Knox Guard 1.8 release notes

KG + KC/KME on the same device

This feature enables KG and KC/KME services to be used together on the same device so customers can protect their devices with KG, use KC for automatic device configuration or re-branding updates, and also use KME for device enrollment, management and app installations.

Typically, customers want to use KG with KC/KME to provide better device branding and management for deployments within their specific marker segments. In turn, this will drive up their sales, generate additional revenue for KCS, and expand the overall customer base for Knox services.

To accommodate the combined use of these services, a reseller can now upload a device to KG as well as KC/KME using one customer ID and account.

Role-based access control (RBAC)

This release introduces a new Role-based access control (RBAC) capability that allows customer (tenant) admins who are responsible for account creation (super admin) to assign more refined role permissions to individual admins as their specific enterprise requirements dictate. Though each supported Knox Cloud Service utilizes admin roles unique to that service, a super admin cuts across all supported services.

With the new RBAC service, existing customers will have their administrators migrated automatically. Administrators with their own unique set of permissions (manage administrators, delete devices etc.) will be assigned new roles that map to their current permissions. If needed, new roles beyond what the migrated admins are currently assigned can be created based on a list of permissions unique for each service.

The only role that cannot be assigned is the super admin role, which applies across all supported services. Only one person can assume a super admin role per company. Upon migration, the super admin role is assigned to the person who originally created the customer account. The super admin role receives every permission option available. For information on creating a new admin account and assigning them unique roles and permissions, go to: Manage administrators.

Upload devices directly to the KG server

Currently, to use devices in KG they must be purchased through a reseller. The customer must request registration (upload device IMEIs) in their reseller portal or using reseller API. Additionally, the customer can only use devices registered through their reseller within the KG console once approved and accepted with a valid KG license.

However, the process described above does not enable non-carriers, such as financial institutions, to use KG since they are not in a physical device channel, or function as resellers. For such customers, the KG team has provided tenant permission control within the Samsung admin portal and provided user permission control within the KG console to grant permissions to limited users. Additionally, an IMEI verification step has been added to ensure a wrong device IMEI is not auto-accepted and registered.

Device deletion improvement for KG + KC/KME

This feature introduces a new device deletion concept when KC/KME is deployed with Knox Guard. Once devices are uploaded to a customer ID with KG/KC/KME accesses, devices are added to all three consoles by default. If the customer would like to use only KG on their devices, they can remove those devices from just the KC and KME consoles only.