Knox Platform for Enterprise frequently asked questions
Last updated April 6th, 2026
Before purchase FAQ
To find out what version of Knox Platform for Enterprise your device is running, go to: Settings > About Phone > Software Information > Knox Version.
This is a screenshot of the device menu containing the Knox version. Here, we see that Knox 3.1 is listed under Knox version.

Looking for more information?
- See Knox on Android for a list of features available in each release of Knox.
Please visit the Knox Supported Devices page to see a list of currently supported devices.
Attestation is a process that verifies the integrity of a device. It can check if a device has been rooted or is running unauthorized firmware. You might use this feature to ensure you are not handling private or confidential data on a device that might be compromised and be vulnerable to malware.
All Knox devices, beginning with the Galaxy Note 3, support attestation. Devices older than Galaxy Note 3 do not support attestation.
For more information, see:
- Enhanced Attestation: Enhanced Attestation (v3)
- How attestation works: Knox White Paper
- How the Knox platform works: Knox White Paper
The Samsung Knox platform has out-of-the-box Single Sign On support. You need to sign on only once to authenticate yourself on a device.
App developers can use Samsung’s SSO API to authenticate their app users. Knox 2.0 introduces support for a Kerberos-based SSO API in addition to Samsung’s original SSO API.
Samsung Knox Platform for Enterprise extends the core functions embedded in the Android operating system, protecting Samsung devices with advanced security and management features. A license is needed to activate Knox Platform for Enterprise on a device.
Starting July 1, 2021, Samsung provides you with Knox Platform for Enterprise Premium (Commercial) licenses at no cost. All Premium Knox Platform for Enterprise licenses (Knox Platform for Enterprise Premium and Knox Platform for Enterprise Customization, both Cloud and On-Premise) are affected by this new Knox Platform for Enterprise policy. Knox Dual Data-At-Rest (DualDAR) and Knox Universal Credential Management (UCM) capabilities aren’t included in this policy change. These solutions remain separate, paid licenses for customers that require them.
For more information about Knox Platform for Enterprise licenses, see Knox Platform for Enterprise licenses.
To activate and run Knox Platform for Enterprise, the device communicates with Knox servers — ELM and KLM — and collects minimal device information for verification. Please refer to the table below for information collected by the Knox servers:

*ELM: Enterprise License Management, KLM: Knox License Management
Knox Platform for Enterprise is not something that each employee can install and activate themselves; it must be activated and managed by an EMM solution. Your EMM solution therefore needs to support Knox Platform for Enterprise and its features so that IT admins can install Knox Platform for Enterprise on employees’ devices using EMM commands.
Most major EMMs support Knox Platform for Enterprise. The process works like this: Samsung distributes the Knox Premium SDK to EMM vendors, who then implement the functions that activate and manage Knox Platform for Enterprise in their EMM server and client using the APIs described in the SDK. When implementation is done, the IT admin sees a menu and options on the console to activate and control the Knox Workspace container.
Knox Workspace leverages and extends the security features of the underlying Knox platform, which is built into Samsung smartphones, tablets, and other devices.
The Knox platform leverages a “completely isolated” hardware region called TrustZone where cryptographic keys are stored, and this area is completely impervious to attack and inaccessible. That’s what Samsung means by “hardware-based” security.
If the device is ever compromised, Knox Workspace is permanently locked because the encryption key for Workspace will never be retrievable from the HW chipset where the key has been stored. Data inside Knox Workspace becomes completely inaccessible, and enterprises keep their important data from being lost or stolen.
No, only Samsung Android smartphones and tablets support Knox Workspace. Because Knox Workspace is a HW-based security solution that has been built on the Knox Platform using ARM TrustZone, it only works on Samsung devices.
Yes. Knox 3.x currently has five US government certifications:
- FIPS 140-2: Issued by the National Institute of Standards and Technology (NIST), the Federal Information Processing Standard (FIPS) is a US security standard that helps ensure companies that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information and controlled unclassified information (CUI) can make informed purchasing decisions when choosing devices to use in their workplace. Samsung Knox meets the requirements for FIPS 140-2 Level 1 certification for both data-at-rest (DAR) and data-in-transit (DIT).
- DISA Approved STIG: The Defense Information Systems Agency (DISA) is an agency within the US DoD that publishes Security Technical Implementation Guides (STIGs) which document security policies, requirements, and implementation details for compliance with DoD policy.
- DISA Approved Product List: DISA has approved select Knox-enabled devices to the US DoD Approved Products List (APL).
  Select Samsung Knox-enabled devices and tablets are certified under the National Information Assurance Partnership (NIAP) Common Criteria (CC) Mobile Device Fundamental Protection Profile (MDFPP).
- Common Criteria Certification: The Common Criteria for Information Technology Security Evaluation, commonly referred to as Common Criteria, is an internationally-recognized standard for defining security objectives of information technology products and for evaluating vendor compliance with these objectives. A number of Governments use Common Criteria as the basis for their own certification schemes.
  Select Galaxy devices with Knox embedded received Common Criteria (CC) certification. The current CC certification targets the new Mobile Device Fundamentals Protection Profile (MDFPP) of the National Information Assurance Partnership (NIAP), which addresses the security requirements of mobile devices for use in enterprise. Samsung Knox is approved by the United States government as the first NIAP-validated consumer mobile devices to handle the full range of classified information.
- CSfC: Fifteen Samsung devices have been listed in the NSA/CSS’s Commercial Solutions for Classified Program (CSfC) for approved security components.
For more information see Knox Certifications.
If you root your device, you trip the Knox Warranty bit. Knox services do not run on devices that have tripped the Warranty bit, because this indicates a device is rooted and flashed with an unofficial Android build. This security risk means that Knox can no longer ensure your data is protected.
The following Knox services are affected if a Warranty bit is tripped.
Knox Platform for Enterprise
- Existing Workspaces are permanently locked and the data is no longer accessible.
- New Workspaces can’t be created.
Knox cloud services
- All Knox cloud services stop working because they rely on a Knox license key to operate — For example, Knox Mobile Enrollment, Knox Configure, and Knox Manage.
Other secure Samsung services
- Samsung E-FOTA stops working.
- Unique Knox security features stop working, such as Real Time Kernel Protection (RKP), or Device Attestation.
- Other Samsung services that require Knox stop working — for example, Samsung Pay and Secure Folder.
For more information
- How the Knox platform works: Knox Whitepaper
Technical FAQ
By design, licenses are periodically and automatically revalidated. However, in certain cases (for example, if a device is offline for an extended period of time), automatic revalidation can’t occur. If a previously activated license is not validated for 180 days, the license assignment will be automatically released. This is called automatic license assignment release.
Exceptions to automatic license assignment do not apply to Knox Platform for Enterprise Standard and Knox Platform for Enterprise Premium licenses.
If you factory reset a device without first unenrolling it from your EMM, that Knox Platform for Enterprise license remains consumed. By design, the assignment isn’t automatically freed.
If you have already wiped a device without unenrolling it from an EMM and want to restore its Knox license seat, use the device deactivation tool. For details, see How to disassociate a device from a Knox Platform for Enterprise license key.
The Knox Platform for Enterprise Premium license is free and includes 10,000,000 seats. It expires 2 years from the date of activation.
If you need more than 10,000,000 assignments, contact your Knox Reseller or your Samsung account representative. You do not need to obtain and activate another Knox Platform for Enterprise license.
If your enterprise is highly regulated and does not allow communication with external servers, you can request the on-premises Knox server, which handles license verification within your firewall. Samsung charges an extra fee for this service. For more information, contact your Samsung representative or reseller, or use our Contact Us form.
For Firebase Cloud Messaging, please refer to the Google Firebase documentation.
Services
| TERM | DESCRIPTION |
|---|---|
| Samsung Account | Samsung Account authentication for Knox services. |
| Region | Region in this context refers to the region of origination for the devices. In the majority of cases, this is the region of purchase. |
| GSLB | Samsung Global Load Balancers for High availability and redundancy. |
| ELM/KLM | Enterprise License Management services for License Activation and Tracking |
| UMC | Universal EMM Client is the agent that resides on the device image that launches the KNOX cloud configurator (KCC) and manages policies provisioned to it from the KCC portal |
| CDN | Storage for apps, wallpapers and other potentially sizable data. |
| API Gateway | API Gateway for Samsung Knox E-FOTA service API calls. |
| Analytics | Analytics services for Knox services. |
Firewall requirements for Knox license servers
See License servers for Knox products for more information on how you can configure your firewall for servers that require an active license.
See App Security.
Knox Quick Access is only available on Knox 2.9 and below.
Knox Quick Access allows enterprise users to access the Knox Workspace container without re-authentication when paired to a Samsung Gear device. Once connected to a Gear device, the Knox Workspace stays unlocked for a pre-determined time when it is in Bluetooth range with the Gear device.
What is the difference between Knox Quick Access and Google Smart Lock?
- Google Smart Lock is used to quickly unlock your Android device’s lock screen.
- Knox Quick Access quickly unlocks the Samsung Knox Workspace container.
Which wearables are compatible with Knox Quick Access?
At the moment, only Samsung Gear can be used with Knox Quick Access.
How long does a container stay unlocked when using Knox Quick Access?
The default unlock time while using Knox Quick Access is 2 hours. However, this can be adjusted by your IT admin.
New versions of Knox are tied to a specific Android Operating System. Each time you upgrade your OS, Knox is also upgraded — you can’t “download” or “install” a newer version of Knox on its own.
For example, if you recently upgraded your device to Android 11, your Knox version is also automatically upgraded to Knox 3.x.
To check if your device is capable of a Knox upgrade:
- Check the Android version that you need for your device to run Knox. Before installing this Android version, do some research on the changes that come with the new version.
- Check the Android version currently on your device: Settings > General > About device > Android version.
- Check the software updates that are currently available: Settings > General > About device > Software update > Update.
- Install the Android update. (Availability depends on your carrier and country. If you are unable to upgrade your Android OS, then you can’t upgrade to a newer version of Knox.)
Looking for more information?
- Visit Knox on Android for more details on the latest version of Knox Platform for Enterprise.
This FAQ references the Knox Workspace, which is a feature of Knox Platform for Enterprise. This feature also depends on what version of the Knox framework is installed on your device.
Technically, there is no limitation to the third-party containers you can install on a Knox device. However, please note that we can’t guarantee that multiple containers will properly coexist.
Knox 3.0 and above
Note that only one (Samsung) enterprise container and one (Samsung) personal container can be created on the device at one time — it is not possible to have two (Samsung) Workspaces exist simultaneously. For example:
- A device can have one Knox Workspace (enterprise) and one Secure Folder (personal).
- A device can’t have both Workspace (enterprise) and Android Work Profile (personal).
Knox 2.9 and below
You can have two enterprise containers and one personal container on a single device.
You may need to combine Knox license keys if your enterprise has purchased two Knox license keys for two different Knox products, but your MDM console only allows you to enter a single Knox license key.
For example: You bought a Knox Premium and Knox Workspace license key to access required features. You cannot enter both keys in your MDM. By consolidating the Knox license keys together, you can enter the one license key on your MDM to access all the Knox Premium and Knox Workspace features.
If you already have two Knox license keys and want to consolidate the seats into one license key that can be entered on an MDM console, contact Knox support.
The Samsung Knox warranty bit is a security feature that detects if unofficial software has been installed on your phone. This helps prevent malicious attempts from accessing your data.
The Knox Warranty Bit detects if a non-Knox kernel has been loaded on the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. tripped). If a non-Knox boot loader or kernel has been installed on the device, Knox can no longer guarantee the security of the Knox container. As a result, the Warranty Bit is tripped to 0X1, indicating that this device can no longer use the Knox Workspace (container).
If the Knox bit has tripped:
- A new Workspace can no longer be created on such a device.
- The data encrypted and stored in an existing Workspace can no longer be retrieved.
- Other Samsung services that utilize Knox security stop working (Samsung Pay, Secure Folder.)
Everything else outside the Workspace should be the same as before.
To check whether the Warranty Bit has tripped for new Samsung models:
- Connect a compatible USB cable to a powered-on PC.
- Power off the device.
- Once off, simultaneously press and hold the volume up and volume down buttons.
- While holding the buttons, connect the USB cable to the device.
- When a warning screen shows, release the buttons and press the volume up button.
- The Warranty Bit status (warranty void) is displayed on a screen among other parameters.
- Disconnect the USB cable, then simultaneously press and hold the volume up and power buttons for more than 7 seconds to exit and reboot the device.

Method for older devices with a home button
To check whether the Warranty Bit has tripped for older devices:
- Power off the device.
- Once off, simultaneously press the volume down, home, and power buttons.
- When the warning screen is displayed, press the volume up button.
- The Warranty Bit status is displayed in the upper-left corner.
If the Warranty Bit is tripped, the device displays Knox WARRANTY VOID: 0x01.
If that is the case, there is no way to revert the Warranty Bit and Knox won’t work on this device. The only way to get the device back to its original settings is to replace the PBA (Printed Board Assembly) on the device; hardware replacement will be required.
Additional information
Security Enhancements for Android (SE for Android) prevents apps or processes from accessing data and resources that they are not allowed to. For example, apps outside the Knox container are not allowed to access app data inside the container.
SE for Android provides Mandatory Access Control (MAC) over traditional Discretionary Access Control (DAC) environments. SE for Android can grant special privileges based on specific EMM policies. In DAC environments, since SE for Android controls access to kernel resources, certain apps may not run as intended. Samsung’s MAC feature allows your apps to run properly alongside SE for Android.
SE for Android secures the operating system as follows:
- Partitions the operating system into security domains. Within each domain, apps are given the minimal permissions they need to function. This contains the damage that might be caused by malicious or flawed apps, as problems in one domain do not spread to another.
- Uses a policy file to define which users and apps can access which files and resources. You cannot override this policy file and, for example, grant yourself access to files or resources that would otherwise be restricted. To ensure that your device uses the latest policies defined for the latest apps, enable the policy file to be updated automatically.
When SE for Android detects an unauthorized access, it displays a notification message.
- For instructions on how to access SE for Android settings, see the Knox Workspace documentation.
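The interaction between DAC and MAC described above, as an added example that is not Samsung's code and does not use the real SE for Android policy format: a toy model in which the domain names, labels, UIDs and policy table are all constructed for illustration. It shows why a file inside the container that was left world-readable still cannot be reached from a domain outside it, even by a root process.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str  # MAC security domain the process runs in (hypothetical names)

@dataclass(frozen=True)
class File:
    owner_uid: int
    mode: int    # Unix permission bits (the DAC part)
    label: str   # MAC label attached to the file (hypothetical names)

# Constructed policy table: (process domain, file label) -> allowed operations.
# Anything not listed is denied, and no rule lets the personal-side domain
# reach container data.
POLICY = {
    ("container_app", "container_data"): {"read", "write"},
    ("personal_app", "personal_data"): {"read", "write"},
    ("container_app", "shared_media"): {"read"},
    ("personal_app", "shared_media"): {"read"},
}

def dac_allows(proc: Process, f: File, op: str) -> bool:
    """Owner/other permission bits; uid 0 bypasses them (groups omitted)."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2}[op]
    shift = 6 if proc.uid == f.owner_uid else 0
    return bool((f.mode >> shift) & bit)

def mac_allows(proc: Process, f: File, op: str) -> bool:
    """Default deny: the operation must be listed for this domain/label pair."""
    return op in POLICY.get((proc.domain, f.label), set())

def access(proc: Process, f: File, op: str) -> dict:
    """Access is granted only when both the DAC and the MAC check pass."""
    dac, mac = dac_allows(proc, f, op), mac_allows(proc, f, op)
    return {"dac": dac, "mac": mac, "granted": dac and mac}

# Constructed sample objects: a container file left world-readable/writable.
CONTAINER_DOC = File(owner_uid=10100, mode=0o666, label="container_data")
CONTAINER_APP = Process(uid=10100, domain="container_app")
PERSONAL_APP = Process(uid=10200, domain="personal_app")
ROOT_OUTSIDE = Process(uid=0, domain="personal_app")

if __name__ == "__main__":
    for name, proc in [("container app", CONTAINER_APP),
                       ("personal app", PERSONAL_APP),
                       ("root outside container", ROOT_OUTSIDE)]:
        print(f"{name:24} read -> {access(proc, CONTAINER_DOC, 'read')}")
```

In the output, the two processes outside the container show `dac: True` but `mac: False`, which is the case the permission bits alone would have let through.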