Shared Device
The Knox Configure Shared Device feature enables multiple users to access the same device without sharing data across multiple devices, thus reducing the risk of an exploited device.
About Shared Device
When powering on a Shared Device, each employee is prompted to log into a separate account with their Active Directory (AD) credentials and manage their own unique set of files and apps. Individual settings, accounts, applications and policies are utilized exclusively with a single user account. After a user logs out, data is wiped from the device and isn't shared with other users.
Shared device functionality is optional and not required when creating a Knox Configure profile.
Samsung Knox Single Sign On (SSO)
The Samsung SSO technology is based on the Kerberos protocol which enables device users to authenticate with a single account. Access a wide range of enterprise resources efficiently without having to log into each application. SSO eliminates the burden of recalling multiple passwords, and affords users the luxury of a single password that meets corporate password policies. Once an employee is done with the Shared Device, they simply log out and hand the device to the next user who then enters their own secure credentials.
The application client and Samsung's SSO solution on the device authenticate with Enterprise Active Directory as follows:
- SSO client on the device communicates with Active Directory for Kerberos authentication through VPN or by using on-premise Wi-Fi.
- Upon successful authentication, the SSO client provides the requested authentication token to the app.
- The authentication token, Negotiate token (for HTTP Negotiate) or SAML response (for SAML 2.0) is then forwarded to an Intranet service or cloud device respectively depending on the token request time.
Prerequisites
The following prerequisites are required to utilize a Shared Device:
- Active Directory
- End user credentials
- Kerberos (port 88) must be enabled for the Shared Device authentication
- A supported Samsung device running Knox 2.6 to 3.5
Create a Shared Device supported profile
To begin using a Shared Device, you must create a Shared Device supported profile. When creating a profile, the IT admin can customize device settings, company name and branding, device lock mechanisms, applications, booting sequence, animation, setup wizard cancellation, Kiosk Mode and hard key remapping.
To create a Shared Device supported profile:
- Select Profiles from the left-hand navigation menu.
- Click the CREATE PROFILE button from the upper-right portion of the screen.
- Specify that the profile is intended for a PHONE OR TABLET.
- Select DYNAMIC EDITION for the profile type. Shared device support is not available with Setup edition Knox Configure profiles.
- Create a Dynamic edition profile by configuring the required fields.
- After creating the profile, you should now be able to configure a Shared Device to enable multiple users, or employees, to access and share a single device.
Configure a Shared Device
Provide the information required to enable the Shared Device agent. Configuring the Shared Device agent differs depending on the Knox version running on the device.
For Knox 2.8 and previous
To configure Shared Device support on devices running Knox version 2.8 or earlier:
- Select Profiles from the left-hand navigation menu.
- Select a dynamic edition profile from those listed.
- Select SHARED DEVICES from the Profile configuration dashboard.
- Enable Shared Device - Select to upload the Shared Device agent on to the device.
- Background image - Click SELECT to choose a display image for the Shared Device login screen.
- Enable Kerberos SSO - It's recommended to select this option to upload the Samsung Kerberos Authenticator for Shared Device validation.
- Optionally use the Upload XML configuration file setting to select and upload an XML formatted file. If you do not have a properly formatted configuration file, select Click here for sample XML file to display a sample file you can use for reference.
- Set the following Enterprise branding information to set Shared Device organizational logos and company name branding:
- Choose the Select button and set a Company logo to display on the Shared Device(s). Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
- Enter a Company name for Shared Device utilization that does not exceed the 20 character maximum.
- Click SAVE then PUSH UPDATE on the top right corner of the screen.
For Knox 2.9 or above
Devices supporting Knox version 2.9 or above support additional Shared Device configuration options not supported in earlier Knox versions.
Follow the steps below to configure a Shared Device:
- Select Profiles from the left-hand navigation menu.
- Select a dynamic edition profile from those listed.
- Select SHARED DEVICES from the Profile configuration dashboard.
- Shared Device - Select Enable to upload the Shared Device agent to the device.
- AD domain - Enter the name of the corporate Active Directory provisioning the Shared Device accounts.
- Background image - Click SELECT to upload an image for the Shared Device login screen.
- Set the following Enterprise branding information to provide Shared Device organizational logos and company name:
- Company logo - Click SELECT to upload an image for Shared Device branding. Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
- Company name (max. 20 characters) - Enter the company name. Note that the maximum allowable number of characters is 20.
- Screen timeout (minutes) - Set the maximum amount of time a Shared Device can remain idle before password credentials must be re-entered to resume access.
- Maximum allowed screen lock attempts reached - Set a threshold to limit the number of failed lock screen attempts permitted on a Shared Device.
- Select applications to prevent data clearing - Select Add to include additional applications to retain Shared Device application packages once the device’s shared mode is disabled. To remove an application, select X.
- Enable Kerberos SSO - Select this option to upload Samsung’s recommended Kerberos authenticator to the Shared Device.
- Click SAVE, then PUSH UPDATE on the top right corner of the screen.
Prevent users from performing a factory reset
Samsung recommends utilizing a KC policy that prevents users from factory resetting their device.
To disable a factory reset:
- Select Profiles from the left-hand navigation menu and select the target profile to modify.
- Select a profile to restrict factory resets.
- Select RESTRICTIONS from the Profile configuration dashboard.
- Select the EDIT button from the top right corner of the screen.
- Navigate to the SECURITY portion of the screen and select Disable factory reset.
- Click SAVE then PUSH UPDATE on the top right corner of the screen.
Prevent users from stopping the Knox Shared Device app
Samsung recommends blocking the Force Stop and Clear Data options for the Knox Shared Device app. Consider deploying policies that prevent users from opening Application Manager and using the Force Stop or Clear Data options, either of which keeps the Shared Device app from running properly.
If you programmatically manage a Knox Shared Device, call the APIs referenced below and pass com.sec.enterprise.knox.shareddevice and com.sec.enterprise.knox.shareddevice.keyguard as the packageList input parameter:
addPackagesToForceStopBlackList(List<String> packageList)
addPackagesToClearDataBlackList(List<String> packageList)
addPackagesToClearCacheBlackList(List<String> packageList)
setApplicationUninstallationDisabled(List<String> packageName)
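The calls listed above, combined into one helper that reports whether every block list update was accepted. This is an added example, not Samsung's own code: it assumes the Knox SDK 3.x namespace (com.samsung.android.knox), an agent app with an activated Knox license, and that setApplicationUninstallationDisabled accepts one package name per call; the class and method names are hypothetical.

```java
import android.content.Context;
import android.util.Log;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.ApplicationPolicy;

import java.util.Arrays;
import java.util.List;

// Hypothetical helper class; not part of the Knox SDK.
public final class SharedDeviceAppProtection {
    private static final String TAG = "SharedDeviceProtect";

    // The two Shared Device packages named on this page.
    private static final List<String> SHARED_DEVICE_PACKAGES = Arrays.asList(
            "com.sec.enterprise.knox.shareddevice",
            "com.sec.enterprise.knox.shareddevice.keyguard");

    /** Returns true only if every block list update was accepted by the device. */
    public static boolean protect(Context context) {
        try {
            ApplicationPolicy policy =
                    EnterpriseDeviceManager.getInstance(context).getApplicationPolicy();

            boolean forceStop = policy.addPackagesToForceStopBlackList(SHARED_DEVICE_PACKAGES);
            boolean clearData = policy.addPackagesToClearDataBlackList(SHARED_DEVICE_PACKAGES);
            boolean clearCache = policy.addPackagesToClearCacheBlackList(SHARED_DEVICE_PACKAGES);

            // Assumption: this SDK method takes a single package name per call.
            for (String pkg : SHARED_DEVICE_PACKAGES) {
                policy.setApplicationUninstallationDisabled(pkg);
            }

            if (!(forceStop && clearData && clearCache)) {
                // Log which list was rejected so the profile can be re-pushed or audited.
                Log.w(TAG, "Block list update rejected: forceStop=" + forceStop
                        + " clearData=" + clearData + " clearCache=" + clearCache);
                return false;
            }
            return true;
        } catch (SecurityException e) {
            // Raised when the caller lacks the Knox permission or license for this policy.
            Log.e(TAG, "Not permitted to change application policy", e);
            return false;
        }
    }
}
```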
Use the Knox Configure Shared Device
Refer to the following information to set up and log in to a Knox Shared Device, and if necessary uninstall Knox Shared Device.
Set up Knox Shared Device
To configure Knox Shared Device support on the actual device:
- Enter the following credentials provided by your IT admin, then tap Sign in.
- Domain name
- Username
- Password
- Select an unlock method.
- Current password
- PIN
- Pattern
- Fingerprint
- Select and confirm the unlock method.
Sign into Knox Shared Device
To sign into Knox Shared Device:
- Enter the following credentials provided by your IT admin.
- Domain name
- Username
- Password
- Tap Sign in.
Sign out of Knox Shared Device
To sign out of a Knox Shared Device:
- Swipe down from the top of the screen to display the status bar.
- Tap Sign out on the notification pane with your Knox Shared Device username.
OR
- Lock the device.
- Tap SIGN OUT from the top right-hand corner of the device.
Uninstall Knox Shared Device
If you attempt to uninstall Knox Shared Device without factory resetting the device, some user data may remain on the device.
To uninstall Knox Shared Device:
- Deploy a factory reset policy to the device.
- Alternatively:
- Log in to your Knox Shared Device account.
- Navigate to Settings > Backup and reset > Factory data reset.
- Tap RESET DEVICE.