Knox Manage 25.01 release notes

Last updated January 15th, 2025

New

Introducing Knox Suite Plans

Knox Suite has evolved into a multi-plan offering to better fit your digital transformation journey. As a result, Knox Manage license names have been updated to reflect the new Knox Suite Plans.

Licenses are now auto-assigned and managed from Knox Admin Portal. All license management features and commands, including options to change and assign licenses, have been removed from Knox Manage.

New macOS Knox Manage agent with DMG support

We’ve released a new Knox Manage agent for macOS that supports DMG (Disk Image) format for internal apps. The agent is automatically installed and authenticated during enrollment.

You can deploy DMG apps using the agent, and even specify if they should be automatically or manually installed. In addition, you can manually install VPP and PKG apps, and download and update assigned apps from the agent’s Application Store page.

See Add internal Android, iOS, and macOS apps and Assign internal Android, iOS, macOS, and Windows apps for relevant steps.

New policies

The following policies have been added in 25.01. You can configure policies from Profile > profile name > Modify Policy. To find a specific policy, start typing the policy name in Search Policy.

New Android Enterprise policies

  • Speed Lock
  • Always on VPN
  • 5G Network Slicing

See Android Enterprise policies for details.

New Wear OS policies

  • Indicator only
  • Touch Sensitivity Control

See Wear OS policies for details.

New iOS policies

  • eSIM transfer between devices
  • Web distributed app installation
  • Change device name
  • Device name modification

See iOS policies for details.

Managed Configuration support for Wear OS apps

During Wear OS app assignment, you can now set up a Managed Configuration, just as you can for Android apps. To do so, go to Application > Wear OS app > Assign > Managed Configuration > Set Configuration.

Wear OS device command for push notifications

You can now send a Push Notification command to Wear OS devices to display a brief message title and message (go to Device > Wear OS device name > Device Command > Push Notification).

Option to remove eSIM upon factory resetting Android Enterprise devices

By default, eSIMs are preserved on Android Enterprise devices even after a factory reset. Starting with 25.01, you can choose to remove the eSIM by selecting Remove eSIM upon factory reset while unenrolling a device (Device > device name > Unenroll), or while sending a factory reset device command (Device > device name > Device Command > Factory Reset).

This feature is supported on Fully Managed, Work Profile on company-owned, and Work Profile on personally-owned devices.

Allow or deny file extensions for content file uploads

You can now allow or deny content files based on their file extension type (Setting > Configuration > Basic Configuration > Content). Available options are All, Allowlist, and Denylist.

Updates

Improved device names for Wear OS devices

For Wear OS devices whose IMEI number consists only of zeroes (such as sample devices placed in stores), the Device Name now reflects the serial number instead of the IMEI to make it easier to identify the device.

Improved runtime permissions for Android Enterprise internal apps

For Android Enterprise, you can now specify internal apps in Runtime Permissions for All Apps > App Permission Exception Policy List.

You can now block multiple Samsung Knox (Android Enterprise) apps

The improved App Component Blocklist > App List lets you specify multiple apps to block (separated by “|”).

You must update your Knox Manage agent to version 25.01 and push the latest profiles for this feature to take effect.

Android Enterprise setting page now shows all admin email addresses

Previously, you could only see one admin email address listed in the Android Enterprise setting page, so you had to browse to Managed Google Play to view other admin email addresses for the same organization. Starting with 25.01, all email addresses of Administrator type are automatically synced (Setting > Android > Android Enterprise).

Email addresses of Owner type are synced with the Test & Sync button.

To prevent redirections to other webpages, kiosk open source license screens (accessible from the kiosk info icon) no longer allow quick-sharing links.

Factory Reset Protection for Android Enterprise now correctly requires verification email address

Previously, you could enable Factory Reset Protection for Android Enterprise devices without specifying an email address to receive verification emails. This has been fixed in 25.01.

Device list now shows AMAPI companion app version

The Agent Version column on the Device page now supports displaying and exporting Android Management API companion app version numbers.

Wear OS device details now include eSIM information

The Wear OS device details screen has been enhanced to include SIM Status, SIM Country & Carrier, ICCID Information, and Roaming fields for eSIMs.

Ability to delete unlinked iOS VPP apps

You can now delete iOS VPP apps that don’t have a VPP token linked to the Knox Manage console.

Device location data now available for up to 180 days

The maximum retention period for device location information has been extended from 30 days to 180 days. You can look up device location records from the Check Location page (see View location data for steps).

Custom SAML connection type added

You can now add custom SAML connections to authenticate users. To add a custom SAML connection, go to Setting > Identity & Directory > Connection > Connection Type > Custom SAML.

Findability improvements for devices with unregistered push tokens

Devices that don’t have a push token registered can’t receive device commands sent from Knox Manage. Starting with this version, you can search for matching Android, iOS, and macOS devices using a Push Token Not Registered filter, which is available from the following locations:

  • The Device page (Device > Advance Search > Issues)
  • The Device widget on the Knox Manage Dashboard (Dashboard > Device > issues button, if there are relevant issues)

Android push tokens are registered during enrollment. iOS push tokens are registered when the Knox Manage agent is run.

Display Name field added to multiple report queries

The following report queries now include a Display Name output field for enhanced reporting:

  • Device Basic Information
  • Device Details Information
  • Device by Group
  • Device License
  • Device Command in Request
  • Device Command Queue Count
  • Device Security Status
  • Group Information
  • Organization Information
  • User Basic Information
  • User by Group

For a complete list of output fields, see Report queries.

Email notifications now include the log date for audit events

Tenant email notifications now include a Log date column to distinguish audit events for the same device.

Action required

New step for device users to grant location data access

To comply with Google’s updated User Data Policy, starting with Knox Manage 25.01, Android users who have the Knox Manage app installed in their work profile area must first allow the app to collect location data While using the app or Only this time. After that, they need to select Location permission > Allow all the time for persistent location tracking.

The first part of the process didn’t exist in previous versions, so we recommend communicating this change to your consumers if you rely on device location tracking.

Grant location data access

Unless the device user selects Allow all the time, Knox Manage won’t be able to collect location data, and you can’t view the device’s location in the console or via API call.

Upcoming rate limits for API calls

Starting from 25.07, Knox Manage APIs will allow a maximum of 300-1800 calls per minute. See the 25.01 developer release notes for details.

Depending on your current API usage, this may impact your consumer experience, so your development team needs to make any necessary modifications to apps or integrations before the 25.07 release.

Support ending for SafetyNet Attestation

Google has announced that they will discontinue the SafetyNet Attestation API. The substitute policy, Play Integrity, has been available in Knox Manage since 23.06.

If your Knox Manage agent version is lower than 23.06, you are using the SafetyNet Attestation API, which will not be supported beyond January 31, 2025. Please update your agent to a later version to use Play Integrity and ensure devices are calling the intended API.
