Knox Guard release notes

Sept 6th 2022 Knox Guard feature updates

SIM policy improvements

Previously, a new policy could be created using the same settings as an existing one. This oversight could lead to confusion, as there could be multiple policies which provided identical behavior. In addition, deleting an existing policy wasn't possible.

Knox Guard 22.08 closes these gaps in policy management by allowing you to:

  • Check for policy settings duplication. If an old policy with the same settings is detected, an error message is shown.
  • Delete obsolete polices that aren't applied to any devices.

See SIM control for more information.

May 25th 2022 Knox Guard feature updates

Options for Relock reminder configuration

Previously, relock reminders always gave device users the option to call support.

To better accommodate enterprises that don’t need that option in their support strategy, starting with KG 22.05 you can now define granular settings for relock reminders and specify whether to provide device users the option to call a support phone number or launch a support app.

SIM control policy enhancement

Devices with a dual SIM card configuration can now use restricted features as long as one of the SIM cards is allowed. To enable this behavior, use the new Minimum restriction setting in the SIM control policy. If both SIM cards are blocked, they are restricted according to the control policy, as before.

The new IMSI Lock menu and how to use it

Bulk query for detailed information

Starting with KG 22.05, you can search for devices in bulk and get the device information of each IMEI or serial number at once. The device information can be downloadable as a CSV file.

The new IMSI Lock menu and how to use it

Firmware information in Customize device table

The firmware version of a device is added to the Customize table on the Device tab. This information is available for download as a CSV file.

Previously, there was an issue when searching for devices with 14-digit IMEIs by entering a 15-digit IMEI. The proper device wouldn’t appear in the query when entering a 15-digit IMEI.

As of Knox Guard 22.05, regardless of whether a device is registered with a 14- or 15-digit IMEI, you can search for it with a 14- or 15-digit query and return the correct device in the results.

March 26th 2022 Knox Guard feature updates

Improvements to device lock based on IMSI change

A new IMSI Lock menu is available under the SIM control page. This feature allows customers to enable or disable IMSI policies regardless of whether MCC/MNC information is provided. This feature is implemented in the case where the IMSI is changed after a different SIM card is inserted into the device.

The new IMSI Lock menu and how to use it

Knox Guard console dashboard improvements

The Knox Guard dashboard now includes more granular device state information to provide device details at a glance.

For Normal devices:

  1. A new Offline locked device state is available in the Attention section.
  2. Click Offline locked from the dashboard to see a list of devices with that status.

For Pay-as-you-go (PAYG) devices:

  1. The following statuses are listed for each device:
    • Attention — Active | Locked
    • In progress — Activating, Resetting, Completing
  2. Next to each status, the number of devices with that status is displayed.

The DEVICE STATUS view on the Knox Guard dashboard, with the new statuses

The device list with a device and its status

Updates to Knox Guard menu labels

To support more use cases, the menu labels on the Knox Guard portal now use more general terms. For example, Default lock screen now displays as Lock screen.

Bulk customization notifications

Customers can now send messages to device users both individually and in bulk. Messages can be customized to display a different message per device. This feature is also available through an API operation — /kcs/v1.1/kg/devices/customMessageAsync.

The updated flow for sending notifications, which now includes a SEND CUSTOM MESSAGES choice

Device lock and wipe

For missing or stolen devices, IT admins can lock and wipe the contents of the device through Actions > Wipe out. The device wipes as soon as it connects to a server. This action is irreversible.

IMPORTANT — To use this feature, the Wipe devices permission is required. This feature only applies to B2B users.

January 19th 2022 Knox Guard feature updates

End of support for Internet Explorer 11

Microsoft announced that they will end support for Internet Explorer 11 (IE11) on June 15, 2022. In preparation for this, as of 22. 01 you will not be able to access Knox Guard console on Internet Explorer. KG console is best viewed in Edge, Chrome, or Firefox

November 18th 2021 Knox Guard feature updates

Configure multi-SIM policy in single tenant

The changes for this upcoming release allow for the configuration of multiple SIM policies:

In the current implementation, a configured SIM policy must apply to the device once an admin has Enabled it. The applied policy will be the same for all devices with the enabled SIM policy.

Device users can configure multiple SIM policies (max 5). For example, SIM policy 1 could apply to device 1 by the Enable SIM policy function. Another SIM policy 2 could apply to device 2. Device 1 and device 2 would then receive different SIM policies.

Change the default duration of Offline lock

IT admins can specify how long a device can stay offline before it automatically locks. For the default setting, the value is set to 30 days.

The date range for configurable offline days before a device locks has been changed from 15-200 days to 3-200 days.

Improved KG notifications

To align with existing Knox cloud service solutions and improve the visibility of portal messages/responses, a new Notification Centre has been implemented on KG.

The Messaging tab on the KG portal has been replaced with a Notification Centre.

Updated notification title

If a customer's company name is too long, the displayed notification title will shorten from Notice from company name to Company name.

Filtering devices with updateTime

Customers can now request devices that have been changed after a specific time frame and KG will only return the devices that match the condition:

POST /kcs/v1.1/kg/devices/list

September 1st 2021 Knox Guard feature updates

MSP Support for KG Customers

Customers can register as MSP and manage multiple Knox Guard tenants from the MSP portal, which helps streamline the overall KG tenant operations. MSP can also create new KG tenants or migrate any existing customer’s tenants and manage it from the MSP portal efficiently.

Relock reminder feature for PAYG tenant

IT admins can send a reminder message to device users regarding Timestamp expiry or to request payment prior to a device lock. These reminders are available for Activating and Active devices.

NOTE — This particular feature requires additional permissions and is available for PAYG type of license only.

SIM policy applied information is available on CSV file

The downloadable CSV file (from Device > Actions > Download devices as CSV) now contains SIM policy information for customers to see which devices have SIM policies applied.

Provide more information of Device Status-Active/Lock

A new device status was added to provide customers additional information about devices. The new status is ActiveLocked. This ActiveLocked status indicates the device is locked due to the Relock time being passed. This feature is only applicable to PAYG tenants where the device status information is provided either using the device table or a CSV file.

June 16th 2021 Knox Guard feature updates

Single API for device upload and SIM policy enabled for easy operation

Customers can now apply the SIM policy right after the device is enrolled by using the Upload device API, for example: Add parameter to kcs/v1.1/kg/devices/upload.

CSV containing exact information of device shown on KG console

Currently, the downloaded CSV files contain detailed device information but some information regarding the device status is not included. For example, if the device’s status changes to offline lock, then the device shows as Active/Offline, but the CSV shows the status as Active. Starting with this release, the missing information is now available in the downloaded CSV file.

Change the behavior of network verification

To support a case where a customer can service multiple networks—For example, multiple MCC/MNC of one carrier—network verification is now changed to two steps:

  1. Compare the inserted SIM information with the allow-listed SIM configured from the KG console.
  2. Next, compare the network information with the allow-listed SIM’s configured information on the device.

Once these two steps are completed successfully, the device is unlocked and remains unlocked until it is rebooted or the SIM changes.

Lock Screen Customization

Starting with this release, the lock screen now has more customizable options to allow customers to support their end-users. Along with making device payments using an app to unlocking the phone, customers can now make calls and access their device information from the lock screen. This update only applies to Android R OS devices.

Customize lock message or Relock timestamp for Activating a device

Customers can now update the lock message as well as the Relock timestamp for devices that are in the process of activation. This feature is available in the KG portal and the Cloud API as well.

  1. KG Portal: ‘Send Relock timestamp’ menu (from Actions) is available for Activating devices. This feature is also available for devices in bulk.
  2. Cloud API: Customers can use POST/kcs/v1.1/kg/devices/actions for Activating devices.

Categorize the menus or bulk actions for better user experience

Now includes categories for an improved user experience.

Add Serial Number for Device ID

Serial number (S/N) information is now available in the Device Table.

April 28th 2021 Knox Guard feature updates

Customers using KG can now use other services in KCS

Currently, customers using Knox Guard (KG) can use Knox Configure (KC) and Knox Mobile Enrollment (KME) only after internal policy changes. Starting this release, customers using KG can additionally register to use other KCS services, such as KC, KME, KAI, and KM. This availability comes with the following improvements:

  • Register to use one or more of KCS services—Customers who want to use additional KCS services can follow a registration process to gain access to all of these services.
  • Information synced across all services—Once customers complete the registration process to access all KCS services, device information in KG is synced across all KCS services.

March 24th 2021 Knox Guard feature updates

Set allow-list for Incoming call on lock screen

There is a new option to configure an allow-list for incoming calls for locked devices.

This configuration is available in the Default lock screen/PAYG lock screen only, but it will also be applied for Remote, SIM, PAYG and Offline lock cases.

This feature allows end users to receive incoming calls from allow-listed numbers even if the device is locked (Customers can add their Customer Support numbers to the allow-list and give guidance/request overdue payment when the device is locked).

Per-device auto-lock

Currently, the auto-lock option is applied by the tenant meaning all devices registered to a given tenant get locked once this option is enabled. For Knox Guard 1.38, auto-lock can be applied to certain devices in the case where the device is missing/stolen.

It is not required to Enable auto-lock again for devices that already have auto-lock applied (the device will continue to have auto-lock applied). This permission is given per Tenant, not device. If a new device is registered, you must select and apply the auto-lock function to that new device manually.

Update the lock messages

With the KG 1.38 release, customers can update the lock message per device without changing the device state.

For normal/AntiTheft tenants, go to Action > Update Lock message

For PAYG tenant, go to Action > Send Relock timestamp

This particular feature is available in Bulk Action menu for multiple devices at once.

New information available on ‘Device Tab’ Device upload/accepted/activated Times and client version

There are three device relevant times which are found on the KG customer portal (Device table). These times are:

  1. Device uploaded time
  2. Device accepted time
  3. Device activated time

Each device time is available on the Device table as a separate column

The Agent version is also available on the Device table so customers are now able to view which version is installed on each device.

Inform user of payment complete/Device unlock

Customers can notify device users of status changes for better user experience. Messages can be sent when a payment has successfully been completed and the when the device has been unlocked after an overdue payment has been completed. These messages can be customized.

This feature is available via the KG console and by API calls

Distinguished enrollment type (URL Enrollment or OOBE)

A new menu is available on the SA portal (Samsung Super Admins and Subsidiary Admins can enable/disable this option).

Devices where the tenants have enabled ‘URL enrollment’ permissions can enroll in KG via URL.

For existing KG users, URL Enrollment permissions are pre-configured as ON.

SA Portal – Improve the user flow

There have been some usability improvements for the Admin side of the KG client:

  1. If the Admin clicks ‘Go back to customer table’, it returns to the search result rather than the starting page
  2. The ability to search a customer by Customer ID has been added

Improve activity log to capture all user actions generated in KG portal

A new event will be logged whenever the ‘Search’ function is used and a detailed description containing the search keywords will be generated in the activity log. A new event will also be recorded in the activity log if the user logs out.

Improve ‘Always show’ option for enrollment notification

The option to set a non-dismissible message for Enrollment Notice worked only when ‘Always show on notification panel’ and ‘Show after completing enrollment’ were selected together. This was not by design because the two options are not dependent on each other.

There are two types of notifications:

  1. Persistent Notification: Notifications are always displayed on the notification panel once KG is enrolled and users cannot clear this notification as long as the device is enrolled to KG
  2. Dismissible Notification: Configured when the enrollment notification is displayed (After enrollment or Device reboot)

For KG 1.38, users can set each option separately without the two being dependent

Add customer type for customer analytics

Currently, KG categorizes customers as ‘End Customer’ or ‘Samsung Employee’. However, this does not cover all the KG business cases, especially Partnership model cases.

Samsung Admins can categorize the customer type (Samsung Employee, End Customer or Partner) and add partner information.

  1. Samsung Admins can add Customer type when approving the customer request along with a Tenant type
  2. Samsung admins can type or select a partner name after selecting the Customer type

Access KG with AD login Credential

Because AD login is available within the Knox Portal, customers can access KG with their AD credentials.

If the AD is configured and the customer is logged in via AD login:

  • Customer can launch the KG console from the KP Dashboard with their AD credentials (no additional credential is required to launch the KG console)

If the AD is disconnected in the Knox Portal:

  • Only Samsung Account login is available for all admins
  • If admins don’t have a Samsung account, then it is required to create a Samsung Account to access the KG portal

December 16th 2020 Knox Guard feature updates

Advanced SIM Control based on IMSI

Customers can set their SIM Control policy based on the IMSI value. If a device detects a different IMSI value from what was registered (paired), the device will immediately get locked. This allows our customers, such as operators or finance companies, prevent fraudulent reselling.

Please note that additional permissions are required to enable this feature

Increase application size for Application Installation Policy

Currently, apps on the KG console have a size limit of 100MB based off the average size of an app. To support the request to increase the maximum size for KG customers, the limit has been increased to 150MB. Any size greater than the limit will produce an error message in the KG Console.

November 4th 2020 Knox Guard feature updates

SIM lock for PAYG

This update introduces a SIM ‘Lock’ function for the PAYG model. This feature allows customers to prevent devices being resold to other countries by locking the device if a blocklisted SIM is inserted.

Additionally, a submenu called ‘Network registration verification’ checks if the inserted SIM (even for allowlisted SIM) is an active one

Overdue message over lock screen

Devices get locked for various reasons and end-users try to unlock it through various methods. However, if a user does not know how to unlock, then they call the customer care center for assistance. This may increase call volume from the customer’s perspective and take more time to resolve the issue.

This feature can help customers by guiding them on how to unlock their devices or how to make a payment if needed. Through these messages, customers can save time and resolve their issues without having to call customer support.

New lockscreen concept for R OS

From R OS, the following changes have been made to optimize the screen for the customer’s benefit:

  • Customer app is placed at the main lockscreen (the App icon is extracted from the apk and its title text can be customized by the customer)
  • More space is available for the lock message by changing the buttons into icons.

R OS lockscreen will have the following GUI characteristics

  • Normal user lockscreen look and feel as much as possible
  • Vivid background
  • Call/Email button to the options screen to simplify main lock screen
  • Wi-Fi and mobile data icon button
  • Flexible Lock message area (with min & max height)

Remove applied policies once completing

Currently, some policies are applied to devices at the ‘completing’ status, which leads to issues if the device is locked due to the policy. ‘Completing’ is the prior step to complete which means the customer has made full payment and is waiting for the device to be released from KG control.

The policies have been removed once the device has made its payment. The removed policies include:

  1. SIM policy
  2. Notices such as Enrollment and SIM card change
  3. Relock timestamp
  4. Offline lock

PIN is not supported for Blink Reminder

Currently, users can clear the ‘Blink reminder’ with a PIN code, but it is not necessarily required given that this reminder can be dismissed with an ‘OK button’.

The PIN input for the Blink reminder is not supported from KG 1.36 and onward

New option for enrollment message

Customers may worry about their device being resold to someone else, so a message that indicates the device is currently under a finance program is implemented.

  • KG Console: there is a new option for displaying an enrollment notification (e.g. ‘Always display the notification once KG enrolled’)

  • Client: if the customer selects to display the enrollment notice to always show on the notification panel, it should be registered on the notification panel once the device is enrolled. This notification cannot be cleared until the device itself is deleted

Sept 2nd 2020 Knox Guard feature updates

Auto launch of app installation

This enhancement addresses customers who are installing an app via KG, and want to auto-launch the app when the device is initially booted after app install. For more details on the feature, see 'Advanced controls' section in Manage default policies.

With this release, an option has been added to the App installation screen enabling an app to optionally launch automatically after installation so device users can use the app immediately. The app auto launches only at initial enrollment and factory reset.

Localized device information

Some Knox Guard supported countries use multiple languages. As a result, some customers want to send both customized and lock messages in the same language as the device language setting.

With this release, a customer can obtain language info using the Knox Guard REST API (Get Device Info). Using the API, a customer can know the language utilization of the device. Once determined, the customer can send a message in multiple languages corresponding to the end-user device language. This feature is also supported on pay-as-you-go devices since it doesn't have any dependency on the KG service type.

June 29th 2020 Knox Guard feature updates

Trial to commercial license conversion enhancements

To date, customers have been able to use trial licenses as needed to test their commercial devices in SLM, but commercial license conversion remains problematic.

Going forward, trial licenses can now be converted to KG commercial licenses in SLM with greater ease. Additionally, trail to commercial license conversion is now reflected in the KG console, along with the new 3 to 12-month activation period for the commercial license.

Device status enhancements

With this release, the Knox Guard device state flow has been changed to reduce limitations with any particular Knox Guard status state and enable admins to navigate seamlessly as events progress within the Knox Guard lifecycle.

In particular, the Overdue status state and its related information have been removed. This will help reduce customer confusion and communication overhead by eliminating a largely unused device state.

Additionally, when a blink reminder is initiated for a payment delinquent device, an admin can now move directly to locking the device without releasing the blink reminder state. This helps reduce administration time by eliminating the need to place the device in an active state prior to initiating a device lock.

For more information on Knox Guard status states, go to: Knox Guard status flow.

February 26th 2020 Knox Guard feature updates

New email management

To date, a KG admin may receive too many emails when uploading devices, accepting devices, or deleting devices. Consequently, their computer may be unable to receive important system emails because their email inbox is full. To address this issue, admins (including Super Admins) can now choose to receive system generated emails themselves for a specific group of system generated events. For more information on where to locate this setting, go to About the dashboard.

Increased length of overdue and default lock screen messages

Customers expressed the need to submit specific messages in several languages, and the 250m character maximum message length has proven inadequate in such instances. To address this request, the following notification and message length increases are implemented:

  • Default overdue notification message length – Increase to 500 characters
  • Default lock screen message length – Increase to 350 characters

Console search capability improvements

Recently the KG team has been fielding reports from customers stating it takes too long to search for devices using a partial search for approval ID from the KG console. As more devices are added into KG the search latency increases proportionally. Going forward, only a full search will be supported of a device’s IMEI or approval ID. The expectation is device searches should now only take approximately one second.

Copyright notice added to all KG generated emails

Going forward, each emails sent from either KG or the KG Samsung Admin console will have a copyright notice appended to the footer of the email. This requirement is based on a recent review requiring a copyright be appended to KG emails for legal compliance.

Role deletion now permitted for all admin states other than active

This feature addresses IT admin requests to delete a Knox Guard admin role with a pending, revoked or blocked state (any state but active). Prior to the role deletion, a message displays the intended admins impacted by the role deletion. Existing administrators assigned to the target role must be re-assigned to another role before the deletion can proceed. For more information on where to locate this setting, see Delete a role.

December 18th 2019 Knox Guard feature updates

New lock screen settings

A lock command is typically delivered to a device when Wi-Fi is enabled and available at home, work etc. However, a device may be unable to receive an unlock command if the device user not at home or work and unable to secure the required network connection. Even when a locked device user was to secure data connectivity at their carriers store, their device lock screen still does not provide the means to change network connectivity setting to receive the unlock command.

To address this shortcoming, mobile data and Wi-Fi on/off settings are required on the Lock screen when the device is in a locked state.

Updated license depletion notification email

Currently, the email informing and admin of a low license count is not received in time to re-order before depletion.

To better support our customer deployments and better ensure license seats can be re-applied before depletion, we have changed the time and frequency license depletion emails are sent. With this release, admin emails are now sent when the license count is down to 10% (out of total) remaining seats, then another email when at 5%, and a final email at 3%.

Location tracking enhancements

The Knox Guard team recently decided to remove the located device map from the console, since the utilization of the map requires a contract requiring individual user consent.

Going forward, the Knox Guard console will just display latitude and longitude data and provide a means for an admin to integrate this data to the map service of their choosing.

Once the device’s location is detected, its coordinates display as well as the time remaining before the next location refresh is available. The location can be refreshed up to 10 times a day. Once viewed, the location display cannot be refreshed for 10 minutes. The Locate device menu item only displays if the tenant has been granted permission, otherwise the menu item is hidden. Only a single device can be selected at a time.

Approval ID search with special characters

Customers often upload devices and approval IDs into Knox Guard, but are unable to search for a particular device using an approval ID, since an approval ID is not a filterable column option. Additionally, there is a limitation on the special characters that can be used in a search, even though approval IDs frequently use special characters like (/).

To remedy this shortcoming, an approval ID is now included as a device search option within the Devices tab. Additionally, these special characters will be supported as search parameters (@, :, $, /, *, %, ^, &, \, (, ), +, ?, {}, [],).

First time device upload enhancements

Customers have reported frustration locating the portion of the Knox Guard console used for first time device uploads into Knox Guard.

To reduce console navigation uncertainty, an UPLOAD DEVICES button has been added to the Devices screen. Once selected, the Upload devices screen displays. A tool tip is also included describing the subsequent device upload actions available to an admin by invoking this action.

Device user overdue messaging enhancements

Currently, payment overdue notifications can be easily ignored from the device’s notification center, somewhat defeating the purpose of the overdue notification.

To make overdue notifications difficult to ignore, an Initially show notifications as a full-screen message on user’s device checkbox option has been added to the Default overdue notifications screen. When selected, the device user sees the fullscreen message before the message displays on the notification panel. If unsure how the notification will display on the target user’s device, select Preview fullscreen message.

Device event log collection

Upon request, a device log has been implemented to capture events that are either sent automatically when a specific condition is met or dynamically when a push commend is received from the Knox Guard server. The device log is for internal debugging purposes and does not require a device user interface with log generation. The receipt of diagnostic information is optional.

Admins now capable of invitation to multiple services

To date, an admin is unable to invite another admin belonging to a different Knox Cloud Service. With this release, a Super Admin or an admin with Admin invitation permissions can now invite an admin belonging to a different service to a role in their service. For example, Admin 1 belongs to just KG with a non-Super Admin role. Admin 2 belongs to KME with a non-Super Admin role, but has Admin invitation permissions. Therefore, Admin 2 can invite Admin 1 to join KME for any role for which Admin 2 currently has permission.

September 25th 2019 Knox Guard feature updates

Activity log updates for administrative roles

With this release, the activity log has been enhanced to provide a broader range of Knox Guard administrative event changes. These administration events include, administrator invitations, administrator modifications, resent/reactivated/revoked invitations, and deactivated/reactivated accounts.

Performance enhancements for console searches

Currently, it takes too long to search device IMEIs, serial numbers and approval IDs within Knox Guard Devices screen, since only a single query can be made at one time for a device search parameter.

To address this shortcoming, the Knox Guard console now permits more granular searches based on the IMEI&SN, or ApprovalID selected as the search parameter.

This update will increase search response time and improve performance.

View only permissions added

This KCS enhancement addresses customer requests to assign an administrator view only permissions. Once assigned, no profile configuration, device management, license, or reseller administration is permitted, just view only access.

When a View only radio button is selected, all nested options under that category (Devices and Uploads, Policies, Licenses, etc.) are disabled. Additionally, if a radio button has nested options and that category does not have View only selected, at least one of its permission checkboxes must also be selected. New roles have View only enabled by default.

Added IMEI number to lock screen email

To date, when a customer has locked the device of a delinquent user, the user sends an email from their Locked screen to their Customer Support. However, the IMEI has already been used to upload/enroll the device, and the customer cannot identify the Serial Number and are unable to locate the device within the Knox Guard console.

To remedy this issue, an additional IMEI field has been added to the email sent to Customer Support. Going forward, when a customer receives an email from a locked device user they should be able to view the IMEI of the device for easier reference and identification.

August 28th 2019 Knox Guard feature updates

Dashboard statistic and visualization enhancements

With this release, the Knox Guard Dashboard has been enhanced with a new DEVICE TRENDS graph. The Device Trends graph displays Knox Guard event status for a selectable trending period.

Additionally, a new Locked Device Types graph provides a breakdown of the various device lock types occurring for currently locked devices during a selected trending period. The various lock types trended include Default locked, Offline locked, and SIM control locked. For more information on the Knox Guard Dashboard, go to: Dashboard.

CSV file enhancements

To date, duplicate IMEIs display within a Knox Guard generated CSV file. These duplicate IMEIs can bloat the size of the file and skew the data in the file unnecessarily.

To remedy this situation, a shell script command is now run against the CSV file. The command keeps the initial response of the device IMEI within the file and removed subsequent duplicates. With duplicate entries removed, the file is generated faster, and is more beneficial to administrators trending actual device behavior.

July 31st 2019 Knox Guard feature updates

KG Rest API error return improvements

API calls can only be made to device in a specific state. However, too many “device_state_invalid” errors have been encountered, and each time such an error occurs it’s difficult to determine a device’s accurate status to properly troubleshoot the problem.

To resolve this issue, rather than calling “get device info” to obtain the state, the Knox Guard server will return the device state whenever a “device_state_invalid” error is triggered.

Disable blink reminders for scheduled intervals

Customers have reported blink notifications can bother their device users, especially at night and on weekends, and have requested the ability to disable them for specific configurable periods.

With this release, customers can now disable blink reminders for a configurable period of time without stopping or starting the blink reminder again. During the time blink reminders are disabled, they will remain as notifications.

Phone number or email address required for contact information

With this release, either a phone number or email address is required when setting a blink reminder, lock (automatic lock), offline lock (warning), or SIM control lock. With this requirement satisfied, a contact resource is now available if the device is rendered inoperable due to a device or SIM control lock.

Last Seen parameter added for requesting customers

A LAST SEEN column is now also available as a display option within the Knox Guard Devices screen. This column displays the last time a listed device IMEI/SN connected to the KG server. Both the Last Seen and Carrier fields are gated behind a feature flag so they can only be enabled for requesting customers.

For more information on enabling this feature, contact your Knox Guard Samsung admin.

Re-defined device log policies

This update does not represent a change to existing Knox Guard statuses, and maintains the use of ~ing for various event states. However, sent has been added to the event description to better distinguish what we sent clearly. For example, Unlock device has been updated to Unlock device sent. Additionally, there has been so many device errors showing in device log that it becomes confusing for the customer to discern legitimate errors from non-essential internal errors.

' To remedy this confusion, the Knox Guard team has reduced the number of unnecessary internal errors and now only maintains valid errors interpreted as important to users.

License usage dashboard improvements

To date, when a license is added into Knox Guard and is activated the same month, the license utilization count within the Knox Guard Dashboard does not properly increment and accurately reflect the update.

To remedy this situation, the Dashboard has been updated to accurately reflect license activations within the same month they were added into the Knox Guard console.

June 26th 2019 Knox Guard feature updates

In process state cancellation improvements

To date, when a device is in a transitional state, an admin is required to cancel the current in-process operation (Locking, Unlocking, Completing, Starting Reminder, or Stopping Reminder) from the Device details screen before they can transition the device into a different desired state With this enhancement, an admin can now move a device from the transitional state to an intended state without first canceling the in-process transitional state. As a result, the CANCEL button has been removed the bottom each Device details screen. Additionally, an admin can perform state transitions in batch mode for multiple devices by either selecting multiple devices or using a file.

Carrier information added to Device screen display

To date, admins have not been able to discern a listed device’s carrier from the menu and filter options available within the Knox Guard Devices screen.

To remedy this shortcoming within the Knox Guard console, a Carrier column is now available for display from amongst the 7 columns that can be selected for display within the Devices screen. Additionally, Carrier is also available as an option within the Devices screen STATUS column.

May 29th 2019 Knox Guard feature updates

Special characters now allowed in phone number fields

With this enhancement, special characters (*) and spaces are now permitted within the Knox Guard console. This update is applied everywhere a phone number is input within the Knox Guard console (enrollment notice, SIM card change, blink reminder, overdue notification , SIM control lock screen, Offline device lock screen, etc.).

Enrollment notice displayable after each device reboot

To prevent a device from being manipulated and resold during the Knox Guard installment management period, a notification that KG is enrolled on the device will now display during each reboot.

Similar to SIM event notifications, a customizable message can be enabled (its off by default), composed, and displayed after each device reboot stating the device is enrolled in a service plan.

The display of this message is intended to help deter the resale of a device to an unwitting 2nd party.

April 24th 2019 Knox Guard feature updates

SIM card swap enhancements

To date, customers are unsure whether Knox Guard is working as intended in respect to SIM card swaps and SIM swap data reporting. In particular, how many device users have attempted to swap their SIM card. With this release, SIM card change attempts can be logged and sent to the Knox Guard Server to provide greater visibility into potential device rooting events.

To implement this enhancement, the Knox Guard Devices screen has filter options added within the IMEI/SN column to select SIM Control enabled and/or SIM change attempts detected

Additionally, a SIM card policy icon is added indicating when a SIM card change attempt is detected. A pop-up will display when hovering over the icon describing the SIM card change attempt in greater detail.

Limitation added to administrator invitation role assignments

To avoid the further escalation of Knox Guard administrative roles and permissions issues, an existing admin who does not have a manage roles permission requires additional restrictions regarding the roles they can assign to other administrators.

With this release, existing administrators without a manage role permission can only invite admins with a matching set of their own role permissions. As a result, the Invite administrator screen’s Role drop-down menu choices have been customized for the particular role of the admin creating the invitation.

URL link available within overdue message and blink reminder preview image

With this release, a properly formatted URL (http://www...) can be now included in the device preview image text defined for either an overdue payment notification or blink reminder. When the device user taps the URL hyperlink, it opens the relevant Web page within the device browser. The addition of the URL is optional, but could be of great assistance to subscribers who want to make device user payment queries as seamless as possible for their customers.

Dashboard statistics and visualization enhancements

With this release the Knox Guard Dashboard has been updated to provide action success/fail rates and a License overview. Device SIM card changes are also displayed to provide greater visibility into potential; device rooting attempts. Hover over actions are also supported for more granular trending information.

Each of these Dashboard enhancements has its own trending period drop-down menu as well as the ability to save graph content to a CSV or excel file for archive.

Customizable SIM messages

Currently, a SIM change message is only supported in English, and the system defined message cannot be translated into other languages. Consequently, non-English customers cannot adequately protect against cheating and the resell of a device to a 2nd buyer when an installment balance is remaining.

To remedy this issue, a customizable SIM change notification is now displayed with every SIM change to help deter an unauthorized secondary device sale.

March 27th 2019 Knox Guard feature updates

License count and utilization enhancements

This enhancement enables the console to only display 100% of the total ad remaining license seats available, as opposed to 110% of the seats available, which contributed to confusion over the actual number available for both total and remaining license seats.

Additionally, the number of assigned licenses now displays in red when the count exceeds 100% of the assigned allocation to more efficiently display and differentiate and exceeded allocation. The red exceeded license display is also accompanied by a pop-up message stating the license seat limit has been exceeded, and to contact your reseller to purchase more license seats to regain compliance.

License usability console improvements

Currently, the status and expiration date displayed in the console’s License menu do not adequately reflect the service period. Consequently, the license activation display requires an update to be meaningful in respect to the actual license activation and license seat consumption.

To remedy this issue, and reduce uncertainty with Knox Guard’s service license concept, the console’s License screen will be updated display additional information about the license’s activation, service period, and expiration date.

Additionally, a new tool-tip is included to inform administrators the license expiration date is predicated on the actual license activation date. The Device screen is also updated to show the expiration date for each device utilizing the license, and the Device Details screen reflects a particular device’s license activation date.

Improved license consumption messaging

When a Knox Guard admin enters a commercial license key, they need to informed of the new KCS license exhaustion policy. To address this issue, the KCS team has added an explanation to prevent mistakes using a commercial/trial license.

The new message will state that if you enter a commercial key and use it for commercial purposes, you should delete the trial key used as a test first. If the Trial key remains or is newly added, that the trial key is exhausted first

Dashboard visualization improvements

With this release, license status and consumption trending can be customized from the console’s Dashboard for more efficient license availability assessment.

SIM control notification customizations

This feature addresses customer requests to send a customizable device notification message when an approved SIM is removed from a Knox Guard managed device. The message is intended to notify the device user their SIM cannot be detected, or is from an unsupported service provider and requires a different SIM. To address this request, the console UX has been updated to allow an admin to provide a customized message from the SIM control lock screen.

March 3rd 2019 Knox Guard feature updates

KG + KC/KME on the same device

This feature enables KG and KC/KME services to be used together on the same device so customers can protect their devices with KG, use KC for automatic device configuration or re-branding updates, and also use KME for device enrollment, management and app installations.

Typically, customers want to use KG with KC/KME to provide better device branding and management for deployments within their specific marker segments. In turn, this will drive up their sales, generate additional revenue for KCS, and expand the overall customer base for Knox services.

To accommodate the combined use of these services, a reseller can now upload a device to KG as well as KC/KME using one customer ID and account.

Role-based access control (RBAC)

This release introduces a new Role-based access control (RBAC) capability that allows customer (tenant) admins who are responsible for account creation (Super Admin) to assign more refined role permissions to individual admins as their specific enterprise requirements dictate. Though each supported Knox Cloud Service utilizes admin roles unique to that service, a Super Admin cuts across all supported services.

With the new RBAC service, existing customers will have their administrators migrated automatically. Administrators with their own unique set of permissions (manage administrators, delete devices etc.) will be assigned new roles that map to their current permissions. If needed, new roles beyond what the migrated admins are currently assigned can be created based on a list of permissions unique for each service.

The only role that cannot be assigned is the Super Admin role, which applies across all supported services. Only one person can assume a Super Admin role per company. Upon migration, the Super Admin role is assigned to the person who originally created the customer account. The Super Admin role receives every permission option available. For information on creating a new admin account and assigning them unique roles and permissions, go to: Manage administrators.

Upload devices directly to the KG server

Currently, to use devices in KG they must be purchased through a reseller. The customer must request registration (upload device IMEIs) in their reseller portal or using reseller API. Additionally, the customer can only use devices registered through their reseller within the KG console once approved and accepted with a valid KG license.

However, the process described above does not enable non-carriers, such as financial institutions, to use KG since they are not in a physical device channel, or function as resellers. For such customers, the KG team has provided tenant permission control within the Samsung Admin portal and provided user permission control within the KG console to grant permissions to limited users. Additionally, an IMEI verification step has been added to ensure a wrong device IMEI is not auto-accepted and registered.

Device deletion improvement for KG + KC/KME

This feature introduces a new device deletion concept when KC/KME is deployed with Knox Guard. Once devices are uploaded to a customer ID with KG/KC/KME accesses, devices are added to all three consoles by default. If the customer would like to use only KG on their devices, they can remove those devices from just the KC and KME consoles only.

December 5th 2018 Knox Guard feature updates

An emergency message is now available on a locked device

To date, a Knox Guard managed device cannot receive and display emergency messages when in a locked device state. This restriction can create serious legal issues in countries and regions where the broadcast of emergency messages is required.

To remedy this situation, emergency messages are now displayed above a device’s lock screen while the device remains in its current locked state. No additional device-side screens are introduced with the addition of the emergency.

Offline device lock capability added

To date, Knox Guard does not provide the ability to lock an offline device. Consequently, if a user does not purposely connect to network, the device is rendered out of Knox Guard control by not receiving its policy from its dedicated Knox Guard server.

Beginning with this release, a device can be locked when out of network after a configurable period of time. Before the timer is expired and the device is locked, an admin can display an offline lock warning message at a defined frequency. Once an offline device is locked, the device user is required to contact their carrier to restore functionality. The device user must share the challenge code on their device's lock screen (generated when the device was locked), and then the admin provides a PIN to the device user to enter on their device to restore its functionality.

The offline lock feature is only supported on devices running Android P or above.

Device unlock functionality update

Beginning with this release, a device user and an IT admin must collaborate to unlock a device. An IT admin needs to generate a PIN from the passkey displayed on the user's device, then share the PIN with the device user to unlock their device. In this case, both the PIN generation algorithm and password generation method are updated.

This device unlock update is only supported on devices running Android P or above.

Separate default enrollment and SIM change messaging now available

With this release, enrollment notices can be optionally enabled for end-user devices. Once globally enabled, separate completion of enrollment and SIM change messages can be optionally enabled as well. The completion of enrollment message is a customizable, 200-character maximum, message displayed once the setup wizard is completed on the device. The SIM card change message is a non-customizable message displayed when the SIM card is changed on the mobile device.

October 31st 2018 Knox Guard feature updates

Phone number within default enrollment notice now an optional parameter

Prior to this release, the Phone number provided within the Default enrollment notice was a mandatory parameter.

However, some subscribers have reported that they do not want to expose their customer’s (company) phone number within a Knox Guard enrollment notice. Going forward, only a welcome and enrollment Message is required, and a phone number contact resource is optional.

October 4th 2018 Knox Guard feature updates

Customizable app notification icon

To remove the potential recognition of Samsung device management and control as much as possible, the enhancement provides an option to change the icons displayed within customer subscription notifications. Going forward, notification icons are interchangeable, just like overdue message icons.

Knox Guard auto tour for console enhancements

The Knox Guard auto tour is a new customer communication mechanism designed to communicate new updates to the Knox Guard console, especially changes impacting console navigation and the uncertainty that can result in the existing user base.

August 29th 2018 Knox Guard feature updates

Overdue message template now editable by Knox Guard admin

With this enhancement, a subscription payment overdue message template can now be edited by a Knox Guard admin from within the Knox Guard console. Additionally, the number of overdue message templates available for message creation and selection is increased from 3 to 10.

Accept multiple devices from console Devices menu

To date, device acceptance options included accepting a single device at a time or accepting devices in bulk using a properly formatted CSV (.csv) file. To increase the device acceptance options available, multiple pending devices can now be selected from the console's Devices menu and accepted in a single operation.

Excel file now available for bulk uploads

To date, only a CSV file was available to support bulk uploads into the Knox Guard console. To enhance usability options going forward, am Excel file format (.xls) is also available to provide customers greater flexibility.

Samsung images removed from device screens within console

Samsung images have been removed from device screens displaying in the Knox Guard console to better reflect the ability to customize them to unique customer requirements.

July 25th 2018 Knox Guard feature updates

New Knox Guard UX

The Samsung Knox team is introducing a new version of Knox Guard console to provide optimal uniformity amongst our growing family of enrollment and configuration solutions. Knox customers will find the updated version of Knox Guard easier to navigate, as user interface elements have been logically combined to reduce the number of steps required to complete key management tasks.

The central update is the introduction of a collapsible left-hand navigation menu, replacing the previous horizontal menu bar. This provides a visual hierarchy of key Knox Guard payment management activities and administrator "call-to-actions."

The new Knox Guard console is personalized, with improved status updates from each user's previous login. Colorized status indicators optimally display "at-a-glance" event severity to administrate with best in class efficiency.

In-process cancellation options added

With this release, a Cancel link displays within the Device Details screen when the selected device Status is either Locking, Unlocking, Completing, Starting Reminder, or Stopping Reminder. This option allows the in-process operation to be stopped once begun if for some reason the operation was initiated in error or the device status needs to be reverted to its previous state.

June 27th 2018 Knox Guard feature updates

Knox Guard service APIs available

Knox Guard service API can now be generated on behalf of a requesting company’s system. A developer generates an API key from Knox Guard Console and embeds the key in calls to the API. Data from the API is secured by whitelisting a specified IP address. If the API’s active key is lost or compromised, a new key can be regenerated and the old key deleted. Knox Guard APIs support device uploads, device acceptance, subscription payment overdue messaging and blink reminders, device lock/unlock, and licensing.

To use the API, a dedicated account requires creation by the Samsung Knox Guard team on behalf of the integrating customer. For more information, contact your Samsung Knox Guard representative.

Auto-refresh enhancements

To date, the data displayed within the console was not refreshing in real-time and consistently amongst all screens as data was updating, resulting in customer confusion as to what data is current and what requires a refresh. With this enhancement, console data is consistently auto-refreshed as data is changed or updated.

Contact resource flexibility added

With this release, a device user’s blink reminder and device lock contact resource can be provided as a phone number or E-mail address. Either a phone number or E-mail address is required, but now it is optional which subscriber contact type is used.

Completing status cancellation period added

If a device is marked as Payment Complete, its status changes to Completing… and remains this way for 2 days. The user has 2 days to cancel it while in the Completing… state, which reverts the device back to an Active state. If no action is taken after 2 days, the status changes to Payment complete and the Knox Guard application is uninstalled permanently. The device however is not automatically deleted from the server, and must be removed manually.

Device deletion improved

A Knox Guard admin can delete a device from the Knox Guard console when the device is in a payment complete or rejected state. When a device is deleted from Knox Guard, the device is removed from the server and the Knox Guard client is uninstalled. When deleted, all of the device's information and history are removed.

May 17th 2018 Knox Guard feature updates

Activity log

Knox Guard administrators can now refer to a new Activity Log to assess Knox Guard subscription events, including when they occurred, the impacted Knox Guard administrators, event category, action type, and description. The activity log trending period is user configurable to either increase or decrease the length of time configuration activities are fetched from the present time

Knox Guard console enhancements

New Knox Guard console enhancements provide the following functionality and benefits:

  • New Resellers screen allows admins to register Samsung-approved resellers so Samsung can verify their device ownership and assist in preventing erroneous enrollments. You can also edit reseller device approval preferences or delete a reseller from the list available in the Knox Guard console.
  • Manage Administrators as new admin accounts and their permissions require, or revise the account privileges of an existing administrator.
  • Manage Default settings for enrollment notices, device lock settings, blink reminders, subscription overdue notifications, and EULA agreements.