
Shared Device

The Knox Configure Shared Device feature enables multiple users to access the same device without sharing data across multiple devices, thus reducing the risk of an exploited device.

About Shared Device

When powering on a Shared Device, each employee is prompted to log into a separate account with their Active Directory (AD) credentials and manage their own unique set of files and apps. Individual settings, accounts, applications and policies are utilized exclusively with a single user account. After a user logs out, data is wiped from the device and isn't shared with other users.

Shared device functionality is optional and not required when creating a Knox Configure profile.

NOTE - The Knox Configure client ignores shared device configurations on devices running Android Q and above. The Knox Configure console displays a warning about the now-unsupported status of shared device and E-billing on Android Q. If the shared device feature was already enabled on an existing device that was then FOTA updated to Android Q, the shared device feature should be disabled by applying a new profile with shared device disabled.

Samsung Knox Single Sign On (SSO)

Samsung SSO technology is based on the Kerberos protocol, which lets device users authenticate with a single account and access a wide range of enterprise resources without logging into each application separately. SSO eliminates the burden of recalling multiple passwords and gives users a single password that meets corporate password policies. Once an employee is done with the Shared Device, they simply log out and hand the device to the next user, who then enters their own credentials.

NOTE - To log into a Shared Device, users must maintain an active connection to their corporate Wi-Fi network or VPN. Shared device functionality does not work on devices utilizing a Knox container. Ensure device containers are removed prior to activating a Shared Device.

The application client and Samsung's SSO solution on the device authenticate with Enterprise Active Directory as follows:

  • SSO client on the device communicates with Active Directory for Kerberos authentication through VPN or by using on-premise Wi-Fi.
  • Upon successful authentication, the SSO client provides the requested authentication token to the app.
  • The authentication token, either a Negotiate token (for HTTP Negotiate) or a SAML response (for SAML 2.0), is then forwarded to an Intranet service or a cloud service respectively, depending on the token requested.

To learn more about Samsung Knox SSO solution, visit Knox SSO SDK.

Prerequisites

The following prerequisites are required to utilize a Shared Device:

  1. Active Directory
    • End user credentials
    • Kerberos (port 88) must be enabled for the Shared Device authentication
  2. A supported Samsung device running Knox version 2.6 or above

Create a Shared Device supported profile

To begin using a Shared Device, you must create a Shared Device supported profile. When creating a profile, the IT admin can customize device settings, company name and branding, device lock mechanisms, applications, booting sequence, animation, setup wizard cancellation, Kiosk Mode and hard key remapping.

To create a Shared Device supported profile:

  1. Select Profiles from the left-hand navigation menu.
  2. Click the CREATE PROFILE button from the upper-right portion of the screen.
  3. Specify the profile is intended for a PHONE OR TABLET.
  4. Select DYNAMIC EDITION for the profile type. Shared device support is not available with Setup edition Knox Configure profiles.
  5. Create a Dynamic edition profile by configuring the required fields.
  6. After creating the profile, you can configure a Shared Device to enable multiple users, or employees, to access and share a single device.

NOTE — Once the Shared Device configuration is complete, optionally navigate to the Summary screen to review the attributes of the newly created Shared Device KC profile.

Configure a Shared Device

Provide the information required to enable the Shared Device agent. Configuring the Shared Device agent differs depending on the Knox version running on the device.

For Knox 2.8 and previous

To configure Shared Device support on devices running Knox version 2.8 or earlier:

NOTE — The configuration options within the Shared Devices screen differ if the device is utilizing Knox version 2.9 or above.

  1. Select Profiles from the left-hand navigation menu.
  2. Select a dynamic edition profile from those listed.
  3. Select SHARED DEVICES from the Profile configuration dashboard.

  1. Enable Shared Device - Select to upload the Shared Device agent on to the device.
  2. Background image - click SELECT to choose a display image for the Shared Device login screen.
  3. Enable Kerberos SSO - It's recommended to select this option to upload the Samsung Kerberos Authenticator for Shared Device validation.
    • Optionally use the Upload XML configuration file setting to select and upload an XML formatted file. If you do not have a properly formatted configuration file, select Click here for sample XML file to display a sample file you can use for reference.
  4. Set the following Enterprise branding information to set Shared Device organizational logos and company name branding:
    • Choose the Select button and set a Company logo to display on the Shared Device(s). Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
    • Enter a Company name for Shared Device utilization that does not exceed the 20 character maximum.

  5. Click SAVE then PUSH UPDATE on the top right corner of the screen.

For Knox 2.9 or above

Devices supporting Knox version 2.9 or above support additional Shared Device configuration options not supported in earlier Knox versions.

Follow the steps below to configure a Shared Device:

  1. Select Profiles from the left-hand navigation menu.
  2. Select a dynamic edition profile from those listed.
  3. Select SHARED DEVICES from the Profile configuration dashboard.

  1. Shared Device - Select Enable to upload the Shared Device agent to the device.
  2. AD domain - Enter the name of the corporate Active Directory domain provisioning the Shared Device accounts.

NOTE — When powering on, Shared Device users receive a prompt to log in with the credentials for this Active Directory domain. A successful login is required to access Shared Device resources.

  3. Background image - Click SELECT to upload an image for the Shared Device login screen.

NOTE — The selected image overwrites the image set in the Home and Lock screen field.

  4. Set the following Enterprise branding information to provide Shared Device organizational logos and company name:
    • Company logo - Click SELECT to upload an image for Shared Device branding. Ensure the file utilized adheres to the listed image requirements and recommended dimensions.
    • Company name (max. 20 characters) - Enter the company name, up to the 20 character maximum.

  5. Screen timeout (minutes) - Set the maximum amount of time a Shared Device can remain idle before password credentials must be re-entered to resume access.

NOTE — The default setting is 120 minutes if left unspecified.

  6. Maximum allowed screen lock attempts reached - Set a threshold for the number of failed lock screen attempts permitted on a Shared Device.

NOTE — If unspecified, the default setting for failed lock screen attempts is 5.

  7. Select applications to prevent data clearing - Select Add to include additional applications whose packages are retained on the Shared Device once the device's shared mode is disabled. To remove an application, select X.

NOTE — Retained applications will not be cleared when Shared Device mode is disabled.

  8. Enable Kerberos SSO - Select this option to upload Samsung's recommended Kerberos authenticator to the Shared Device.
  9. Click SAVE, then PUSH UPDATE on the top right corner of the screen.

Prevent users from performing a factory reset

By default, users can factory reset their device after logging in to their Shared Device account. Once the device is factory reset, the Knox Shared Device APK is removed and the device can be used as a regular Android device with no restrictions. After a factory reset, Wi-Fi and mobile data are disabled in Knox Configure, so the device can no longer update the profile it is enrolled in and cannot be unenrolled if need be. A network connection must be re-established before the device can receive updates and changes from Knox server resources.

Samsung recommends utilizing a KC policy that prevents users from factory resetting their device.

To disable a factory reset:

  1. Select Profiles from the left-hand navigation menu and select the target profile to modify.
  2. Select a profile to restrict factory resets.
  3. Select RESTRICTIONS from the Profile configuration dashboard.
  4. Select the EDIT button from the top right corner of the screen.
  5. Navigate to the SECURITY portion of the screen and select Disable factory reset.
  6. Click SAVE then PUSH UPDATE on the top right corner of the screen.

Prevent users from stopping the Knox Shared Device app

By default, users can disable the Knox Shared Device app by navigating to Settings > Application Manager. After the app is disabled, the device converts to a regular Android device without restrictions beyond the policies that you have already deployed.

Samsung recommends blocking the Force Stop and Clear Data options for the Knox Shared Device. Consider deploying policies to prevent users from going to Application Manager and using the Force Stop or Clear Data options to prevent a Shared Device app from running properly.

If you programmatically manage a Knox Shared Device, call the APIs referenced below and pass com.sec.enterprise.knox.shareddevice and com.sec.enterprise.knox.shareddevice.keyguard as the packageList input parameter:

  • addPackagesToForceStopBlackList(List<String> packageList)
  • addPackagesToClearDataBlackList(List<String> packageList)
  • addPackagesToClearCacheBlackList(List<String> packageList)
  • setApplicationUninstallationDisabled(List<String> packageName)
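As an added example (not code from this page or from Samsung), the following shows how a device-admin app could apply those four Knox SDK ApplicationPolicy calls to the two Shared Device packages and report whether every protection took effect. It assumes a device-administrator app with an activated Knox license and the KNOX_APP_MGMT permission, and uses the single-package form of setApplicationUninstallationDisabled that the Knox SDK exposes.

```java
// Added example, not from the Knox Configure page or Samsung sample code.
// Assumptions: the calling app is a device administrator with an activated Knox
// license and holds com.samsung.android.knox.permission.KNOX_APP_MGMT (Knox SDK 3.x).
import android.content.Context;
import android.util.Log;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.ApplicationPolicy;
import java.util.Arrays;
import java.util.List;

public final class SharedDeviceHardening {
    private static final String TAG = "SharedDeviceHardening";

    // The two Shared Device packages named in the documentation above.
    static final List<String> SHARED_DEVICE_PACKAGES = Arrays.asList(
            "com.sec.enterprise.knox.shareddevice",
            "com.sec.enterprise.knox.shareddevice.keyguard");

    /**
     * Blocks Force Stop, Clear Data and Clear Cache for the Shared Device agent
     * and disables its uninstallation. Returns true only if every call succeeded,
     * so the caller can fall back to pushing the equivalent Knox Configure policy.
     */
    public static boolean protectSharedDeviceAgent(Context context) {
        ApplicationPolicy appPolicy =
                EnterpriseDeviceManager.getInstance(context).getApplicationPolicy();
        boolean allOk = true;
        try {
            // Each blacklist API takes the full package list and returns a List;
            // a null return is treated as failure (assumption about the SDK contract).
            List<String> r1 = appPolicy.addPackagesToForceStopBlackList(SHARED_DEVICE_PACKAGES);
            List<String> r2 = appPolicy.addPackagesToClearDataBlackList(SHARED_DEVICE_PACKAGES);
            List<String> r3 = appPolicy.addPackagesToClearCacheBlackList(SHARED_DEVICE_PACKAGES);
            allOk = r1 != null && r2 != null && r3 != null;

            // Uninstall blocking is applied per package (String parameter in the SDK).
            for (String pkg : SHARED_DEVICE_PACKAGES) {
                if (!appPolicy.setApplicationUninstallationDisabled(pkg)) {
                    Log.w(TAG, "Could not block uninstall of " + pkg);
                    allOk = false;
                }
            }
        } catch (SecurityException e) {
            // Thrown when the app lacks the Knox permission or an active license.
            Log.e(TAG, "Knox application policy not permitted", e);
            return false;
        }
        return allOk;
    }
}
```

A false return means the agent is still stoppable or removable by the user, which is the condition the Force Stop and Clear Data restrictions above are meant to prevent.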

Use the Knox Configure Shared Device

Refer to the following information to set up and log in to a Knox Shared Device and, if necessary, uninstall Knox Shared Device.

Setup Knox Shared Device

To configure Knox Shared Device support on the actual device:

  1. Enter the following credentials provided by your IT admin, then tap Sign in.
    • Domain name
    • Username
    • Password
  2. Select an unlock method.
    • Current password
    • PIN
    • Pattern
    • Fingerprint
  3. Select and confirm the unlock method.

Sign into Knox Shared Device

NOTE — Once enrolled in Knox Shared Device, you cannot use the device without signing in to your account.

To sign into Knox Shared Device:

  1. Enter the following credentials provided by your IT admin.
    • Domain name
    • Username
    • Password
  2. Tap Sign in.

Sign out of Knox Shared Device

To sign out of a Knox Shared Device:

  1. Swipe down from the top of the screen to display the status bar.
  2. Tap Sign out on the notification pane with your Knox Shared Device username.

OR

  1. Lock the device.
  2. Tap SIGN OUT from the top right-hand corner of the device.

Uninstall Knox Shared Device

If you attempt to uninstall Knox Shared Device without factory resetting the device, some user data may remain on the device.

NOTE — Samsung recommends you deploy a policy to prevent users from factory resetting their device. Otherwise, they may accidentally uninstall Knox Shared Device.

To uninstall Knox Shared Device:

  • Deploy a factory reset policy to the device
  • Alternatively
    1. Log in to your Knox Shared Device account.
    2. Navigate to Settings > Backup and reset > Factory data reset.
    3. Tap RESET DEVICE.