
Get started as an IT admin

Last updated June 5th, 2024

The following tutorial is intended for IT admins and guides you through the basics of setting up Knox Authentication Manager.

Step 1: Get a Knox Suite license

A valid Knox Suite license is required to use Knox Authentication Manager. To get a Knox Suite license:

  1. Sign up for a Samsung Knox account if you haven’t done so already. Refer to Create a Samsung account to learn more.
  2. Next, Apply for access to Knox Suite. After you apply, a trial license is automatically generated for you, which covers 30 active devices and expires after three months. Once your trial license expires, you can purchase a commercial Knox Suite license from your local reseller. For more information on Knox Suite licenses, see Confirm and register your license.

Additionally, you must ensure your enterprise devices have access to Samsung Knox servers. When you activate Knox services, your enrolled devices verify their license keys and exchange data with the Knox servers, and they re-check their licenses a few times a week.

Step 2: Set up Knox Service Plugin

To ensure that Knox Authentication Manager performs optimally, admins will need to configure specific Knox Service Plugin policies with their UEM/EMM. Refer to the Knox Service Plugin requirements page for more information.

For instructions on how to set up Knox Service Plugin with your UEM/EMM, see Set up with a UEM.

Step 3: Set up your UEM/EMM

Knox Authentication Manager requires devices to be set up in a particular way, depending on your UEM/EMM. Read on to learn about how to set up these methods for your respective UEM/EMM.

Knox Manage

For Knox Authentication Manager to work with Knox Manage, it is recommended that devices be set up in Kiosk mode, but it is not a firm requirement. Kiosk mode is a means of setting up a dedicated device, by constraining the device’s functionality to suit that of an on-premises or embedded computer.

For more information, see Create a kiosk in the Knox Manage documentation.

SOTI MobiControl

For Knox Authentication Manager to work with SOTI MobiControl, it is recommended that devices be set up in Lockdown mode, but this is not a firm requirement. Lockdown, or lockdown mode, is a means of setting up a dedicated device, and is similar to kiosk mode in Knox Manage. It limits device access to a home screen with approved apps and web pages.

For more information, see Lockdown (Android Enterprise-Work Managed) in the SOTI MobiControl documentation.

VMware Workspace ONE

To work with VMware Workspace ONE, Knox Authentication Manager requires devices to be set up with the Workspace ONE Launcher.

For more information, see About VMware Workspace ONE Launcher in the UEM’s documentation.

Microsoft Intune

To work with Microsoft Intune, Knox Authentication Manager requires devices to be set up with the Intune Managed Home Screen app.

For more information, see Configure Managed Home Screen app in the Microsoft Intune documentation.

Step 4: Add Knox Authentication Manager as a managed app in your UEM/EMM

Next, you’ll need to add Knox Authentication Manager as a managed Google Play app in your UEM/EMM. See your UEM/EMM’s own guide for details on how to add managed apps.

For Knox Manage and SOTI MobiControl environments, you have to register Knox Authentication Manager in the Azure portal. To register Knox Authentication Manager in the Azure portal:

  1. Sign in to the Azure portal and navigate to Azure services > Microsoft Entra ID.

  2. Under Manage on the page that opens, select App registrations > New registration.

  3. Enter a name and click Register. You’ll be taken to the Overview page of your newly registered app.

  4. Under Manage click Authentication, then under Platform configurations, click Add a platform and select Android.

  5. In the side panel, enter the package name and signature hash for Knox Authentication Manager.

    • Package name — com.samsung.android.knox.kam

    • Signature hash — nKUXDzgZGd/gRG/NqxixmhQ7MWM=

  6. Click Configure, then click Done.

Knox Authentication Manager is now registered in your Microsoft Entra ID (Azure AD) tenant.

Step 5: Configure and assign the app

In your UEM/EMM, create a managed configuration for Knox Authentication Manager according to the settings below.

If you’re a Microsoft Intune customer, you can download and use the following JSON file to help configure your Knox Authentication Manager app. Refer to the table below for detailed explanations of the key-value pairs, then edit the JSON file according to your fleet’s deployment needs. All keys with a value of “CHANGEME” must be edited for the configuration to work.

Download JSON file for Intune

License key

Specifies the product license key. Enter your Knox Suite license key, which can be found on the Licenses page of your Knox Admin Portal.


Auto Delete Unused Profile After (Months)

Specifies the number of months a user profile must remain unused before it is automatically deleted. Use this to enforce your company’s retention policy in compliance with local privacy laws.

Values:

  • Range: 1 - 36 months
  • Default: 3 months

Main Login App

Determines the UEM/EMM app used to authenticate users.

Values:

  • VMware Workspace ONE Launcher
  • Microsoft Managed Home Screen (only applicable to Intune users)
  • Other-Kiosk Mode — Select this setting when you have dedicated devices managed by Knox Manage (in kiosk mode) or SOTI MobiControl (in lockdown mode).

Main login method

Determines how users sign in to Knox Authentication Manager. For Face sign-in, please read and acknowledge the biometric notice below.

Values:

  • Manual
  • Face

I have read and understand the notice in the description (required for Face login)

Specifies that you permit the collection, storage, and use of user biometric data on devices when you set the Main Login Method to Face.

Values:

  • No response
  • Yes — Choose this setting to enable face sign-in if you agree to the terms of the notice displayed in your UEM/EMM console. This setting is mandatory to enable face sign-in.

Main Login PIN Length

Sets the required PIN length when face sign-in is used.

Values:

  • 4
  • 6
  • 8

The following settings apply when you use SOTI MobiControl or Knox Manage as your UEM/EMM.


Azure AD Tenant ID

Specifies the Knox Authentication Manager Directory (tenant) ID registered in Microsoft Entra ID. Refer to Microsoft’s documentation for detailed instructions on how to find your tenant ID.


Azure AD Client ID

Specifies the Knox Authentication Manager Application (client) ID registered in Microsoft Entra ID. Refer to Microsoft’s documentation for detailed instructions on how to find your client ID.


Auto Logout on Charge

Determines whether Knox Authentication Manager automatically signs out the current user when a device is put on charge (the user can cancel the sign-out).

Values:

  • True
  • False

Auto Logout on Screen-Off After (Minutes)

Specifies how many minutes a device screen must remain off before Knox Authentication Manager automatically signs out the current user.

Values:

  • Enter a time period in minutes
  • 0 = Disabled


Clean-Up on Logout

Allows the removal of app and account information when users sign out, to ensure that they don’t have access to the previous user’s signed-in apps and data.

Values:

  • True
  • False


Clean-Up Excluded Apps (Package Names)

Specifies the package names of apps — as a comma-delimited list — that are excluded from clean-up.

Default values:

  • None

Clean up on login

Allows the removal of app and account information when users sign in, to ensure that they don’t have access to the previous user’s signed-in apps and data.

This feature is primarily intended for Samsung Knox Manage and SOTI MobiControl customers. For VMware Workspace ONE and Microsoft Intune customers, clean-up is normally handled by the UEM/EMM.

Values:

  • True
  • False

Clean-up apps (package names)

Specifies the package names of apps — as a comma-delimited list — you want to clean up after users log in.

You must set the Clean up on login policy to True in order for this policy to work.

Default values:

  • com.microsoft.appmanager, com.microsoft.office, com.microsoft.office.excel, com.microsoft.office.officehubrow, com.microsoft.office.onenote, com.microsoft.office.outlook, com.microsoft.office.powerpoint, com.microsoft.office.word, com.microsoft.sharepoint, com.microsoft.skydrive, com.microsoft.teams

Enable Lightweight Launcher mode

Enables or disables Knox Authentication Manager’s own lightweight launcher. When enabled, users must authenticate with Entra ID before they can access work-related apps and data, thus preventing unauthorized access to sensitive information on a company-owned device.

This setting is primarily intended for Samsung Knox Manage and SOTI MobiControl customers. Microsoft Intune and VMware Workspace ONE customers already have a launcher included with their UEMs, and therefore don’t need to enable this setting.

Values:

  • True
  • False

PIN for KAM admin to exit Lightweight Launcher

The PIN, set by the IT admin, that is used to exit Lightweight Launcher mode.

Values:

  • None (default)
  • Any string consisting of alphanumeric characters and special characters

Time period after which user reverified (minutes)

The time period after the screen is turned off before the user must reverify their identity on the device.

Values:

  • Any number (in minutes)
  • 0 = Disabled

Sync Org ID

Sets a single identifier for your company or organization, under which your device sync groups are organized.

Values:

  • Enter an Org ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.

Sync Devices By

Determines how device sync groups are defined.

Values:

  • Group ID — Devices sync when they’re in the same admin-defined group.
  • WiFi Subnet — Devices sync when they’re on the same Wi-Fi subnet.

Sync Group ID

Sets a unique identifier for a group of devices across which user profiles will be synced. This setting only applies if your devices sync by group ID. Group IDs often correspond to device groups you configured in your UEM/EMM.

Values:

  • Enter a group ID consisting of only letters and numbers. This should be the same for devices that you want to sync with one another.

Sync Group Key

Sets a sync group key to encrypt and protect user profiles and device group communication.

Values:

  • Enter a 32-character key consisting of only letters and numbers. This should be the same for devices that you want to sync with one another. One way to create the key is to run openssl rand -base64 24 in a terminal.

Sync Send UDP Port

Specifies a UDP port number on devices which is used to send device communications such as sync requests.

Values:

  • Enter a UDP port number. If left unset, the default is 49158.

Sync Receive UDP Port

Specifies a UDP port number on devices which is used to receive device communications such as sync requests.

Values:

  • Enter a UDP port number. If left unset, the default is 49159.

Sync TCP Port

Specifies a TLS communication port number on devices which is used to sync data between devices.

Values:

  • Enter a TLS communication port. If left unset, the default is 7788.

Debug Mode

Enables or disables debug mode settings in the Knox Authentication Manager app.

Values:

  • False
  • True
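
The settings above are normally edited in the UEM/EMM console or in the Intune JSON file, so a mistake such as a 31-character sync key, a leftover CHANGEME value, or face sign-in enabled without the notice acknowledgement only shows up once devices receive the configuration. The following Python script is an added example, not Samsung’s code and not the contents of the downloadable Intune JSON file: it checks a managed configuration against the constraints documented above and generates a Sync Group Key that satisfies the letters-and-numbers rule (openssl rand -base64 24 also produces 32 characters, but base64 output can contain + and /, which the setting does not allow). The dictionary keys are the setting names from this page used as assumed key names; the real Intune JSON file uses its own keys, so map them before running this against a downloaded file. The sample configuration, license key and IDs are constructed placeholders.

```python
"""Sanity-check a Knox Authentication Manager managed configuration.

Added example (not Samsung's code). Dictionary keys are the setting names
from the documentation, used as assumed keys; the Intune JSON file has its own.
"""
import secrets
import string

ALNUM = set(string.ascii_letters + string.digits)
PLACEHOLDER = "CHANGEME"
LOGIN_APPS = {"VMware Workspace ONE Launcher", "Microsoft Managed Home Screen", "Other-Kiosk Mode"}
# Documented defaults for the sync ports.
PORT_DEFAULTS = {"Sync Send UDP Port": 49158, "Sync Receive UDP Port": 49159, "Sync TCP Port": 7788}


def generate_sync_group_key(length: int = 32) -> str:
    """Random key drawn only from letters and digits, as the Sync Group Key setting requires.
    (openssl rand -base64 24 also gives 32 characters, but base64 may include '+' and '/'.)"""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_alnum(value) -> bool:
    return isinstance(value, str) and value != "" and all(ch in ALNUM for ch in value)


def is_port(value) -> bool:
    # bool is a subclass of int, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535


def validate(cfg: dict) -> list[str]:
    """Return the problems found; an empty list means the config passes the documented checks."""
    errors = []
    get = cfg.get

    license_key = get("License key", PLACEHOLDER)
    if not license_key or license_key == PLACEHOLDER:
        errors.append("License key must be set to your Knox Suite license key, not CHANGEME")

    months = get("Auto Delete Unused Profile After (Months)", 3)
    if not (isinstance(months, int) and 1 <= months <= 36):
        errors.append("Auto Delete Unused Profile After (Months) must be between 1 and 36")

    login_app = get("Main Login App")
    if login_app not in LOGIN_APPS:
        errors.append("Main Login App must be one of: " + ", ".join(sorted(LOGIN_APPS)))

    method = get("Main login method", "Manual")
    if method not in {"Manual", "Face"}:
        errors.append("Main login method must be Manual or Face")
    if method == "Face":
        # Face sign-in only works once the biometric notice has been acknowledged.
        notice = "I have read and understand the notice in the description (required for Face login)"
        if get(notice) != "Yes":
            errors.append("Face sign-in requires the biometric notice acknowledgement to be Yes")
        if get("Main Login PIN Length") not in {4, 6, 8}:
            errors.append("Main Login PIN Length must be 4, 6 or 8 when Face sign-in is used")

    if login_app == "Other-Kiosk Mode":
        # Knox Manage / SOTI deployments authenticate through the Entra ID app registration.
        for key in ("Azure AD Tenant ID", "Azure AD Client ID"):
            if not get(key) or get(key) == PLACEHOLDER:
                errors.append(f"{key} is required for Knox Manage and SOTI MobiControl deployments")

    screen_off = get("Auto Logout on Screen-Off After (Minutes)", 0)
    if not (isinstance(screen_off, int) and screen_off >= 0):
        errors.append("Auto Logout on Screen-Off After (Minutes) must be 0 (disabled) or a positive number")

    if get("Clean-up apps (package names)") and get("Clean up on login") is not True:
        errors.append("Clean-up apps (package names) has no effect unless Clean up on login is True")

    org_id = get("Sync Org ID")
    if org_id is not None and not is_alnum(org_id):
        errors.append("Sync Org ID must contain only letters and numbers")

    sync_by = get("Sync Devices By")
    if sync_by not in {"Group ID", "WiFi Subnet"}:
        errors.append("Sync Devices By must be Group ID or WiFi Subnet")
    if sync_by == "Group ID" and not is_alnum(get("Sync Group ID")):
        errors.append("Sync Group ID (letters and numbers only) is required when syncing by Group ID")

    group_key = get("Sync Group Key", "")
    if not (is_alnum(group_key) and len(group_key) == 32):
        errors.append("Sync Group Key must be exactly 32 letters and numbers")

    for key, default in PORT_DEFAULTS.items():
        if not is_port(get(key, default)):
            errors.append(f"{key} must be a port number between 1 and 65535")

    if get("Debug Mode") is True:
        # Not a documented constraint; flagged so debug settings don't ship to a production fleet.
        errors.append("Debug Mode is True; set it to False before a production rollout")

    return errors


# Constructed sample: a Knox Manage kiosk deployment with face sign-in and group-based syncing.
SAMPLE_CONFIG = {
    "License key": "PLACEHOLDER-LICENSE-KEY",  # placeholder, not a real key
    "Auto Delete Unused Profile After (Months)": 6,
    "Main Login App": "Other-Kiosk Mode",
    "Main login method": "Face",
    "I have read and understand the notice in the description (required for Face login)": "Yes",
    "Main Login PIN Length": 6,
    "Azure AD Tenant ID": "00000000-0000-0000-0000-000000000000",  # placeholder
    "Azure AD Client ID": "11111111-1111-1111-1111-111111111111",  # placeholder
    "Auto Logout on Charge": True,
    "Auto Logout on Screen-Off After (Minutes)": 15,
    "Clean-Up on Logout": True,
    "Clean up on login": True,
    "Clean-up apps (package names)": "com.microsoft.teams, com.microsoft.office.outlook",
    "Enable Lightweight Launcher mode": True,
    "Sync Org ID": "ContosoWarehouse",
    "Sync Devices By": "Group ID",
    "Sync Group ID": "Site12Shift",
    "Sync Group Key": generate_sync_group_key(),
    "Debug Mode": False,
}

if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG) or ["configuration passes all documented checks"]:
        print(line)
```

Run it before assigning the configuration; each reported line names the setting to fix. The Debug Mode check is a deployment-hygiene choice of this script rather than a rule from the documentation, and can be dropped for test fleets.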

Once you configure the Knox Authentication Manager app, assign it to your device group to push it to devices and install it automatically. If you use SOTI MobiControl or Knox Manage, add Knox Authentication Manager to the kiosk profile or the Lockdown configuration before you deploy to your devices.

Additionally, you should configure the below settings in your UEM/EMM.

  • Ensure that any Knox Authentication Manager-related activities are enabled in your UEM/EMM.

  • In your UEM/EMM, configure the Knox Service Plugin’s Package Name for Auto-Launch policy to auto-launch Knox Authentication Manager. You can do this by adding the following package and component names as a single string without spaces: com.samsung.android.knox.kam/com.samsung.android.knox.kam.ui.SplashScreenActivity

    See the respective guides for instructions on how to configure the Knox Service Plugin in your UEM/EMM.

  • Add Knox Authentication Manager to the Knox Service Plugin Force Stop Blocklist policy so users can’t force stop Knox Authentication Manager.

  • Add Knox Authentication Manager to the Knox Service Plugin Battery optimization allowlist policy to exempt it from battery usage optimizations that could suspend its process.

  • Exclude Knox Authentication Manager from clean up, which may delete inactive device records, if you use VMware or Intune.

To ensure Knox Authentication Manager performs optimally:

  • If you use VMware, allow the Knox Authentication Manager main activity so that the Knox Authentication Manager sign-in screen can appear before the user signs in to the VMware launcher.

  • For SOTI MobiControl and Knox Manage, if users use Microsoft 365 accounts, ensure that you or the user don’t set the account to stay signed in.

Step 6: Test devices and device syncing

After you deploy Knox Authentication Manager, test that Knox Authentication Manager works as expected.

Unlock a device. Knox Authentication Manager automatically launches on devices managed by VMware Workspace ONE. Knox Authentication Manager doesn’t automatically launch on devices managed by Knox Manage or SOTI unless you configured the auto-launch policy described in Step 5. In this case, open the app and click Sign in or enroll.

A dialog should pop up asking users to enter their enterprise username.

Once you know Knox Authentication Manager works as expected, test that Knox Authentication Manager syncs across your devices.

Knox Authentication Manager relies on the Network Time Protocol (NTP) to determine the most up-to-date user profile when performing device-to-device syncing. You’ll need to add the following firewall exception on your network in order to communicate with the NTP server:

  • time.android.com – UDP port 123

You need two devices with Knox Authentication Manager installed that are in the same device group or on the same Wi-Fi subnet, depending on how you configured Knox Authentication Manager in your UEM/EMM. These devices are referred to as Device A and Device B below.

  1. Dock or plug in Device B. When you charge a device, a Starting sync service notification appears on its lock screen.
  2. Enroll a new user account with Knox Authentication Manager on Device A. To learn how to enroll for Knox Authentication Manager as an end user, see Get started as a user.
  3. Dock or plug in Device A and wait 1-2 minutes for the devices to sync.
  4. On Device B, enter the enterprise credentials you used to create the new user account on Device A in Knox Authentication Manager. If Knox Authentication Manager signs in without asking you to enroll the account, then the devices synced successfully.

For more information on device syncing, see Troubleshoot device syncing.
