Knox Manage release notes—November 5, 2020

Android Legacy mode deprecation for Android 11

Android device management now uses Android Enterprise instead of Android Legacy. Going forward, Knox Manage does not support new enrollments of Android 11 devices to the Android Legacy mode. Android 10 devices previously enrolled in Android Legacy mode are still supported even when they're upgraded to Android 11.

For devices running an OS earlier than Android 11, Knox Manage continues to support Android Legacy. However, the scope of this support is limited to bug fixes. New features and product design are focused on the Android Enterprise implementation.

Device Admin deprecation

Due to the evolving needs of enterprise users, the Device Admin API is currently used for a wider array of use cases than it was originally designed for. Since Device Admin isn’t well suited to support today’s enterprise requirements, Android is deprecating Device Admin. As a part of this transition, starting with the Android Q release, the following policies are no longer supported in Android Legacy mode. To ensure continued data and device security, change these policies to use managed device and work profile modes to manage your devices.

  • Android Legacy > System > Camera
  • Android Legacy > Security > Device Password (including KeyGuard)
  • Android Legacy > Interface > Wi-Fi
    NOTE — Following the KM v20.11 release, the Wi-Fi policy is set to Allow by default, regardless of the value set.
NOTE — Samsung Knox devices will continue to support Camera and Password policies, but these policies are no longer supported on non-Samsung devices.

Work profile enhancements in Android 11

Android 11 introduces improved support for work profiles on company-owned devices. With the Android 11 release, the following enhancements are available:

  • New Work profile type — The Work Profile on Company-owned device (WP-C) profile type is now available. There are several commands available for each device using this profile type.

    NOTE — For the KM v20.11 release, Work Profile on Company-owned device mode does not support the use of Samsung Knox policy, except for Knox Service Plugin (KSP) features. If you apply Samsung Knox policies to your devices, we recommend that you postpone updating to Android 11 OS until KM release v20.12 or later.


  • Deprecated Fully Managed with Work Profile device profile type — The Fully Managed with Work Profile device profile is no longer available. For devices previously enrolled in this profile, you can automatically convert these devices to Work Profile on Company-owned devices when you upgrade their firmware to Android 11. However, we recommend using Knox Manage's device command Switch to Fully Manage (Remove Work Profile) before you upgrade the device's firmware. After you change to the new device profile, you can modify the profile settings from the Organization / User menu.

Follow these instructions to set up a Work Profile on a Company-owned Device (WP-C) device profile.

  1. Enroll your company-owned devices using either the QR code or Zero Touch method.
  2. Go to Android Enterprise > System, and enable the appropriate switches for each profile menu.

QR code method

Use the following process to enroll your devices using the QR code method.

  1. Unbox your device and press the Power button to start it up. When the Welcome message shows, tap Next five times. The Scanning for a QR code screen opens.
  2. Use your phone's camera to scan the QR code included in the email you received from your network admin.
  3. Follow onscreen instructions to finish setting up your device.

Zero Touch method

Use the following process to enroll your devices using the Zero Touch method.

  1. Connect to https://partner.android.com/zerotouch/ to begin setting up your device.
  2. Go to Configurations > Work Profile on Corporate-owned Device > Mode > Property, and enter one of the following values to configure zero touch:
    • For corporate-owned, personally enabled (COPE) devices, enter PO.
    • For fully managed devices, enter DO.

After the devices are factory reset, they are automatically enrolled to WP-C mode.

KSP availability

From the KM v20.11 release, KSP features are available on Fully managed with Work Profile devices. To use KSP features on devices previously enrolled with Fully Managed with Work Profile, the IT admin must modify the Organization/User setting, and re-enroll these devices to the Fully Managed with Work Profile device profile.

Certificate alias enhancements

The certificate alias now automatically follows the name of the certificate.

| Certificate Type | EMM Management Certificate | Connector interworking | Issuing external CA |
| --- | --- | --- | --- |
| Alias Setting | Advanced > Certificate > External Certificate > External Certificate Name | Advanced > Directory Service > Service Name | Advanced > Certificate > Certificate Template > Template Name |
| Certificate Setting | | | |

Device enrollment enhancements

Starting with KM v20.11, the following device enrollment enhancements are available.

  1. Limited enrollment — IT admins can now limit device enrollment based on OS version or model names. Depending upon the settings specified, only the devices that meet the required conditions are enrolled.
    NOTE — Currently, Limited Enrollment is only available for Android devices.
  2. Windows device enrollment — Enrolling Windows 10 devices is now easier using the Deep Link Windows specifications, instead of the PPKG type of installation. To enroll a new Windows device, users only need to sign in with their EMM account details, and all the settings and associated information are automatically made available on the device. On the other end of this enrollment process, all necessary authentication processes are already completed by the KM client, so the IT admin does not need to enter any information manually. This enhanced enrollment method makes the process easier and seamless.

Geofencing-related security enhancements

NOTE — Currently, this feature is not available in the US.

From v20.11, IT admins can set up a security policy that automatically locks a device if it moves outside a preset geolocation boundary. In effect, this profile sets up a virtual fence for the device. After the IT admin sets up the geofencing boundary, the device is locked if it moves out of this boundary. The lock is applied automatically, and unlocking the device requires intervention from the IT admin or the user. On a device with multiple profiles, the device is locked when it moves out of all fenced areas.

NOTE — Currently, this feature is available only on Samsung devices with Android Enterprise running Android P OS or earlier for legacy enrollments.

Once a device is locked, it does not unlock until either the user unlocks it using a code or the IT admin unlocks it using an unlock device command.

Content management improvements

For devices running Android 10 and higher, Knox Manage now includes the following restrictions.

  • Download path limitations — For devices running Android Q OS and higher, users can only download content to the preset Download folder on the device.
  • File overwrite restrictions — For devices running Android Q OS, users cannot update existing files with new content even if the file names match.
  • File open restrictions — For devices running Android Q OS, users cannot open files downloaded from the Knox Manage Agent.

Secure Browser enhancements

The built-in Knox Manage Secure Browser also includes the following enhancements.

  • Add shortcut to home screen — Users can now add Secure Browser bookmarks as shortcuts to the device's home screen. Doing so helps users quickly navigate to previously visited URLs.
  • Bookmark information — Secure user bookmarks now provide an additional information screen that includes details such as app version and open source license details.
  • Ability to show pop-up dialogs — Starting with this release, Secure Browser can show pop-up dialog boxes or windows for websites that use them; for example, to show third-party authentication or file upload windows.

Other enhancements

KM v20.11 also includes the following additional enhancements for increased security and better user experience.

  • Show linked account details — The account information screen now shows information about the Samsung Account linked to the KM account on the device.
  • License key type — The License screen now includes information about the type of KM License Key for the device, for example trial or commercial license.
  • Modify contact and phone component details — The Modify Kiosk screen now includes two separate components for contacts and phone.
  • Sync improvements — The VPP sync process is now modified to exclude Mac apps from the sync process.
  • Deleted device information — The information related to deleted devices, such as unenrollment code, unlock code, and deletion date, is now shown in a separate view. To see details of a deleted device, go to the Device screen, and then click Deleted Devices to open the Deleted Devices screen.

Resolved issues and improvements

  • [KMVOC-9912 / 00203946] Unable to get update for the device enrolled day by day
  • [KMVOC-9883 / 00202636] APN is not being set as default
  • [KMVOC-9829 / 00201006] Knox Manage Remote Support Client issues (Android 9 OS Device)
  • [KMVOC-9824 / 00201189] Differences in the display of application content
  • [KMVOC-9810 / 00201870] OTP for KM console login isn't sending text messages
  • [KMVOC-9784 / 00201230] Request to delete my Knox Manage Tenants polycor.com & can.rockofages.com
  • [KMVOC-9761 / 00199539] Remote Support is not working in T515 and P615 devices
  • [KMVOC-9739 / 199142] KM Sub admin accounts getting inactive
  • [KMVOC-9737 / Internal] Device command not show in Device Info (HOTFIX)
  • [KMVOC-9709 / 00199165] Units not taking APN information on enrollment
  • [KMVOC-9608 / 196679] Device does not display applied policies (HOTFIX)
  • [iOS][00201234] Sodexo - KM - URGENT Issue with assigning users
  • [iOS][00200410] App deployment problem (DEP)