Enabling Dual DAR with Knox Service Plugin

Last updated July 26th, 2023

Prerequisites

  • Enable DualDAR in KME or KME Direct profile configuration
  • MDM/UEM to deploy KSP
  • Knox DualDAR license key
  • Device that has Dual DAR 1.1.0 or higher

Supported devices

Android 9
  • Samsung Exynos: Galaxy S10e (Spring 2019)
  • Qualcomm Snapdragon: Galaxy S10+ (Spring 2019)

Android 10
  • Samsung Exynos: Galaxy S20+ (Spring 2020), Galaxy S10e (Spring 2020)
  • Qualcomm Snapdragon: Galaxy S20+ (Spring 2020), Galaxy S10e (Spring 2020)

Android 11
  • Samsung Exynos: Galaxy S21 Ultra (Spring 2021), Galaxy S20+ (Spring 2021), Galaxy S10e (Spring 2021), Galaxy Tab Active3 (Spring 2021)
  • Qualcomm Snapdragon: Galaxy S21 Ultra (Spring 2021), Galaxy S20+ (Spring 2021), Galaxy S10+ (Spring 2021)

Android 12
  • Samsung Exynos: Galaxy S22 (Spring 2022) DO and WP-C PO mode, Tab S8 (Spring 2022) DO and WP-C PO mode
  • Qualcomm Snapdragon: Galaxy S22 (Spring 2022) DO and WP-C PO mode, Tab S8 (Spring 2022) DO and WP-C PO mode

How to enable DualDAR for DO

In order to successfully deploy and activate DualDAR through the Knox Service Plugin, you must enable DualDAR in the Knox Mobile Enrollment or Knox Mobile Enrollment Direct configuration.

  1. Through your EMM of choice, go to KSP Configuration.

  2. On the KPE configuration page:

    1. If your EMM uses profiles, enter the profile name.

    2. Enter the KPE Premium key.

  3. With Enable device policy controls set to True, click Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted), which expands additional configurations.

  4. Set Enable password policy controls with KSP > Passcode Policy to True.

  5. Expand Dual Data-at-Rest (DAR) Encryption, then set the following:

    1. Set Enable Dual DAR Controls to true.

    2. Data lock timeout type — Select a data lock type. This feature locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until the device user provides the credential again.

    3. Data lock timeout value (in minutes) — Enter a lockout duration higher than 5.

    4. Set Restrict access to device encrypted (DE) storage to false.

    5. List of apps approved to access DE storage — Enter one or more app package names. For example, com.android.messages.

    6. Set password minimum length for inner layer — Enter a password minimum length for the inner layer password at DualDAR for fully managed devices.

    7. Set a new password for inner layer — Enter a new password for the inner layer at DualDAR for fully managed devices. The password must be stronger than the minimum quality. For example, if the minimum quality is numeric, then you must enter an alphanumeric password.

How to enable DualDAR for work profiles

Ensure you have enabled DualDAR in the Knox Mobile Enrollment or Knox Mobile Enrollment Direct configuration in order to successfully deploy and activate the DualDAR feature through Knox Service Plugin.

  1. Through your MDM/UEM of choice, go to the KSP Configuration.

  2. On the initial KPE screen:

    1. Enter profile name if applicable (some MDM/UEM don’t require this).

    2. Enter the KPE Premium key.

  3. With Enable Work Profiles set to True, click Work Profile Policies, which expands additional configurations.

  4. Set Enable password policy controls with KSP > Passcode Policy to True.

  5. Set Work Profile Configuration > Enable Work Profile Configuration Controls to True.

  6. Click Dual Data-at-Rest (DAR) Encryption to expand its additional configurations, then set the following:

    1. Set Enable Dual DAR Controls to True.

    2. Set Data lock timeout type to any option in the drop-down.

      • Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until the user provides the credential again.
    3. Set Data lock timeout value (in minutes) to any value above 1.

      • Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to specified value.
    4. List of apps approved to access DE storage.

      • List each application’s package name (for example, com.android.messages).
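
A pre-deployment check of the values entered in the DO and work profile steps above, as an added example that is not Samsung's code or part of the original page. The dict keys, the password quality ordering and the sample values are assumptions for illustration, not KSP's actual configuration schema.

```python
import re

# Hypothetical field names (assumption): KSP's real managed-configuration keys
# are not shown on the page, so these dict keys are illustrative only.
MIN_TIMEOUT = {"DO": 5, "WP": 1}  # page: DO "higher than 5", work profile "above 1"
# Assumed, simplified quality ordering, weakest first.
QUALITY_RANK = {"numeric": 1, "alphabetic": 2, "alphanumeric": 3, "complex": 4}
# Android package name: two or more dot-separated segments, each starting with a letter.
PKG_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

def password_quality(pw):
    """Classify a password into the assumed quality classes above."""
    has_digit = any(c.isdigit() for c in pw)
    has_alpha = any(c.isalpha() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if has_digit and has_alpha:
        return "complex" if has_symbol else "alphanumeric"
    return "alphabetic" if has_alpha else "numeric" if has_digit else None

def lint_dualdar(cfg):
    """Return a list of findings; an empty list means the values pass."""
    mode = cfg.get("mode")
    if mode not in MIN_TIMEOUT:
        return ["mode must be 'DO' or 'WP'"]
    findings = []
    if cfg.get("enable_dualdar_controls") is not True:
        findings.append("Enable Dual DAR Controls is not true")
    timeout = cfg.get("data_lock_timeout_minutes")
    if not isinstance(timeout, int) or timeout <= MIN_TIMEOUT[mode]:
        findings.append(f"data lock timeout must be above {MIN_TIMEOUT[mode]} minutes")
    for pkg in cfg.get("de_storage_apps", []):
        if not PKG_RE.fullmatch(pkg):  # catches stray spaces and single-word names
            findings.append(f"invalid package name: {pkg!r}")
    if mode == "DO":  # inner-layer password settings appear only in the DO steps
        pw = cfg.get("inner_password", "")  # never echoed into findings
        if len(pw) < cfg.get("inner_password_min_length", 0):
            findings.append("inner-layer password shorter than minimum length")
        floor = QUALITY_RANK.get(cfg.get("min_password_quality"), 0)
        if QUALITY_RANK.get(password_quality(pw), 0) <= floor:
            findings.append("inner-layer password not stronger than minimum quality")
    return findings

# Constructed sample values, not taken from a real deployment.
GOOD_DO = {"mode": "DO", "enable_dualdar_controls": True,
           "data_lock_timeout_minutes": 10, "de_storage_apps": ["com.android.messages"],
           "inner_password_min_length": 8, "min_password_quality": "numeric",
           "inner_password": "example-Passw0rd"}
BAD_DO = dict(GOOD_DO, data_lock_timeout_minutes=5,
              de_storage_apps=["com.android.messages "], inner_password="12345678")
```

Calling `lint_dualdar(BAD_DO)` reports the boundary timeout, the package name with a trailing space, and the numeric-only inner-layer password, without printing the password itself.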

How to verify Dual DAR is enabled on a device

Verification method 1 via KSP application

  1. Go to your Work Profile and click on Knox Service Plugin.

  2. Click on Configuration on date & time.

  3. Configuration results should show Dual Data-at-rest(DAR) Encryption as successful.

Verification method 2 via Settings and Work Profile

  1. Navigate to Settings (gear icon).

  2. Scroll down to Work Profile Settings.

  3. Scroll to the very bottom to About Work Profile.

  4. Under version number it will say DualDAR enabled (if successfully configured).
