Knox Manage 20.08 release notes
Last updated July 26th, 2023
Pre-notice — Legacy enrollment from Android 11 is no longer supported
Android device management has been shifting from Android Legacy to Android Enterprise. While most EMM vendors stopped supporting Android Legacy for Android 10, Knox Manage continued to do so.
However, Knox Manage cannot support new enrollments of Android 11 devices to the Android Legacy mode. Android 10 devices previously enrolled in Android Legacy mode are still supported even when they’re upgraded to Android 11.
Knox Manage continues to support Android Legacy for devices running an OS earlier than Android 11; however, the scope is limited to bug fixes. New features and product design are focused on the Android Enterprise implementation.
Pre-notice — Work profile enhancements in Android 11
Android 11 introduces improved support for work profiles on company-owned devices. In Knox Manage, devices enrolled in the Fully Managed with Work Profile type are upgraded to the newly designed type in Android 11.
For more information, visit the following web pages:
Some features in the fully managed device area may not be available when a device is upgraded to Android 11. If this concerns you, we recommend you use the fully managed type or the work profile type instead of the fully managed with work profile type.
In 20.10 (October 2020), the Knox Manage console’s terminology usage and feature guidance will reflect these changes. The Knox Manage team will also provide the following:
- A list of affected features.
- A migration guide.
Console
KSP zero-day support
Knox Service Plugin (KSP) now comes with zero-day support, which means the full functionality of KSP is provided without any delay. The latest KSP features are immediately available in Knox Manage as soon as the KSP app is updated, regardless of the Knox Manage release.
. | Before 20.08 | Starting 20.08 |
---|---|---|
Supported KSP features | A range of select KSP features. | All features from the KSP application. |
New feature delivery | Upon Knox Manage release. | Upon KSP version update (zero day). |
Location | KSP policies are mixed in various sections of the Samsung Knox menu, along with non-KSP policies. | All KSP features are in the Knox Service Plugin category in the Samsung Knox menu. |
Values of KSP settings | Allow, Disallow, Enable, Disable | True, False |
Setting Debug Mode to True allows you to check which policies were applied through KSP agents.
Limitations
KSP features are directly pulled from the KSP app. That is, all KSP features are dependent on the KSP app. The following are limitations in the Knox Manage admin portal due to the KSP implementation.
Note these limitations to ensure that your policies are properly applied.
- Knox Service Plugin is only available in English. Hence, the KSP policies in Knox Manage are only available in English, regardless of the language set in the Knox Manage admin portal.
- Mandatory fields are not highlighted. When configuring KSP features, the IT admin must know the critical input values they need to provide.
- Configuring duplicate policies can result in abnormal behavior. Some KSP policies have the same functionality as built-in Knox Manage policies. To prevent IT admins from setting duplicate policies, the Knox Manage admin portal shows a
- When you set multiple KSP profiles for an end user, only the profile with the highest priority is applied to their device. If you want to apply all KSP policies from those profiles, we recommend one of the following:
  - Apply all the KSP policies to the profile with the highest priority.
  - Create a profile for KSP policies only and give that profile the highest priority.
- Existing KSP configurations are automatically migrated to the Knox Service Plugin category, and the values of these settings are changed as follows:
  - Allow or Enable → True
  - Disallow or Disable → False
This change cannot be adjusted by feature. The following two KSP policies need more attention:
Before 20.08 | Starting 20.08 |
---|---|
System > Device Customization Controls > Predictive Text (possible values: Enable or Disable) | Disable Predictive Text (possible values: True or False) |
System > Device Customization Controls > App Suggestion (possible values: Enable or Disable) | Disable App Suggestion (possible values: True or False) |
Notice that in 20.08, the policies above are the opposite of the corresponding policies from before 20.08. Suppose you previously set Predictive Text to Enable. When the migration is complete, the new policy name is Disable Predictive Text and its value is now True. In this case, your policy has effectively been reversed during migration. Hence, we recommend that you review your settings for these two policies in 20.08.
- A profile you exported before 20.08 cannot be imported to 20.08 of the Knox Manage admin portal. Please export that profile again in 20.08.
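The following added example (not Knox Manage code) models the value migration described above and lists the settings whose effective behavior is reversed, so they can be reviewed after upgrading. The dictionary representation of a profile and the policy name "Example Unchanged Policy" are assumptions made for illustration; the two renamed policies and the value mapping are taken from these notes.

```python
# Added example: models the 20.08 KSP value migration described in these notes.
# The dict-of-settings input is a constructed representation, not a Knox Manage export format.

# Automatic value mapping applied to every migrated KSP setting (from the release notes).
VALUE_MAP = {"Allow": True, "Enable": True, "Disallow": False, "Disable": False}

# Policies whose 20.08 name negates the pre-20.08 name (from the release notes).
NEGATED_RENAMES = {
    "Predictive Text": "Disable Predictive Text",
    "App Suggestion": "Disable App Suggestion",
}


def migrate(old_settings):
    """Return one record per pre-20.08 setting showing the migration outcome."""
    records = []
    for name, old_value in old_settings.items():
        if old_value not in VALUE_MAP:
            raise ValueError(f"unexpected pre-20.08 value {old_value!r} for {name!r}")
        migrated = VALUE_MAP[old_value]
        negated = name in NEGATED_RENAMES
        records.append({
            "old_name": name,
            "old_value": old_value,
            "new_name": NEGATED_RENAMES.get(name, name),
            "migrated_value": migrated,
            # Under a negated name, the original intent needs the opposite boolean.
            "value_preserving_intent": (not migrated) if negated else migrated,
        })
    return records


def needs_review(old_settings):
    """Settings whose effective behaviour was reversed by the migration."""
    return [r for r in migrate(old_settings)
            if r["migrated_value"] != r["value_preserving_intent"]]


# Constructed sample; "Example Unchanged Policy" is a hypothetical policy name.
SAMPLE = {
    "Predictive Text": "Enable",
    "App Suggestion": "Disable",
    "Example Unchanged Policy": "Allow",
}

if __name__ == "__main__":
    for r in needs_review(SAMPLE):
        print(f'{r["old_name"]}={r["old_value"]} -> {r["new_name"]}={r["migrated_value"]}; '
              f'set to {r["value_preserving_intent"]} to keep the original behaviour')
```

Both values of a renamed policy are reversed, not only Enable: a pre-20.08 Disable migrates to False under the new "Disable ..." name, which turns the feature on.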
Other console enhancements
- Profile names — Profile names can now include spaces.
- iOS VPP app management enhancements:
  - You can now assign up to 10 VPP apps at the same time, as long as the apps have the same settings, such as assignment type, install type, and targets.
  - When you set an iOS VPP app to be installed automatically, you can set it to be updated automatically as well.
  - When you unassign an iOS VPP app, the app will be removed automatically.
- Admin management — When an admin account is removed from the Knox Manage admin portal, that account’s session will be terminated immediately.
- Users, groups, and organizations synced through AD/LDAP can now be deleted all at once.
Device commands
USIM PIN lock or unlock through device commands
SIM card locking is now supported through device commands. Previously, profiles were used to perform this operation.
The following are the new device commands:
- Lock SIM PIN — Enable SIM lock with a new PIN.
- Unlock SIM PIN — Disable a SIM PIN or set a new PIN.
If a SIM lock policy has been previously configured through a profile, that policy is still in effect. You can modify and unlock the SIM PIN through a device command.
These policies are available in both Android Legacy and Android Enterprise (DO and COMP).
. | Before 20.08 | Starting 20.08 |
---|---|---|
How to apply | By assigning and applying a profile to a group or organization. | By sending a device command to one or more devices or to a group. |
New device commands | | Lock SIM PIN, Unlock SIM PIN |
Applications
Managed configurations for MGP Private apps
You can now set up managed configurations for managed Google Play (MGP) private apps. Previously, Knox Manage only supported managed configurations for general MGP apps.
AE App Permission policy enhancement
When configuring the App permission exception policy list under Profile > Android Enterprise > Application > App Permission, you can now do the following.
- Automatically apply the same action (Prompt, Grant, or Deny) to all configurable items through the Apply to all items below field.
- Set Apply to all items below to ‘-’ to specify a different action for each configurable item.
Profile
Windows 10 support enhancements for PC
The following enhancements were made:
Reboot Device command
The Reboot Device command was added. When you send this device command, the end user has 5 minutes to finish any ongoing work on their device before the reboot starts.
App Install/Run Blocklist option
Previously, when adding apps to the application blocklist, only apps of type APPX were supported. Starting this release, you can add SnippingTool.exe to the list of apps that can be blocked.
When adding or modifying a Windows profile, you can find this setting in Windows > Application > Add App Install Block/Allowlist (select Application blocklist settings) > App Install/Run Blocklist.
Removable Storage
You can block write access to removable storage devices (such as a USB memory stick) by setting the Removable Storage policy to Disallow. If you set this policy to Allow, or if you do nothing with this policy, write access to the removable storage is allowed.
When adding or modifying a Windows profile, you can find this setting in Windows > Interface > Removable Storage.
The USB policy (Interface > USB) only applies to Windows mobile devices.
VPN update for Windows devices
- You can now allow (or disallow) end users to change their VPN settings.
  When adding or modifying a Windows profile, you can find this setting in Windows > System > VPN.
- When setting up the VPN configuration on devices, you can distribute end users across the following VPN clients:
  - Pulse Secure
  - Check Point Capsule VPN
  - F5 Access
  - Palo Alto Networks GlobalProtect
  - SonicWall Mobile Connect

  When adding or modifying a Windows profile, you can find this setting in Windows > VPN.
Device name configuration for iOS DEP
You can now configure iOS DEP device names to include the user ID, according to the DEP style. This feature is available in Setting > iOS > DEP Server Setting > DEP Device Name.
Certificate installation area in Android Enterprise
Previously, a certificate could only be installed in both the Fully Managed and the Work Profile areas. Now, you can install certificates according to your needs—in either Fully Managed or Work Profile or both.
When adding or modifying an Android Enterprise profile, you can find this setting in Android Enterprise > Certificate > Install Area.
Kiosk
Single App Kiosk mode
The following enhancements were made:
- The Single App Kiosk mode’s delivery method was enhanced to use an Android launcher similar to the one used for the Multiple App Kiosk mode.
  This enhancement allows you to create Single App Kiosks reliably and easily.
- You can now set device settings for Single App Kiosks in the Kiosk Wizard.
Single App Kiosks created before 20.08 will continue to work without updates as long as no changes are made on them.
- This new Single App Kiosk works only with the Knox Manage 20.08 agent. Hence, the Knox Manage agent must be updated to the latest version.
- Only one app can be assigned in a Single App Kiosk.
Exit Kiosk without unenrollment
All Kiosk modes (Single App, Multiple App, and Kiosk Browser) can be temporarily turned off without unenrollment, regardless of whether they’re in offline or online state.
This feature is only applicable to Kiosks created in 20.08 or later.
To exit Kiosk mode
Provide an Exit Kiosk Code to the end user. You can get the code from Device Detail > Security > Kiosk Mode Status > Exit Kiosk Code.
The code is randomly regenerated after it’s applied to the device to prevent it from being used again without authorization from an IT admin.
The user managing the Kiosk device must do the following:
- Tap the icon. In the case of a Single App Kiosk, you’ll need to tap the Home or Back button to make this icon appear. The icon disappears after 5 seconds of inactivity.
- In the “About Kiosk” screen, tap Exit Kiosk.
- Enter the Exit Kiosk Code from the IT admin.
To re-enter Kiosk mode
An IT admin must apply a profile update to the device.
Other Kiosk enhancements
The Knox Manage agent must be updated to the latest version for these new features to take effect.
- Bookmark in Multiple App Kiosk mode now supports file uploads and downloads.
- You can now set Kiosk Browser and Secure Browser to be automatically updated through profile policies.
  When adding or modifying a profile, you can find these settings in the following locations:
  - Secure Browser: Android Enterprise > Secure Browser > App Auto Update.
  - Kiosk Browser: Android Enterprise or Android Legacy > Kiosk > Kiosk app settings (select Kiosk Browser) > App Auto Update.
- The loading status is now shown on the progress bar:
Content
Increased maximum file size limit
Previously, the maximum content size was 300 MB. In 20.08, this limit was increased to 1.0 GB.
Knox E-FOTA license usage with Knox Suite
In addition to the Knox E-FOTA admin portal, you can now view the Knox E-FOTA license usage in the following locations as well:
- License widget in the Knox Manage admin portal’s Dashboard.
- SamsungKnox.com Dashboard.
Remote Support session timeout
In this release, a session timeout was introduced in the Remote Support tool to prevent security issues at the customers’ end.
When controlling devices through the Remote Support Viewer, 15 minutes of inactivity (regardless of the end user’s device-side action) will trigger a popup asking if you want to extend the session. If you choose to extend it, your session’s timer is restarted. Otherwise, your session will end after 5 minutes.
Resolved issues and improvements
Items marked with (HOTFIX) were released before 20.8.
- [KMVOC-9709 / 00199165] Units not taking APN information on enrollment
- [KMVOC-9700 / 00198697] TSE: Data on Dashboard & CSV are not same
- [KMVOC-9668 / 00198092] Profile VPN Pulse Secure not installed
- [KMVOC-9667 / 00198457] [ETS] Requesting last known location of devices showing expired in console.
- [KMVOC-9613 / 00196655] [Problem with setting: Android Managed Type]
- [KMVOC-9611 / 00192178] Installation problem
- [KMVOC-9593 / 00196890] KM can’t be unenrolled from the device
- [KMVOC-9583 / 00195802] Knox Remote Support File Explorer does not open with kiosk mode in Android 10
- [KMVOC-9565 / 00196257] Unable to create Organization (HOTFIX)
- [KMVOC-9560 / 0019345] Custom animation feature is not available in KM portal (HOTFIX)
- [KMVOC-9528 / 00195038] Kiosk App Cause Security Policy Error
- [KMVOC-9514 / 00195295] Knox Manage Kiosk Mode doesn’t work (HOTFIX)
- [KMVOC-9506 / 00195143] Work profile not triggered in COPE mode
- [KMVOC-9449 / 00194328] Getting error in uploading internal app (HOTFIX)
- [KMVOC-9422 / 00193767] Device Location Dashboard shows location of only 2000 devices out of 8000 enrolled devices
- [KMVOC-9410 / 00192576] [SEA] AE > Container > Bluetooth share = Disallow not working on OS 10
- [KMVOC-9345 / 00192188] Group name creation and synchronization Problem
- [00195882] Power off/on indicator
- [00198692] Knox Manage iOS DEP and VPP app installation queries