Knox Manage 23.12 release notes

Last updated February 5th, 2024

Enhancements to identity provider federated authentication

Previously, enterprises could use on-premises AD, or LDAP-based Azure AD Domain Service and Azure AD Graph to sync user information with Knox Manage servers.

Starting in 23.12, Knox Manage also supports user authentication for Azure AD (Graph API) and supports both user sync and authentication for two additional identity providers — Okta and Ping Identity.

Setting connection to identity provider in the Knox Manage console

To set up user authentication, IT admins for the service providers must specify their information in the identity provider portals.

Azure AD Graph, Okta, and Ping Identity use the OIDC (OpenID Connect) authentication standard and support the following:

  • During device enrollment, user authentication is directly managed by the identity providers. Instead of the Knox Manage sign-in UI, device users are routed to the respective identity providers for authentication.

    Sign in screens for user authentication on enrolled devices

  • Users must be set up in both the Knox Manage console and the identity provider portals.

  • Multi-factor authentication (MFA) is supported for newly-enrolled devices.

    Note

    On Android, only fully managed devices support MFA. Support for Android devices with a work profile is in active development.

Okta and Ping Identity support the SCIM (System for Cross-domain Identity Management) protocol. Knox Manage user and group information is automatically synchronized after specifying the settings for Okta and Ping Identity.

Since both LDAP and SCIM protocols are now supported, the Knox Manage console menus reflect the following changes:

| Previous menu | New menu |
| --- | --- |
| Advanced > AD/LDAP Sync | Setting > Identity & Directory |
| Sync Service | Connection |
| Sync History | History |
| Advanced > Azure AD integration | (Removed) |

Support for macOS

This version of Knox Manage adds macOS to its supported device platforms. For the time being, the Ventura release of the OS is supported. You can now enroll Macs using Apple Automated Device Enrollment (ADE). The following management features are supported for this release:

  • You can view device details related to security, general information, and networking.

  • You can use Volume Purchase Program (VPP) for public app management. The apps are synced with the Apple Business Manager (ABM) console. Apps supported by both iOS and macOS are registered separately in the Knox Manage console, but share a single license.

  • You can use device commands and apply policies, similar to other platforms. The supported policies and device commands are:

    | Category | Policies |
    | --- | --- |
    | System | Camera; Screen capture; Manual installation for profile; Factory reset; USB restricted mode |
    | Security | Passcode policies; Passcode modification; Screen unlock with Touch ID; Touch ID timeout (min) |
    | iCloud | Private relay; Document synchronization |
    | Configurations | Wi-Fi, Certificate |

    | Category | Device commands |
    | --- | --- |
    | Device | Push profile; Lock device; Factory reset; Power off device; Reboot device |
    | Knox Manage | Unenroll device |
    | Device info. | Sync device information; Sync installed app list |

Improvements to shared profiles for Android

Previously, you could only apply the staging device settings to a staging user. Moreover, the settings were limited to a smaller set of options as compared to other users.

With Knox Manage 23.12, you can now apply regular Android Enterprise profiles to staging users on shared devices. You can find the updated staging user profile settings at Profile > Kiosk & Staging > Staging Device Settings while managing profiles.

Kiosk & Staging policy menu in the Knox Manage console

Important

You must manually migrate existing staging devices to the new settings. To do so, on the Kiosk & Staging page, create a new profile for the staging user with the required settings. On the Setting > Configuration > Staging Device page, click Push Profile to apply the profile to the staging user, which automatically also updates the Knox Manage agent on the device to the 23.12 version. The Staging Device menu option isn’t available for new customers or for customers who don’t have any enrolled staging devices, or if their staging devices are disconnected or their licenses expired.

Staging Device page with the Migrate button

Additionally, when setting up an APN for an Android Enterprise shared device, the APN settings now automatically apply to secondary users, too. Previously, the APN settings were applied only to the staging user.

Updates to Bluetooth policy for Android

With Knox Manage 23.12, the Interface policy group for Android Enterprise is renamed to Connectivity.

Additionally, the Bluetooth > Data Transfer policy is deprecated. Existing profiles that set this policy will continue to apply it to devices, but it can’t be modified in the profile itself.

The configurations previously available through the Data Transfer policy are now included in the Bluetooth Share policy. When saving the profile, you’ll be prompted to verify updates to the Bluetooth Share policy values. The following table shows how the values are mapped between the policies:

| Data transfer policy value (Android 5 and higher) | Bluetooth Share policy value (Android 8 and higher) | Changes |
| --- | --- | --- |
| Disallow | Allow, Disallow | If the Bluetooth Share policy is set to N/A or Allow, it's changed to Allow. If the Bluetooth Share policy is set to Disallow, sharing is turned off for devices running Android 8 and lower. |
| Allow | N/A, Allow, Disallow | No change. The Bluetooth Share policy continues to apply to devices. |
| N/A | N/A, Allow, Disallow | No change. The Bluetooth Share policy continues to apply to devices. |

New policy for custom wallpaper for Android

Previously, background images were resized to fit the screen, which reduced the image quality.

With Knox Manage 23.12, a new Screen Orientation policy is available, with Portrait and Landscape orientation values available to better fit custom wallpapers on the screen, removing the need to resize the image.

Screen Orientation settings for custom wallpaper

For more information, see Application policies for Android Enterprise.

New and updated app restriction policies for Android

With Knox Manage 23.12, the app restriction policies are updated as follows:

| Policy | Change |
| --- | --- |
| App Execution Blocklist Setting | Updated policy. Excluded apps now remain in the app list as icons, but they can’t be launched. |
| Hide Apps Setting | New policy. Specifies apps that must be hidden in the interface. |

App Execution Blocklist and Hide App policies for Android Enterprise devices

Changes to 802.1xEAP policy for Android

Previously, configuring the 802.1xEAP policy required you to also set a CA certificate and either Domain or Alternate Subject.

With Knox Manage 23.12, for devices running Android 13 and higher, including Wear OS devices, no additional policies are required if you set Trust On First Use to Use. However, if Trust On First Use, CA certificate, and Domain are each set, the values for CA certificate and Domain take precedence.

Trust On First Use policy for Wi-Fi on Android Enterprise devices

Enhancement to Location policy for work profile devices on Android

Previously, when enrolling a device with a work profile, the device user was always asked to provide location permissions, even if no location policies were set.

With Knox Manage 23.12, work profiles no longer require location permissions unless the Report Device Location policy is configured.

| Report Device Location value | Impact on work profile |
| --- | --- |
| Allow | Immediately upon enrollment, the device user is prompted to provide permission to enable location tracking on the device. |
| User Consent | The device’s location is polled periodically, and a persistent notification asks the device user to consent to full monitoring. If they consent to the monitoring, then the notification is dismissed. |

Location tracking permission notification during device enrollment

Enhancements for Android kiosks

For improved security, you can now set a limit on the number of attempts a device user can take to exit kiosk mode. If they exceed the limit, they must wait 10 or 30 minutes before they can try again.

Option to specify the maximum number of attempts for exiting a kiosk

Additionally, you can choose to hide or show the information icon displayed on the kiosk screen.

Information icon displayed on the kiosk screen

New ID in work profile devices for AMAPI

Starting in Knox Manage 23.12, AMAPI devices enrolled with work profiles are provided an enrollment-specific ID. This ID is used instead of standard device identifiers, such as serial number and IMEI/MEID, which are hidden in work profiles. You can view this new ID on the Device Details page, on the Device Information tab, as Enrollment Specific ID.

Enrollment Specific ID for AMAPI work profile devices

For Wear OS kiosks running Wear OS 4, several policy changes are available. These policies relate to sound, widget tiles, and the interface.

| Policy | Change |
| --- | --- |
| Sound Mode Settings | New policy. Specifies whether users can change sound modes on the device. |
| Sound Mode > Vibrate with Sound | New policy. Controls vibration when the Sound mode policy is set to Sound. |
| Widget Tile Settings | New policy. Allows the device user to add or remove widget tiles. |
| Quick Panel & Notifications | Updated policy. New Notification only value shows the notification drawer but hides the quick panel. |

Administrative templates for Group Policy in Windows

Knox Manage 23.12 lets you populate Windows policies in the Knox Manage console using administrative templates. For example, you can configure Microsoft Defender Antivirus by building a template that sets the service’s policies.

To add an administrative template, in the Administrative Templates > List policy, click Add, and then work through each policy you wish to set.

Using administrative templates for Windows Group Policy

Ability to monitor Chromebooks in the Brazil region

Knox Manage 23.12 comes with a new location monitoring service that enables you to efficiently keep track of managed Chromebooks if you operate a tenant in the Brazil region.

Chromebooks are monitored by installing a new Chrome extension called Samsung Knox Manage, available for Brazilian users on the Chrome web store. On the Knox Manage console, add the extension as an app and assign it to an organization. You can also force-install the extension on individual Chromebooks. Once installed, you can review the location data of the devices from the console.

For detailed instructions on this topic, see Check the location of ChromeOS devices in Brazil.

Location tracking data of Chrome OS devices in the Knox Manage console

New agent policy for collecting location data

With Knox Manage 23.12, a new Knox Manage agent policy — Allow Collecting Location Data — lets you track a Windows or iOS device’s location during enrollment and according to the scheduled software inventory collection cycle.

Allow Collecting Location Data policy for tracking iOS/Windows devices

Knox Asset Intelligence integration with Knox Manage

Knox Manage 23.12 integrates Knox Asset Intelligence directly into the Knox Manage console for a more streamlined enrollment process. You can now deploy the intelligence service to devices in a small number of clicks on the Setting > Android > Knox Asset Intelligence page.

When deploying the service, the Knox Asset Intelligence agent automatically installs on devices, which are granted the permissions it needs. You can then find intelligent data about devices on their details page.

Knox Asset Intelligence set up in Knox Manage console

For more information, see Enroll devices.

Enhancements to admin management

With Knox Manage 23.12, you can now grant sub-admins the ability to access and manage reports.

Option to provide sub-admins access to reports in the Knox Manage console

Additionally, you can also export the list of admins as a spreadsheet.

Export in Excel button to export a list of all administrators

For more information, see Add an administrator.

After a license expires, most Knox Manage features are restricted on devices. With Knox Manage 23.12, the following additional changes apply to Android devices after the license expires:

  • Device inventory syncing is restricted
  • The Day & Time event profile is restricted
  • Knox Manage agent versions lower than 23.09 are now supported

Enhancements to device information

On the Device page, you can now search for a device by its integrated circuit card ID (ICCID). The device list also now has a column for ICCIDs.

Lastly, the Device Details page now has an ICCID Information field for eSIMs on iOS devices.

ICCID information on the Device page

Updates to the Custom Animation policy for Samsung devices

Previously, the Custom Animation policy was only available with a Knox Suite Premium license.

With the latest licensing changes, the policy is now available for all license types.

The Premium icon is now also removed from the interface.

Terminology updates for Android Enterprise and Samsung Knox policies

With Knox Manage 23.12, the Android Enterprise and Samsung Knox policies are renamed and reorganized as follows:

| Previous category | Previous policy name | New category | New policy name |
| --- | --- | --- | --- |
| System | System Update | System | System Updates |
| | Automatic Date and Time | | Date and Time |
| Interface | Wi-Fi Change | Connectivity | Wi-Fi Setting |
| Password | Password | Lock Screen | Screen Lock Policies |
| | Minimum Complexity (Android 12 or later) | | Set Minimum Complexity |
| | Minimum Strength (Android 11 or earlier) | | Set Minimum Strength |
| | Minimum Number of Letters | | Minimum Letters |
| | Minimum Number of Non-Letters | | Minimum Non-Letters |
| | Minimum Number of Lowercase Letters | | Minimum Lowercase Letters |
| | Minimum Number of Capital Letters | | Minimum Capital Letters |
| | Minimum Number of Numeric Characters | | Minimum Numeric Characters |
| | Minimum Number of Special Characters | | Minimum Special Characters |
| | Maximum Number of Sequential Numbers | | Maximum Sequential Numbers |
| | Maximum Number of Sequential Characters | | Maximum Sequential Characters |
| | Password Lifecycle Settings (Android 6 or later) | | Screen Lock Requirements |
| | Password Expiration Timeout (Days) | | Screen Lock Expiration (days) |
| | When to Send Notification Before Expiration (Fully Managed) | | Send Notification Before Expiration (Fully Managed) |
| | Maximum Failed Login Attempts | | Unlock Attempt Limit |
| | If the Maximum Failed Login Attempts Are Exceeded (Fully Managed, Fully Managed with Work Profile) | | Take Action If Attempts Are Exceeded (Fully Managed, Fully Managed with Work Profile) |
| | If the Maximum Failed Login Attempts Are Exceeded (Work Profile) | | Take Action If Attempts Are Exceeded (Work Profile) |
| | Password Required Range (hours) | | Screen Lock Timer (hours) |
| | Password History | | Screen Lock History |
| | If Password Compliance is Violated | | Screen Lock Compliance Violation |
| | Maximum Screen Timeout | | Maximum Screen Timeout Allowed |
| Kiosk | Set Application | Kiosk | Kiosk Package Name |
| | App Auto Update | | Automatic App Updates |
| | File Upload | | File Uploads |
| | Text Copy | | Copy Text |
| | Utilities Setting | | Utilities Settings |
| | - Power | | - Power Off |
| | - Home | | - Home Button |
| | - Key Guard | | - KeyGuard |
| | JavaScript | | Run JavaScript |
| | HTTP Proxy | | Use HTTP Proxy |
| Application | Installation of App from Untrusted Sources | App restrictions | Untrusted App Sources |
| | System App Activation Setting | | System App Reactivation Setting |
| Wi-Fi | Remove Available | Wi-Fi | Allow User to Remove the Network |
| | Attempt Automatic Connection | | Automatically Connect to the Network |

Policy menu changes for Android Enterprise and Samsung Knox

With Knox Manage 23.12, the Android Enterprise and Samsung Knox policy categories are updated as follows:

| Policy | Previous category | New category |
| --- | --- | --- |
| Developer mode | Samsung Knox > System | Android Enterprise > System |
| External SD Card | System | Connectivity |
| Screen Timeout | Security | Lock Screen |
| Maximum Screen Timeout Allowed | Security | Lock Screen |

The following Android Enterprise and Samsung Knox policy values are also updated:

| Policy | Previous values | New values |
| --- | --- | --- |
| System > Camera | Allow, Disallow all | Allow, Disallow |
| Connectivity > Wi-Fi | Allow, Disable off, Disable on | Allow, Force on, Force off |
| Connectivity > Bluetooth | Allow, Disable on | Allow, Force off |
| Kiosk > Automatic App Updates | Use, Do not use | Allow, Disallow |

Enhancements to admin invitations

Previously, two separate admin invitation emails were sent from the Knox Admin Portal and Knox Manage console when adding an admin.

With Knox Manage 23.12, only one common invitation email is sent, from the Knox Admin Portal.

Furthermore, predefined emails and SMS messages are sent in multiple languages based on the country code set for your tenant. Supported languages are Korean, English, French, German, Italian, Portuguese, Spanish, and Polish. For all other country codes, English is the default language.

For more information, see Administrator account overview.

Terminology changes in the Knox Manage console

With Knox Manage 23.12, the following terms have changed on the Knox Manage console:

| Interface component | Previous term | New term |
| --- | --- | --- |
| All | Apply Profile | Push Profile |
| | Password | Screen Lock |
| User page | User | Source |
| Organization page | User | Source |
| Profile page | Manage Control App | Manage System App |
| Android Enterprise EMM Registration Information page | Register | Link |
| | Unregister | Unlink |
| Chrome OS EMM Link Information page | Register | Link |
| | Unregister | Unlink |
| Device page | Last Updated Status | Last Updated |

Additionally, the following components in the interface are also revised:

  • On the Device Details page, the Last Connected information is now displayed as a tooltip in the Last Seen field.
  • On the User page, Apple VPP is added as a new search filter. In the Source column, Apple VPP is displayed as tooltip where applicable.
  • On the Group page, when you delete a group, the changes are pushed to the group’s users immediately.
  • On the Audit Log page, for the Audit Type field you can now choose between Console, Server, and Device. Previously, the available values were Console/Server and Device.

Support for new OS versions

Knox Manage 23.12 supports:

  • Android 14
  • iOS 17

Support for Play Store app feedback

With Knox Manage 23.12, you can now receive feedback from apps on the Play Store to confirm whether apps added to the download blocklist are behaving accordingly.

Improvement to default time zone setting

Previously, upon creating a tenant, the default time zone was GMT (+00:00).

With Knox Manage 23.12, the default time zone is automatically set to that of the capital of the country where the tenant is created.

This release delivers a significant update to Knox cloud infrastructure that further hardens how fields with personally identifiable information (PII) are stored. This update impacts how you can search for PII across all Knox services.

For the technical details about this update, as well as an up-to-date breakdown of how this affects Knox Manage, see Security notice regarding storage and search behavior for PII.
