- *BASICS*
- The Knox Ecosystem
- White Paper
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- *FOR IT ADMINS*
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Register resellers
- Add an admin
- Create profiles
- Google device owner support
- MDM compatibility matrices
- Device users
- Activity log
- Enroll and unenroll devices
- Configure devices
- Provide KME feedback
- Use the Knox Deployment App (KDA)
- Recover Google FRP locked devices using KME
- Role-based access control (RBAC)
- Release notes
- FAQs
- Troubleshoot
- KBAs
- On-Premise
- Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- View applications
- Add applications
- Introduction
- Add internal Android and iOS applications
- Add internal Windows applications
- Add public applications using Google Play Store
- Add public applications using iOS App Store
- Add public applications using Managed Google Play
- Add public applications using Managed Google Play Private
- Add public applications using Managed Google Play Store Private Web
- Add public applications using Microsoft Store
- Add Chrome OS applications
- Assign applications
- Introduction
- Assign internal Android and iOS apps
- Assign iOS App Store applications
- Assign Google Play applications
- Assign Managed Google Play applications
- Assign Managed Google Play Private applications
- Assign Managed Google Play public web apps
- Assign Windows applications
- Assign Chrome OS applications
- Manage applications
- Volume Purchase Program for iOS
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQs
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Introduction
- Accept or reject devices
- Upload devices
- Delete devices
- Complete payment
- Send payment overdue notification
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQs
- KBAs
- Support
- Samsung Care+ for Business
- *FOR RESELLERS*
- Knox Deployment Program
- *FOR MANAGED SERVICE PROVIDERS*
- Knox MSP Program
MSP release notes— March 24, 2021
Grant sub admin access through role assignment including admin control per MSP customer
An MSP Super Admin—or any sub-admin with admin roles or permissions—can now create custom roles and invite other admins to these roles to manage a selected set of customers and services. This role based access control (RBAC) approach works the same way as roles for any other cloud services, including KME and KC. To know more on how to create, edit, and delete a role, see Manage roles.
The highlights of this feature are as follows:
- Seamless access—Once an MSP admin is granted permissions to access a customer’s service, the admin now has Super Admin level access to the customer’s data, but cannot view or modify the customer’s own role or admins.
- Manage multiple customers—A sub- admin can only manage customers to which they were granted access.
- Customized UI—Depending upon selected permissions, services, and customers, the UI shown to the MSP admin changes.
- Create new roles, including adding access permissions for one or more of the following:
- Manage customer account access permissions, such as adding and editing customer information, as well as linking and delinking customers from MSP.
- View MSP activity logs
- Add or edit MSP admins and other related role based access,
such as invite, add, and manage MSP admins as well as manage MSP
roles.
IMPORTANT—MSP admins can delete or edit permissions for other admins, making it important that you exercise caution when giving these permissions to a user.
- Edit existing roles
- Delete roles
The RBAC feature within MSP is similar to the feature offered within KC and KME.
Approved MSP admins can manage the Knox E-FOTA service using the MSP portal
Starting with this release, MSP admins can onboard Knox E-FOTA customers and manage their services on the MSP portal. This functionality allows MSP admins to easily manage multiple KCS services and customers from a consolidated view. For example, MSP admins can manage a customer who served with both Knox Mobile Enrollment (KME) and Knox E-FOTA on MSP portal. For Knox E-FOTA management on MSP portal, MSP admins can:
- Onboard Knox E-FOTA customers—The MSP admin can easily onboard Knox E-FOTA customers by migrating existing Knox E-FOTA customers with their customer ID or creating new customers with necessary customer information. In case of migrating existing customers, MSP can start management of their account after receiving consent of the super admin of the customer. This process is the same as the former KC and KME service management.
- Co-manage the Knox E-FOTA service with the customer–If a customer wants to manage their service along with MSP, they can ask for the Full Access permission from the customer.
- Manage Knox E-FOTA service–After customer onboarding, MSP admins
can manage the Knox E-FOTA service for Knox E-FOTA customers just as the
customer IT admins, such as:
- Manage devices
- Create campaigns and assign devices to the campaigns
- Manage licenses
- Manage device groups
- See Activity logs
- Update customer account—During management, MSP admins can update customer information like their address or phone number. MSP admins can also add managed services for the customer or add customer access permissions, such as changing No access permissions to Full access.
- Delink Knox E-FOTA customer—If a customer and the MSP admin agree to terminate their association with MSP, MSP admins can initiate the Delink process. Once the customer agrees to delink their account, then the customer is deleted from the MSP portal and MSP admins can no longer manage the customer’s account and services.
MSP admins receive necessary notification emails just like a customer IT admin.
For instructions to onboard an existing customer, see Add an existing customer.
Allow MSP to change "no access" MSP Customer "contact person" email address and first/last name
When an MSP admin creates an account on behalf of their customer, they need to provide certain important details, including their email address as well as first and last name. For customer accounts where the contact details of the default contact person are no longer valid, MSP admins can now change the first and last name as well as the contact email address associated with the customer ID. For instructions, see Edit customer account details.
The most common reason for changing this information is when one person leaves the company and another person is added as a replacement. The second reason is if the customer is added with a non-work email address and later on the MSP admin wants to delink the personal email address or give the customer full access. In such cases, you can only use a work email contact address. Changing the contact information does not change the customer ID.
MSP view integrated with Knox Admin Portal implementation
The initial MSP home page is linked to the customer’s services. This situation only arises if the MSP admin is managing a customer with both KME and KC services. For MSP admins whose customers have more than one service, when the MSP admin clicks the KC — Active link on the customer list view of the MSP portal, the Knox Admin Portal > KC page opens, even if the default Knox Admin Portal view is set to KME, thereby over-riding any user preference settings. Conversely, when the MSP admin clicks the KME – Active link on the customer list view of the MSP portal, the Knox Admin Portal > KME page opens.
Improvements to the delink feature
This release includes the following enhancements and improvements to the delink feature.
- Freeze customer information for Delink Pending Status—The delinking process includes an enhancement that helps secure customer information from unintentional changes. When the MSP admin sends a delink request to the customer, and if the customer has not accepted that request, the status of the customer account changes to Delink Pending. For accounts with this status, MSP admins can still manage customers providing the appropriate KCS services, but cannot change any customer information available from the Manage Customer Account menu.
- MSP can resend the Delink email request—MSP admins can now resend an email request to delink the customer account and stop managing their KCS services from within MSP. Resending the request may be necessary to remind customers who have not yet accepted the delink request or have lost access to the original email message.
- Update delink popup text and email body—Once the customer accepts the delink request sent out by an MSP admin, the MSP admin loses all access rights to the customer’s configuration data and all related licenses are transferred back to the customer.
Visual indicator for managed customer
For Full Access customers that can co-manage their service with MSP admins, the customer can now see a visual indicator of being an MSP managed account on top left corner of their portal.
Prevent MSP from changing customer access from "full access" to "no access"
For Full Access customers, MSP admins can no longer change their access level to No Access. For Full Access customers, the access level option button is disabled and a new tooltip explaining this change shows within MSP.
Tooltips shown when changing the customer’s access level
When MSP admins try to change the customer’s access level from No Access to Full Access, they see a tooltip explaining the different access levels and warning them that this change is permanent.
