign in to the Azure portal and navigate to Azure services > Microsoft Entra ID.
2. Under Manage on the page that opens, select App registrations > New registration.
3. Enter a name and click Register. You’ll be taken to the Overview page of your newly registered app.
4. Under Manage click Authentication, then under Platform configurations, click Add a platform and select Android.
5. In the side panel, enter the package name and signature hash for Knox Authentication Manager.
   • Package name — com.samsung.android.knox.kam
   • Signature hash — nKUXDzgZGd/gRG/NqxixmhQ7MWM=
6. Click Configure, then click Done.

Knox Authentication Manager is now registered in your AAD tenant.

Step 6: Configure and assign the app

In your UEM or EMM, you’ll need to create a managed configuration for Knox Authentication Manager before deploying it to your enterprise devices. See Configure app policies for a list of available policies, descriptions, and options. Once you configure the Knox Authentication Manager policies, assign and install the app on your devices.

For Microsoft Intune admins:

• Optionally, you can download and use the following JSON file to help configure your Knox Authentication Manager app. Refer to the app policies page for an explanation of each key-value pair, then edit the JSON file according to your fleet’s deployment needs. All keys with the value CHANGEME must be edited for the configuration to work.
• Download JSON file for Intune

Required VMware Workspace ONE activities

If you’re a VMware Workspace ONE customer, you must also add several activities in the Workspace ONE console. When configuring a device profile, enable the following Launcher settings and enter the package and class name pairs listed below. For more information on Launcher settings, see Configure Workspace ONE Launcher Profile in the VMware Workspace ONE documentation.

Check In Check Out (CICO) Features

Enable Add Allowlist Activities on Check-in Check-out Screen and enter the following package name and class name pairs:

Advanced Customization

Enable Add Allowlist specific Android Activities and enter the following package name and class name pairs:

Other recommended settings

For VMware Workspace ONE or Microsoft Intune admins:

• Exclude Knox Authentication Manager from clean up to avoid deleting inactive device records, if you use Workspace ONE or Intune.
• Allow Knox Authentication Manager main activity if you use VMware to allow the Knox Authentication Manager sign-in screen to pop up before the user signs in to the VMware launcher.

For SOTI MobiControl or Knox Manage admins:

• If users have Microsoft 365 accounts, ensure that they don’t set their Microsoft 365 accounts to remain signed in.