Menu

Knox Manage release notes—August 27, 2020

Pre-notice—Legacy enrollment from Android 11 is no longer supported

Android device management has been shifting from Android Legacy to Android Enterprise. While most EMM vendors stopped supporting Android Legacy for Android 10, Knox Manage continued to do so.

However, Knox Manage cannot support new enrollments of Android 11 devices to the Android Legacy mode. Android 10 devices previously enrolled in Android Legacy mode are still supported even when they're upgraded to Android 11.

Knox Manage continues to support Android Legacy for devices running an OS earlier than Android 11, however, the scope is limited to bug fixes. New features and product design are focused on the Android Enterprise implementation.

Pre-notice—Work profile enhancements in Android 11

Android 11 introduces improved support for work profiles on company-owned devices. In Knox Manage, devices enrolled in the Fully Managed with Work Profile type are upgraded to the newly designed type in Android 11.

Some features in the fully managed device area may not be available when a device is upgraded to Android 11. If this concerns you, we recommend you use the Fully Managed type or the Work Profile type instead of the Fully Managed with Work Profile type.

In v20.10 (October 2020), the Knox Manage admin portal's terminology usage and feature guidance will reflect these changes. The Knox Manage team will also provide the following:

  • A list of affected features.
  • A migration guide.

Console

KSP zero-day support

Knox Service Plugin (KSP) now comes with zero-day support, which means the full functionality of KSP is provided without any delay. The latest KSP features are immediately available in Knox Manage as soon as the KSP app is updated, regardless of the Knox Manage release.

  Before v20.8 Starting v20.8
Supported KSP features A range of select KSP features. All features from the KSP application.
New feature delivery Upon Knox Manage release. Upon KSP version update (zero day).
Location KSP policies are mixed in various sections of the Samsung Knox menu, along with non-KSP policies. All KSP features are in the Knox Service Plugin category in the Samsung Knox menu.
Values of KSP settings Allow, Disallow, Enable, Disable True, False

TIP—Setting Debug Mode to True allows you to check which policies were applied through KSP agents.

Limitations

KSP features are directly pulled from the KSP app. That is, all KSP features are dependent on the KSP app. The following are limitations in the Knox Manage admin portal due to the KSP implementation.

IMPORTANT—Note these limitations to ensure that your policies are properly applied.

  • Knox Service Plugin is only available in English. Hence, the KSP policies in Knox Manage are only available in English, regardless of the language set in the Knox Manage admin portal.
  • Mandatory fields are not highlighted. When configuring KSP features, the IT admin must know the critical input values they need to provide.
  • Configuring duplicate policies can result in abnormal behavior. Some KSP policies have the same functionality as built-in Knox Manage policies. To prevent IT admins from setting duplicate policies, the Knox Manage admin portal shows a next to KSP policies that have the same functionality as built-in policies. This helps IT admins recognize and avoid potential conflicts between KSP and built-in features. For more information, see Which policy should I use if duplicate policies exist?
  • When you set multiple KSP profiles for an end user, only the profile with the highest priority is applied to their device. If you want to apply all KSP policies from those profiles, we recommend you do either of the following solutions:
    • Apply all the KSP policies to the profile with the highest priority.
    • Create a profile for KSP policies only and give that profile the highest priority.
  • Existing KSP configurations are automatically migrated to the Knox Service Plugin category, and the values of these settings are changed as follows:

    • Allow or EnableTrue
    • Disallow or DisableFalse

    This change cannot be adjusted by feature. The following two KSP policies need more attention:

    Before v20.8 Starting v20.8

    System > Device Customization Controls > Predictive Text

    Possible values: Enable or Disable

    Disable Predictive Text

    Possible values: True or False

    System > Device Customization Controls > App Suggestion

    Possible values: Enable or Disable

    Disable App Suggestion

    Possible values: True or False

    Notice that in v20.8, the policies above are the opposite of the corresponding policies from before v20.8. Suppose you previously set Predictive Text to Enable. When the migration is complete, the new policy name is Disable Predictive Text and its value is now True. In this case, your policy has effectively been reversed during migration. Hence, we recommend that you review your settings for these two policies in v20.8.

  • A profile you exported before v20.8 cannot be imported to v20.8 of the Knox Manage admin portal. Please export that profile again in v20.8.

Other console enhancements

  • Profile names—Profile names can now include spaces.

  • iOS VPP app management enhancements:

    • You can now assign up to 10 VPP apps at the same time, as long as the apps have the same settings like assignment type, install type, and targets.

    • When you set an iOS VPP app to be installed automatically, you can set it to be updated automatically as well.

    • When you unassign an iOS VPP app, the app will be removed automatically.

  • Admin management—When an admin account is removed from the Knox Manage admin portal, that account’s session will be terminated immediately.

  • Users, groups, and organizations synced through AD/LDAP can now be deleted all at once.

Device command

USIM PIN lock or unlock through device commands

SIM card locking is now supported through device commands. Previously, profiles were used to perform this operation.

The following are the new device commands:

  • Lock SIM PIN—Enable SIM lock with a new PIN.
  • Unlock SIM PIN—Disable a SIM PIN or set a new PIN.

If a SIM lock policy has been previously configured through a profile, that policy is still in effect. You can modify and unlock the SIM PIN through a device command.

These policies are available in both Android Legacy and Android Enterprise (DO and COMP)

  Before v20.8 Starting v20.8
How to apply By assigning and applying a profile to a group or organization. By sending a device command to one or more devices or to a group.

New device commands

Lock SIM PIN

Unlock SIM PIN

Application

Managed configurations for MGP Private apps

You can now set up managed configurations for managed Google Play (MGP) Private apps. Previously, Knox Manage only supported managed configurations for general MGP apps.

AE App Permission policy enhancement

When configuring the App permission exception policy list under Profile > Android Enterprise > Application > App Permission, you can now do the following.

  • Automatically apply the same action (Prompt, Grant, or Deny) to all configurable items through the Apply to all items below field.
  • Set Apply to all items below to '-' to specify a different action for each configurable item.

Profile

Windows 10 support enhancements for PC

The following enhancements were made:

Reboot Device command

The Reboot Device command was added. When you send this device command, the end user has 5 minutes to finish any ongoing work on their device before the reboot starts.

App Install/Run Blocklist option

Previously, when adding apps to the application blocklist, only apps of type APPX were supported. Starting this release, you can add SnippingTool.exe to the list of apps that can be blocked.

When adding or modifying a Windows profile, you can find this setting in WindowsApplicationAdd App Install Block/Allowlist (select Application blocklist settings) > App Install/Run Blocklist.

Removable Storage

You can block write access to removable storage devices (such as a USB memory stick) by setting the Removable Storage policy to Disallow. If you set this policy to Allow, or if you do nothing with this policy, write access to the removable storage is allowed.

When adding or modifying a Windows profile, you can find this setting in WindowsInterfaceRemovable Storage.

NOTE—The USB policy (Interface > USB) only applies to Windows mobile devices.

VPN update for Windows devices

  • You can now allow (or disallow) end users to change their VPN settings.

    When adding or modifying a Windows profile, you can find this setting in WindowsSystemVPN.

  • When setting up the VPN configuration on devices, you can distribute end users across the following VPN clients:

    • Pulse Secure
    • Check Point Capsule VPN
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • SonicWall Mobile Connect

When adding or modifying a Windows profile, you can find this setting in WindowsVPN.

Device name configuration for iOS DEP

You can now configure iOS DEP device names to include the user ID, according to the DEP style. This feature is available in Setting > iOS > DEP Server Setting > DEP Device Name.

Certificate installation area in Android Enterprise

Previously, a certificate could only be installed in both the Fully Managed and the Work Profile areas. Now, you can install certificates according to your needs—in either Fully Managed or Work Profile or both.

When adding or modifying an Android Enterprise profile, you can find this setting in Android EnterpriseCertificate > Install Area.

Kiosk

New Single App Kiosk

The following enhancements were made:

  • The Single App Kiosk mode's delivery method was enhanced to use an Android launcher similar to the one used for the Multiple App Kiosk mode.

    This enhancement allows you to create Single App Kiosks stably and easily.

  • You can now set device settings for Single App Kiosks in the Kiosk Wizard.

Single App Kiosks created before v20.8 will continue to work without updates as long as no changes are made on them.

NOTE
  • This new Single App Kiosk works only with the Knox Manage v20.8 agent. Hence, the Knox Manage agent must be updated to the latest version.
  • Only one app can be assigned in a Single App Kiosk.

Exit Kiosk without unenrollment

All Kiosk modes (Single App, Multiple App, and Kiosk Browser) can be temporarily turned off without unenrollment, regardless of whether they're in offline or online state.

NOTE—This feature is only applicable to Kiosks created in v20.8 or later.

To exit Kiosk mode

Provide an Exit Kiosk Code to the end user. You can get the code from Device Detail > Security > Kiosk Mode Status > Exit Kiosk Code.

The code is randomly regenerated after it's applied to the device to prevent it from being used again without authorization from an IT admin.

The user managing the Kiosk device must do the following:

  1. Tap the icon.

    NOTE—In the case of a Single App Kiosk, you'll need to tap the Home or Back button to make this icon appear. The icon disappears after 5 seconds of inactivity.

  2. In the "About Kiosk" screen, tap Exit Kiosk.
  3. Enter the Exit Kiosk Code from the IT admin.

To re-enter Kiosk mode

An IT admin must apply a profile update to the device.

Other Kiosk enhancements

NOTE—The Knox Manage agent must be updated to the latest version for these new features to take effect.

  • Bookmark in Multiple App Kiosk mode now supports file uploads and downloads.

  • You can now set Kiosk Browser and Secure Browser to be automatically updated through profile policies.

    When adding or modifying a profile, you can find these settings in the following locations:

  • The loading status is now shown on the progress bar:

Content

Increased maximum file size limit

Previously, the maximum content size was 300 MB. In v20.8, this limit was increased to 1.0 GB.

Knox Suite: Knox E-FOTA One license usage

In addition to the Knox E-FOTA One admin portal, you can now view the Knox E-FOTA One license usage in the following locations as well:

  • License widget in the Knox Manage admin portal's Dashboard.

  • SamsungKnox.com Dashboard.

Remote Support: Session timeout

In this release, a session timeout was introduced in the Remote Support tool to prohibit security issues at the customers’ end.

When controlling devices through the Remote Support Viewer, 15 minutes of inactivity (regardless of the end user’s device-side action) will trigger a popup asking if you want to extend the session. If you choose to extend it, your session's timer is restarted. Otherwise, your session will end after 5 minutes.

Resolved issues and improvements

NOTE—Items marked with (HOTFIX) were released before v20.8.

  • [KMVOC-9709 / 00199165]Units not taking APN information on enrollment
  • [KMVOC-9700 / 00198697] TSE: Data on Dashboard & CSV are not same
  • [KMVOC-9668 / 00198092]Provile VPN Pulse Secure not installed
  • [KMVOC-9667 / 00198457] [ETS]Requesting last known location of devices showing expired in console.
  • [KMVOC-9613 / 00196655][Problem with setting: Android Managed Type]
  • [KMVOC-9611 / 00192178] Installation problem
  • [KMVOC-9593 / 00196890] KM can't be unenrolled from the device
  • [KMVOC-9583 / 00195802] Knox Remote Support File Explorer does not open with kiosk mode in Android 10
  • [KMVOC-9565 /00196257] Unable to create Organization (HOTFIX)
  • [KMVOC-9560 / 0019345] Custom animation feature is not available in KM portal (HOTFIX)
  • [KMVOC-9528 / 00195038] Kiosk App Cause Security Policy Error
  • [KMVOC-9514 / 00195295] Knox manage Kiosk Mode doesn't work (HOTFIX)
  • [KMVOC-9506 / 00195143] Work profile not triggered in COPE mode
  • [KMVOC-9449 / 00194328] getting Error in uploading internal app (HOTFIX)
  • [KMVOC-9422 / 00193767] Device Location Dashboard shows location of only 2000 devices out of 8000 enrolled devices
  • [KMVOC-9410 / 00192576] [SEA] AE > Container >Bluetooth share = Disallow not working on OS 10
  • [KMVOC-9345 / 00192188] Group name creation and synchronization Problem
  • [00195882] indicateur hors/sous tention
  • [00198692]Knox Manage iOS DEP and VPP app installation queries
Share it: