Enabling DualDAR with Knox Service Plugin
Last updated October 25th, 2024
Prerequisites
- Enable DualDAR in Knox Mobile Enrollment or Knox Mobile Enrollment Direct profile configuration
- UEM to deploy Knox Service Plugin
- Knox DualDAR license Key
- Device with DualDAR 1.1.0 or higher
Supported devices
Android 9
Device Name | Chipset series | DualDAR Version | DualDAR support |
---|---|---|---|
Galaxy S10e | Samsung Exynos | 1.1.0 | Work profile only |
Galaxy S10+ | Qualcomm Snapdragon | 1.1.0 | Work profile only |
*Enabling DualDAR 1.0.2 and 1.0.3 with Knox Service Plugin is not supported.
For more information on equivalent devices, see the NIAP evaluation.
Android 10
Device Name | Chipset series | DualDAR Version | DualDAR support |
---|---|---|---|
Galaxy S20+ | Samsung Exynos/Qualcomm Snapdragon | 1.2.0 | Work profile only |
Galaxy S10e | Samsung Exynos/Qualcomm Snapdragon | 1.2.0 | Work profile only |
For more information on equivalent devices, see the NIAP evaluation.
Android 11
Device Name | Chipset series | DualDAR Version | DualDAR support |
---|---|---|---|
Galaxy S21 Ultra 5G | Samsung Exynos/Qualcomm Snapdragon | 1.3.0 | Work profile only |
Galaxy S20+ 5G | Samsung Exynos/Qualcomm Snapdragon | 1.3.0 | Work profile only |
Galaxy S10e | Samsung Exynos | 1.3.0 | Work profile only |
Galaxy S10+ | Qualcomm Snapdragon | 1.3.0 | Work profile only |
Galaxy Tab Active3 | Samsung Exynos | 1.3.0 | Work profile only |
For more information on equivalent devices, see the NIAP evaluation.
Android 12
Device Name | Chipset series | DualDAR Version | DualDAR support |
---|---|---|---|
Galaxy S22 Ultra 5G | Samsung Exynos | 1.4.1 | Work profile and Fully managed mode |
Galaxy S22 5G | Qualcomm Snapdragon | 1.4.1 | Work profile and Fully managed mode |
Galaxy S21 Ultra 5G | Samsung Exynos/Qualcomm Snapdragon | 1.4.0 | Work profile only |
Galaxy S20+ 5G | Samsung Exynos/Qualcomm Snapdragon | 1.4.0 | Work profile only |
Galaxy S10e | Samsung Exynos | 1.4.0 | Work profile only |
Galaxy S10+ | Qualcomm Snapdragon | 1.4.0 | Work profile only |
Galaxy Tab Active3 | Samsung Exynos | 1.4.0 | Work profile only |
Galaxy XCover 6 | Qualcomm Snapdragon | 1.4.0 | Work profile only |
Galaxy Tab Active4 Pro | Qualcomm Snapdragon | 1.4.0 | Work profile only |
For more information on equivalent devices, see the Spring NIAP evaluation and Fall NIAP evaluation.
Android 13
Device Name | Chipset series | DualDAR Version | DualDAR support |
---|---|---|---|
Galaxy S23 Ultra 5G | Qualcomm Snapdragon | 1.5.1 | Work profile and Fully managed mode |
Galaxy S22 Ultra 5G | Samsung Exynos/Qualcomm Snapdragon | 1.5.1 | Work profile and Fully managed mode |
Galaxy S21 Ultra 5G | Samsung Exynos/Qualcomm Snapdragon | 1.5.1 | Work profile and Fully managed mode |
Galaxy S20+ 5G | Samsung Exynos | 1.5.0 | Work profile only |
Galaxy S20+ 5G | Qualcomm Snapdragon | 1.5.0 | Work profile only |
Galaxy Z Flip5 5G | Qualcomm Snapdragon | 1.5.1 | Work profile and Fully managed mode |
Galaxy XCover6 Pro | Qualcomm Snapdragon | 1.5.1 | Work profile and Fully managed mode |
Galaxy Tab Active3 | Samsung Exynos | 1.5.0 | Work profile only |
Galaxy S23 FE | Samsung Exynos/Qualcomm Snapdragon | 1.5.1 | Work profile and Fully managed mode |
For more information on equivalent devices, see the Spring NIAP evaluation and Fall NIAP evaluation.
Android 14
Device Name | Chipset Vendor | DualDAR Version | DualDAR support |
---|---|---|---|
Galaxy S24 Ultra 5G | Qualcomm Snapdragon | 1.6.0 | Work profile and Fully managed mode |
Galaxy S24 5G | Samsung Exynos | 1.6.0 | Work profile and Fully managed mode |
Galaxy S23 Ultra 5G | Qualcomm Snapdragon | 1.6.0 | Work profile and Fully managed mode |
Galaxy S22 Ultra 5G | Samsung Exynos | 1.6.0 | Work profile and Fully managed mode |
Galaxy S22 5G | Qualcomm Snapdragon | 1.6.0 | Work profile and Fully managed mode |
Galaxy S21 Ultra 5G | Samsung Exynos/Qualcomm Snapdragon | 1.6.0 | Work profile and Fully managed mode |
Galaxy XCover6 Pro | Qualcomm Snapdragon | 1.6.0 | Work profile and Fully managed mode |
For more information on equivalent devices, see the NIAP evaluation.
How to enable DualDAR for Fully managed or WP-C devices
In order to successfully deploy and activate DualDAR through the Knox Service Plugin, you must enable DualDAR in the Knox Mobile Enrollment or Knox Mobile Enrollment Direct configuration.
- On your UEM portal, go to KSP Configuration.
- On the KPE configuration page:
  - If your UEM uses profiles, enter the profile name.
  - Enter the KPE Premium key.
- Under Device-wide policies, set Enable device policy controls to True.
- Set Enable password policy controls with KSP > Passcode Policy to True.
- Expand Dual Data-at-Rest (DAR) Encryption, then set the following:
  - Enable Dual DAR Controls — true.
  - Data lock timeout type — Select a data lock type. This feature locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until the device user provides the credential again.
  - Data lock timeout value (in minutes) — Enter a lockout duration higher than 5.
  - Restrict access to device encrypted (DE) storage — false.
  - List of apps approved to access DE storage — Enter one or more app package names. For example, com.android.messages.
  - Set password minimum length for inner layer — Enter a minimum length for the inner layer password at DualDAR for fully managed devices.
  - Set a new password for inner layer — Enter a new password for the inner layer at DualDAR for fully managed devices. The password must be stronger than the minimum quality. For example, if the minimum quality is numeric, then you must enter an alphanumeric password.
How to enable DualDAR for work profiles
Ensure you have enabled DualDAR in the Knox Mobile Enrollment or Knox Mobile Enrollment Direct configuration in order to successfully deploy and activate the DualDAR feature through Knox Service Plugin.
- On your UEM portal, go to the KSP Configuration.
- On the initial KPE screen:
  - Enter the profile name if applicable (some UEMs don’t require this).
  - Enter the KPE Premium key.
- Click Work Profile Policies (which drops down additional configurations) and, under it, set Enable Work Profiles to True.
- Set Enable password policy controls with KSP > Passcode Policy to True.
- Set Work Profile Configuration > Enable Work Profile Configuration Controls to True.
- Click Dual Data-at-Rest (DAR) Encryption (which drops down additional configurations), then set the following:
  - Enable Dual DAR Controls set to True.
  - Data lock timeout type set to any option in the drop-down.
    - Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until the user provides the credential again.
  - Data lock timeout value (in minutes) set to any value above 1.
    - Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to specified value.
  - List of apps approved to access DE storage.
    - List each application’s package name (example: com.android.messages).
How to verify if DualDAR is enabled on a device
Verify through Knox Service Plugin
- Go to your Work Profile and click on Knox Service Plugin.
- Click on Configuration on date & time.
- Configuration results show Dual Data-at-rest(DAR) Encryption as successful.
Verify through device settings
- Go to Settings (gear icon).
- Navigate to About phone > Software information.
- Under the Knox version section, check the DualDAR version.
If DualDAR is enabled, it’s indicated next to the DualDAR version. If not, only the DualDAR version number is shown.