Knox Manage 21.02 release notes
Last updated July 26th, 2023
This Knox Manage 21.02 release scheduled to go live on February 25, 2021 includes several improvements and enhancements to existing features and functionality.
Android Enterprise enhancements
This version of Knox Manage adds or improves the following features:
- Unified password policy
- Work profile on company owned device
- Wi-Fi setting > MSCHAPV2 authentication type
New updates and improvements in Unified Password Policy
With this KM 21.02 release, Password and KeyGuard policies are now separated from the Security category and are moved to a new Password category. This change improves the usability of the KM console and helps IT admins set password-related policies — for both Fully Managed and Work Profile devices — easily.
Using this new section on the KM console, IT admins can now:
Configure the result of failed login attempts — Depending upon the type of profile on the device, the following things can happen:
- For WP-C devices IT admins can specify the number of failed log in attempts after which the devices are factory reset. Devices are unenrolled from KM upon factory reset.
- For WP-P devices IT admins can specify the number of failed work profile log in attempts after which the work profile is removed from the device. Devices are not unenrolled from KM even if the work profile is removed from the device.
Configure password compliance policies — IT admins can now specify what happens when device passwords do not comply with IT security standards. Some examples of non-compliance are either the password does not meet the minimum length or if the password has expired. The following options are available to IT admins upon non-compliance:
- Hide Work apps
- Hide Work apps and suspend Personal apps
- Take no action
Work profile on company-owned device improvements
This release offers the following improvements to Android Enterprise work profiles:
Encourage device users to use work profile — In some cases, device users may turn off work profiles on their WP-C devices. IT admins can now specify that after a set amount of time, if the device user has not restarted the Work profile, all Personal apps — outside of emergency calls and a few other important apps — are suspended. IT admins can specify a maximum number of days (between 3 to 30 days) or hours (between 72 and 720 hours) after which the device users see a notification on their device alerting them as to the reason for suspension of Personal apps.
Restrict the use of personal Google Play accounts and apps — Currently, users can set up personal Google Play accounts and install apps on the Personal area of their WP-C enrolled devices. Starting with this release, IT admins can now configure allowlist and blocklist policies to restrict the use of personal Google Play accounts and installation of personal apps on devices. IT admins can choose to block all or selected apps; or allow selected apps only on target devices.
These policies apply to apps downloaded from managed Google Play only, apps that are already installed or are directly installed using APKs are not impacted. For already installed apps, use the previously set up app blocklist and allowlist policy.
Usability improvements — Starting with this release, IT admins can turn on the Highlight Work Profile on Company-owned Devices Profile Only setting to show the available policies highlighted in blue.
Additional authentication support for Wi-Fi setting
Starting this release, KM now supports a new MSCHAPV2 authentication type for Wi-Fi settings.
Azure Domain Service-based Azure AD synchronization support
Starting KM 21.02, IT admins can now connect to cloud-based Azure AD and synchronize the following information directly to the KM admin console:
- Directory type — Azure AD
If Azure Domain Service is selected as the directory type, the account does not connect to the server through the cloud connector. If you experience connection errors, you may need to turn off the firewall on the target device.
KME integration improvements
This release adds the following functionality to the KM and KME integration:
KME profiles — Until KM 21.01, IT admins could create KME profiles from within the KM admin console. Starting KM 21.02, IT admins can modify KME profiles from the KM admin console.
AE enrollment for devices running Android OS 11 — KM now supports enrollment of Android devices running OS Android 11. The IT admin can choose between fully managed and WP-C enrollment types during the provisioning process. The enrollment settings for devices running Android OS 10 or lower remain unchanged.
Limited Enrollment improvements
KM 21.02 adds the following two improvements to the Limited Enrollment settings:
Additional limited enrollment condition — The default condition available for limited enrollment is OR. This release adds a new AND condition. Using this new condition, IT admins can choose to limit enrollment to devices matching more than one criteria, such as Android 11, Model Name, and IMEI.
KME integration — IT admins are now able to choose between enrolling all devices or only for devices managed using KME in Limited Enrollment. For KME devices, IT admins cannot enroll devices using manual registration or Zero Touch.
Improved kiosk permission process
Currently, Kiosk mode is not supported on Android Go edition devices.
IT admins now have an improved Kiosk permissions process at their disposal. Upon installation of Kiosk launchers — both single and multi-Kiosk modes — KM automatically grants call and SMS permissions to devices. Device users can then optionally choose to grant or deny additional permissions, such as notification permissions for multi-Kiosk devices, or Window overlay permission for single kiosk devices. Until this release, the only way to close the permission settings notifications on the device was for the device user to accept all permissions. Now, IT admins can choose to show the permission notification only when the Kiosk Launcher app is running. The device user can now choose to close the notification without granting any permissions to the app.
This release adds the following iOS improvements:
Force OS Update — IT admins can now force iOS devices enrolled under the supervised mode to the latest OS version. IT admins can choose between the following update methods:
- Download or install
Download and install doesn’t happen continuously. If the update file is already downloaded on the device, then only the install command is carried out. If the update file is not downloaded to the device, deploying this command downloads the file. To install the OS update, deploy the Download or install or Install only option.
IT admins can access this option on the KM admin console under iOS Device Command > Device > OS Update (Supervised).
Support for lost or stolen devices — In case of iOS devices that are lost, stolen, or otherwise misplaced, IT admins can now remotely enable Lost Mode on these devices. When Lost Mode is enabled on a device, the device is locked with a message, contact phone number, and instructions on what to do when such a device is found. IT admins can now check the location of such devices, even when location permissions are turned off. Devices with Lost Mode enabled cannot be unenrolled from KM. IT Admins must disable Lost Mode to allow the device user to use the device again.
IT admins can access this option on the KM admin console under iOS Device Command > Device > Enable/Disable Lost Mode (Supervised).
Device Location History Improvements — Going forward, location history for iOS devices is stored for 30 days from the last collection date. The check location device command is activated in the case where device location is collected. Note that the device user must run the KM agent and agree to allow collection of the device’s location.
Open API documentation improvements
Samsung Knox’s Developer Documentation site now includes KM Open API references.
Geofencing event notifications
Consider the following items:
- Geofencing is not available in USA.
- For Note 8 devices running the N OS, the Geofencing area radius size set in the admin console unit is recognized in miles not meters.
IT admins can now configure email notifications for geofencing events such as devices entering or exiting a geographic (geofence) area. To configure such email notifications, do as follows:
On the Geofencing section, on the Add Profile page, for the Notification field, click Turn on.
On the History page, under Alert > Alert email settings, select one or more of the following:
- Devices outside the geofencing area — Select to receive a notification when the device travels outside the geofencing area.
- Device within geofencing area — Select to receive a notification when the device returns to the geofencing area.
Click Save to receive an alert email when a geofencing event happens.
App export improvement
This release adds export functionality to Application and Group detail pages. IT admins can now choose to export a device’s assigned group or organization list of specific app and assigned app list of specific group to CSV format.
To export these details, do as follows:
- Application detail page > Assigned Group/Organization tab > Export to CSV button.
- Group detail page > Application tab > Export to CSV button.
- Application detail page > Device tab > Export to CSV button.
Starting KM 21.02, the application’s name is added to the CSV file.
This release also includes the following enhancements:
Special characters for lock device messages — IT admins can now use special characters — except [, ], or \ — when sending messages to locked devices.
Bulk Add for Control Apps — IT admins can now upload Control Apps in bulk. IT admins can download a bulk add template from the Manage Control App page.
Device Detail Information report improvements — The Device Detail Information report now includes the offline unenrollment code.
Main dashboard improvements — The main dashboard now includes a shortcut link to dashboard management.
Remote support improvements — Remote Support is supported in WP-C devices using SMS. When the device calls the Remote Support Agent, SMS delivery is used instead of push service.
The web-based Remote Support tool is planned to be available with full functionality with the KM 21.04 release. At that time, the current installed Remote Support app version is planned to be deprecated and made unavailable.
Resolved issues and improvements
- [KMVOC-10317 / 00210852] Knox Manage Tag cannot be removed
- [KMVOC-10292, KMVOC-10011 / 00205970] Constant notification access screen popping up
- [KMVOC-10283 / 00210100][ETS] Failed to apply device management profiles
- [KMVOC-10274 / 00209915] Cannot wipe device in AE DO on unenrollment or manually
- [KMVOC-10252 / 00209295] KM not listing devices with installed app (HOTFIX)
- [KMVOC-10231, KMVOC-10134 / 00208470] Cannot add single AD/LDAP use
- [KMVOC-10144 / 00208316] Android Go device: Content, MultiKiosk: notification
- [KMVOC-10138 / 00208199] Managed Configuration Google Play not applied (HOTFIX)
- [KMVOC-10131 / 00208341] User Cannot Download Audit Logs (HOTFIX)
- [KMVOC-10113 / 00208283] Bulk user add failing (HOTFIX)
- KMVOC-10110 / 00208185] Cannot modify kiosk (HOTFIX)
-  (iOS) Factory Reset device command on iOS devices (HOTFIX)
Is this page helpful?
Thank you for your feedback!