Knox Platform for Enterprise frequently asked questions

Last updated April 6th, 2026

Before purchase FAQ

To find out what version of Knox Platform for Enterprise your device is running, go to: Settings > About Phone > Software Information > Knox Version.

This is a screenshot of the device menu containing the Knox version. Here, we see that Knox 3.1 is listed under Knox version.

knox-version.png

Looking for more information?

  • See Knox on Android for a list of features available in each release of Knox.

Please visit the Knox Supported Devices page to see a list of currently supported devices.

Attestation is a process that verifies the integrity of a device. It can check if a device has been rooted or is running unauthorized firmware. You might use this feature to ensure you are not handling private or confidential data on a device that might be compromised and be vulnerable to malware.

All Knox devices, beginning with the Galaxy Note 3, support attestation. Devices older than Galaxy Note 3 do not support attestation.

For more information, see:

The Samsung Knox platform has out-of-the-box Single Sign On support. You need to sign on only once to authenticate yourself on a device.

App developers can use Samsung’s SSO API to authenticate their app users. Knox 2.0 introduces support for a Kerberos-based SSO API in addition to Samsung’s original SSO API.

Samsung Knox Platform for Enterprise extends the core functions embedded in the Android operating system, protecting Samsung devices with advanced security and management features. A license is needed to activate Knox Platform for Enterprise on a device.

Starting July 1, 2021, Samsung provides you with Knox Platform for Enterprise Premium (Commercial) licenses at no cost. All Premium Knox Platform for Enterprise licenses (Knox Platform for Enterprise Premium and Knox Platform for Enterprise Customization, both Cloud and On-Premise) are affected by this new Knox Platform for Enterprise policy. Knox Dual Data-At-Rest (DualDAR) and Knox Universal Credential Management (UCM) capabilities aren’t included in this policy change. These solutions remain separate, paid licenses for customers that require them.

For more information about Knox Platform for Enterprise licenses, see Knox Platform for Enterprise licenses.

As of July 1st 2021, Samsung provides Knox Platform for Enterprise Premium licenses at no cost. Samsung’s Knox Platform for Enterprise extends beyond the core security and management functions embedded in the Android operating system. Knox Platform for Enterprise protects Samsung devices with advanced security and management features that are more granular than standard Android features. Knox Platform for Enterprise licenses are designed to be activated and managed from within your existing unified endpoint management (UEM) solution, and are also included as part of Samsung Knox Suite. The Knox Platform for Enterprise Premium license includes 10,000,000 seats which expire two years from date of activation.

For more information about Knox Platform for Enterprise licenses, see Knox Platform for Enterprise licenses.

  1. Which Knox Platform for Enterprise licenses are affected by this policy change?

    All paid Knox Platform for Enterprise licenses (Knox Platform for Enterprise Premium and Knox Platform for Enterprise Customization, both Cloud and On-Premise) are affected by this new Knox Platform for Enterprise policy. Knox Dual Data-At-Rest (DualDAR) and Knox Universal Credential Management (UCM) capabilities are not included in this policy change. These solutions remain separate, paid licenses for those customers that require them.

  2. Are other Knox products affected by this pricing change?

    Only Knox Platform for Enterprise (Knox Platform for Enterprise Premium and Knox Platform for Enterprise Customization, both Cloud and On-Premise) is affected by this policy change.

  3. Does this policy change impact other Knox products?

    No, Knox Platform for Enterprise pricing policy change doesn’t apply to Knox Platform for Enterprise DualDAR, Knox Platform for Enterprise UCM, Knox Suite, Knox E-FOTA, Knox Manage, Knox Configure, and Knox Capture.

  4. I have license keys that expire after July 1, 2021. Do I need to take any action?

    Existing Knox Platform for Enterprise Cloud licenses are updated automatically after July 1, 2021. No action is needed from customers or Knox resellers to extend existing cloud keys. Customers will receive notifications regarding automatic renewal of existing Knox Platform for Enterprise Cloud license keys. Knox Platform for Enterprise On-Premise license key extensions can be extended as needed by customer request. Please contact your Samsung representative to get assistance with Knox Platform for Enterprise On-Premise license needs.

  5. Will Samsung issue refunds for Knox Platform for Enterprise licenses purchased prior to this announcement?

    Samsung will fulfill contractual obligations such as warranty and tech support until the end of the existing Knox Platform for Enterprise license, no refunds will be issued.

  6. What happens to existing license keys? Do they need to be removed or updated within any IT infrastructure?

    Samsung provides any necessary licensing updates (2 years and 10,000,000 copies) to eligible Knox Platform for Enterprise Cloud customers so that they can continue to use their existing licenses beyond July 1, 2021. No action is required for Knox Platform for Enterprise Cloud customers. Knox Platform for Enterprise On-Premise license keys can be extended as needed. Customers should contact their Samsung representative to get assistance with Knox Platform for Enterprise On-Premise licenses.

  7. How will Samsung support existing Knox Platform for Enterprise customers once it is free?

    Samsung will continue to carry contractual obligations such as warranty and tech support until the end of existing Knox Platform for Enterprise licenses. Customers experiencing issues with their Knox Platform for Enterprise deployment or with any Knox product, may submit a ticket with Samsung Knox Support. Customers that need dedicated support can purchase Samsung’s Enterprise Technical Support offering.

  8. I do not use my Samsung devices with a UEM (they are unmanaged). How can I take advantage of Knox Platform for Enterprise?

    Knox Platform for Enterprise capabilities can be embedded directly within mobile apps to create unique solutions on Samsung devices. Customers can gain access to these unique capabilities through our Knox partner solutions. Customers may also embed Knox Platform for Enterprise features within their own in-house apps to leverage the power of our platform for their deployments. Starting on July 1, 2021, customers can request a free Knox Platform for Enterprise key at samsungknox.com.

To activate and run Knox Platform for Enterprise, the device communicates with Knox servers — ELM and KLM — and collects minimal device information for verification. Please refer to the table below for information collected by the Knox servers:

*ELM: Enterprise License Management, KLM: Knox License Management

Knox Platform for Enterprise is not something that each employee can install and activate by themselves, and it needs to be activated and managed by an EMM solution. And so your EMM solution needs to support Knox Platform for Enterprise and its features so that IT admins can install Knox Platform for Enterprise on employees’ devices using the EMM commands.

Most major EMMs support Knox Platform for Enterprise. The process works like this: Samsung distributes the Knox Premium SDK to EMM vendors, who then implements the functions that activate and manage Knox Platform for Enterprise to their EMM server and client using the APIs described in the SDK. When implementation is done, the IT admin will see a menu and options on the console to activate and control the Knox Workspace container.

Knox Workspace leverages and extends the security features of the underlying Knox platform, which is built into Samsung smartphones, tablets, and other devices.

The Knox platform leverages a “completely isolated” hardware region called TrustZone where cryptographic keys are stored, and this area is completely impervious to attack and inaccessible. That’s what Samsung means by “hardware-based” security.

If the device is ever compromised, Knox Workspace is permanently locked because the encryption key for Workspace will never be retrievable from the HW chipset where the key has been stored. Data inside Knox Workspace becomes completely inaccessible, and enterprises keep their important data from being lost or stolen.

No, only Samsung Android smartphones and tablets support Knox Workspace. Because Knox Workspace is a HW-based security solution that has been built on the Knox Platform using ARM TrustZone, it only works on Samsung devices.

Yes. Knox 3.x currently has five US government certifications:

  1. FIPS 140-2: Issued by the National Institute of Standards and Technology (NIST), the Federal Information Processing Standard (FIPS) is a US security standard that helps ensure companies that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information and controlled unclassified information (CUI) can make informed purchasing decisions when choosing devices to use in their workplace. Samsung Knox meets the requirements for FIPS 140-2 Level 1 certification for both data-at-rest (DAR) and data-in-transit (DIT).

  2. DISA Approved STIG: The Defense Information Systems Agency (DISA) is an agency within the US DoD that publishes Security Technical Implementation Guides (STIGs) which document security policies, requirements, and implementation details for compliance with DoD policy.

  3. DISA Approved Product List: DISA has approved select Knox-enabled devices to the US DoD Approved Products List (APL).

    Select Samsung Knox-enabled devices and tablets are certified under the National Information Assurance Partnership (NIAP) Common Criteria (CC) Mobile Device Fundamental Protection Profile (MDFPP).

  4. Common Criteria Certification: The Common Criteria for Information Technology Security Evaluation, commonly referred to as Common Criteria, is an internationally-recognized standard for defining security objectives of information technology products and for evaluating vendor compliance with these objectives. A number of Governments use Common Criteria as the basis for their own certification schemes.

    Select Galaxy devices with Knox embedded received Common Criteria (CC) certification. The current CC certification targets the new Mobile Device Fundamentals Protection Profile (MDFPP) of the National Information Assurance Partnership (NIAP), which addresses the security requirements of mobile devices for use in enterprise. Samsung Knox is approved by the United States government as the first NIAP-validated consumer mobile devices to handle the full range of classified information.

  5. CSfC: Fifteen Samsung devices have been listed in the NSA/CSS’s Commercial Solutions for Classified Program (CSfC) for approved security components.

For more information see Knox Certifications.

If you root your device, you trip the Knox Warranty bit. Knox services do not run on devices that have tripped the Warranty bit, because this indicates a device is rooted and flashed with an unofficial Android build. This security risk means that Knox can no longer ensure your data is protected.

The following Knox services are affected if a Warranty bit is tripped.

Knox Platform for Enterprise

  • Existing Workspaces are permanently locked and the data is no longer accessible.

  • New Workspaces can’t be created.

Knox cloud services

Other secure Samsung services

For more information

Technical FAQ

By design, licenses are periodically and automatically revalidated. However, in certain cases (for example, if a device is offline for an extended period of time), automatic revalidation can’t occur. If a previously activated license is not validated for 180 days, the license assignment will be automatically released. This is called automatic license assignment release.

Exceptions to automatic license assignment do not apply to Knox Platform for Enterprise Standard and Knox Platform for Enterprise Premium licenses.

If you factory reset a device without first unenrolling it from your EMM, that Knox Platform for Enterprise license remains consumed. By design, the assignment isn’t automatically freed.

If you have already wiped a device without unenrolling it from an EMM and want to restore its Knox license seat, use the device deactivation tool. For details, see How to disassociate a device from a Knox Platform for Enterprise license key.

The Knox Platform for Enterprise Premium license is free and includes 10,000,000 seats. It expires 2 years from the date of activation.

If you need more than 10,000,000 assignments, contact your Knox Reseller or your Samsung account representative. You do not need to obtain and activate another Knox Platform for Enterprise license.

If your enterprise is highly regulated and does not allow communication with external servers, you can request the on-premises Knox server, which handles license verification within your firewall. Samsung charges an extra fee for this service. For more information, contact your Samsung representative or reseller, or use our Contact Us form.

For Firebase Cloud Messaging, please refer to the Google Firebase documentation.

Services

TERM DESCRIPTION
Samsung Account Samsung Account authentication for Knox services.
Region Region in this contexts refers to the region of origination for the devices. This region is typically, in majority of cases, the region of purchase.
GSLB Samsung Global Load Balancers for High availability and redundancy.
ELM/KLM Enterprise License Management services for License Activation and Tracking
UMC Universal EMM Client is the agent that resides on the device image that launches the KNOX cloud configurator (KCC) and manages policies provisioned to it from the KCC portal
CDN Storage for apps, wallpapers and other potentially sizable data.
API Gateway API Gateway for Samsung Knox E-FOTA service API calls.
Analytics Analytics services for Knox services.

Firewall requirements for Knox license servers

See License servers for Knox products for more information on how you can configure your firewall for servers that require an active license.

Knox Quick Access is only available on Knox 2.9 and below.

Knox Quick Access allows enterprise users to access the Knox Workspace container without re-authentication when paired to a Samsung Gear device. Once connected to a Gear device, the Knox Workspace stays unlocked for a pre-determined time when it is in Bluetooth range with the Gear device.

What is the difference between Knox Quick Access and Google Smart Lock?

  • Google Smart Lock is used to quickly unlock your Android device’s lock screen.
  • Knox Quick Access quickly unlocks the Samsung Knox Workspace container.

Which wearables are compatible With Knox Quick access?

At the moment, only Samsung Gear can be used with Knox Quick Access.

How long does a container stay unlocked when using Knox Quick access?

The default unlock time while using Knox Quick Access is 2 hours. However, this can be adjusted by your IT admin.

New versions of Knox are tied to a specific Android Operating System. Each time you upgrade your OS, Knox is also upgraded — you can’t “download” or “install” a newer version of Knox on its own.

For example, if you recently upgraded your device to Android 11, your Knox version is also automatically upgraded to Knox 3.x.

To check if your device is capable of a Knox upgrade.

  1. Check the Android version that you need for your device to run Knox. Before installing this Android version, do some research on the changes that come with the new version.

  2. Check the Android version currently on your device: Settings > General > About device > Android version.

  3. Check the software updates that are currently available: Settings > General > About device > Software update > Update.

  4. Install the Android update. (Availability depends on your carrier and country. If you are unable to upgrade your Android OS, then you can’t upgrade to a newer version of Knox.)

Looking for more information?

  • Visit Knox on Android for more details on the latest version of Knox Platform for Enterprise.

This FAQ references the Knox Workspace, which is a feature of Knox Platform for Enterprise. This feature also depends on what version of the Knox framework is installed on your device.

Technically, there is no limitation to the third-party containers you can install on a Knox device. However, please note that we can’t guarantee that multiple containers will properly coexist.

Knox 3.0 and above

Note that only one (Samsung) enterprise container and one (Samsung) personal container can be created on the device at one time — it is not possible to have two (Samsung) Workspaces exist simultaneously. For example:

  • A device can have one Knox Workspace (enterprise) and one Secure Folder (personal).

  • A device can’t have both Workspace (enterprise) and Android Work Profile (personal).

Knox 2.9 and below

You can have two enterprise containers and one personal container on a single device.

You may need to combine Knox license keys if your enterprise has purchased two Knox license keys for 2 different Knox products, but your MDM console only allows you to enter a single Knox license key.

For example: You bought a Knox Premium and Knox Workspace license key to access required features. You cannot enter both keys in your MDM. By consolidating the Knox license keys together, you can enter the one license key on your MDM to access all the Knox Premium and Knox Workspace features.

If you already have two Knox license keys and want to consolidate the seats into one license key that can be entered on an MDM console, contact Knox support.

The Samsung Knox warranty bit is a security feature that detects if unofficial software has been installed on your phone. This helps prevent malicious attempts from accessing your data.

The Knox Warranty Bit detects if a non-Knox kernel has been loaded on the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. tripped). If a non-Knox boot loader or kernel has been installed on the device, Knox can no longer guarantee the security of the Knox container. As a result, the Warranty Bit is tripped to 0X1, indicating that this device can no longer use the Knox Workspace (container).

If the Knox bit has tripped:

  • A new Workspace can no longer be created on such a device.

  • The data encrypted and stored in an existing Workspace can no longer be retrieved.

  • Other Samsung services that utilize Knox security stop working (Samsung Pay, Secure Folder.)

Everything else outside the Workspace should be the same as before.

To check whether the Warranty Bit has tripped for new Samsung models:

  1. Connect a compatible USB cable to a powered-on PC.

  2. Power off the device.

  3. Once off, simultaneously press and hold the volume up and volume down buttons.

  4. While holding the buttons, connect the USB cable to the device.

  5. When a warning screen shows, release the buttons and press the volume up button.

  6. The Warranty Bit status (warranty void) is displayed on a screen among other parameters.

  7. Disconnect the USB cable, then simultaneously press and hold the volume up and power buttons for more than 7 seconds to exit and reboot the device.

The image displays the warning screen that appears for users

Method for older devices with a home button

To check whether the Warranty Bit has tripped for older devices:

  1. Power off the device.

  2. Once off, simultaneously press the volume down, home, and power button.

  3. When warning screen is displayed, press the volume up button.

  4. The Warranty Bit status is displayed in upper-left corner.

If the Warranty Bit is tripped, the device displays Knox WARRANTY VOID: 0x01.

If that is the case, there is no way to revert the Warranty Bit and Knox won’t work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.

Additional information

Security Enhancements for Android (SE for Android) prevents apps or processes from accessing data and resources that they are not allowed to. For example, apps outside the Knox container are not allowed to access app data inside the container.

SE for Android provides a Mandatory Access Control (MAC) over traditional Discretionary Access Control (DAC) environments. SE for Android can grant special privileges based specific EMM policies. In DAC environments, since SE for Android controls access of kernel resources, certain apps may not run as intended. Samsung’s MAC feature allows your apps to run properly alongside SE for Android.

SE for Android secures the operating system as follows:

  • Partitions the operating system into security domains. Within each domain, apps are given the minimal permissions they need to function. This contains the damage that might be caused by malicious or flawed apps, as problems in one domain do not spread to another.

  • Uses a policy file to define which users and apps can access which files and resources. You cannot override this policy file and, for example, grant yourself access to files or resources that would otherwise be restricted. To ensure that your device uses the latest policies defined for the latest apps, enable the policy file to be updated automatically.

When SE for Android detects an unauthorized access, it displays a notification message.

Is this page helpful?