VPN policies
Last updated February 26th, 2025
- VPN policies require a free Knox Platform for Enterprise Premium license.
- To use VPN features on Samsung One UI Core devices, you are required to add the Knox Service Plugin package name com.samsung.android.knox.kpu to the certificate allowlist using the Allow applications to read private keys without alerting user feature under Certificate Management Policies.
Configuring and applying VPN policies with Knox Service Plugin is a two-step process:
- Create a VPN profile configuration — Configure a VPN profile to suit your organization.
- Set VPN policies — These VPN policies govern how the VPN profile configured previously is used. This includes rules such as which managed workspaces and apps should use this VPN.
Create a VPN profile configuration
Under VPN profiles (Premium), create a new configuration or modify an existing one. Then, configure the following fields:
- Profile name — Specify a unique name for this VPN profile. This name is used to identify the profile when you set your VPN policies.
- Vendor — Select the VPN vendor of your VPN client. To use the strongSwan VPN that’s built into the Knox framework, select Knox built-in. If you’re using any other VPN client, ensure that the VPN client is installed before Knox Service Plugin launches.
- Host — Enter the server host as an IP address or domain name. Refer to your VPN provider’s documentation for address formats applicable to your VPN.
- VPN connection type — Select the security protocol used by the VPN to connect to the server. Support for different connection types may vary based on your VPN provider.
- Include UID/PID metadata — Include metadata about the unique identifier of the device user and the processes running on the device.
- Proxy — Configure the proxy server for this VPN profile:
  - Enable Proxy with VPN — Use proxy servers with your VPN connection.
  - Server — Enter the proxy server address. Contact your Network or IT Administrator for this information.
  - Port — Enter the port number the proxy server uses for communication. Contact your Network or IT Administrator for this information.
  - PAC (Proxy auto config) — Specify the URL of your proxy’s automatic configuration file, which determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.
  - Proxy authentication type — The proxy can be used without authentication, or with basic or NTLM authentication using either admin-provided credentials or the device user’s own credentials. Contact your Network or IT Administrator for more information.
  - Username — To use admin-provided credentials, enter the username for the proxy server. Leave this field empty to let the device user supply their own credentials.
  - Password — For proxies that use admin-provided credentials, enter the password that goes with the proxy username. Leave this field empty if you left the username empty, so that the device user supplies their own credentials. Credentials entered here are distributed to every device that receives this profile, so use an account with no privileges beyond proxy access.
- Parameters for Knox built-in VPN (strongSwan) — Use these controls to specify vendor-specific attributes for your Knox built-in VPN client.
  - Authentication type — Select the type of authentication that your Knox built-in VPN client uses. Note: Due to changes made by Google, the following types are not supported on Android 12 and higher: ipsec_xauth_rsa, ipsec_xauth_psk, ipsec_hybrid_rsa. The ipsec_ike2_eap_tls type is supported from Android 14.
  - Auto retry in minutes — When the VPN client is unable to connect, or drops an active connection to the server, it automatically tries to reconnect. Enter the time interval, in minutes, after which the VPN client tries to reconnect. The default interval is two minutes.
  - Identifier — Enter the unique VPN identifier that applies to your VPN provider. This field applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
  - Remote Identifier — Configure a remote identifier for strongSwan VPN clients. The remote identifier is the identity the VPN server is expected to present; it is verified during authentication when the connection is established, so the client only connects to the intended server. Only supported on devices running Knox 3.11 and higher.
  - Pre-shared key — Enter your VPN client’s pre-shared key, a form of password that applies to your VPN client profile. This field applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
  - User certificate alias — Enter the alias that identifies the user certificate used by your VPN client. Your IT admin provides this information when setting up the VPN client profile.
  - CA certificate alias — Enter the alias that identifies the CA certificate used by your VPN client for the ipsec_hybrid_rsa and ipsec_ike2_rsa authentication types. Your IT admin provides this information when setting up the VPN client profile.
  - Server certificate alias — If your client uses ipsec_hybrid_rsa or ipsec_ike2_rsa, enter the alias of the server certificate to use for authenticating connections. Your IT admin provides this information when setting up the VPN client profile.
  - OCSP URL — If your client uses ipsec_ike2_rsa, enter the URL of the OCSP responder used to check the revocation status of certificates for connections. Your IT admin provides this information when setting up the VPN client profile.
- Cisco AnyConnect VPN client settings — Use these controls to specify values for the vendor-specific attributes of your Cisco AnyConnect VPN client. Contact your Network or IT Administrator for more information.
- Pulse Secure VPN client settings — Use these controls to specify the vendor-specific attributes of your Pulse Secure VPN client. Refer to your VPN provider’s documentation for this information.
- NetMotion VPN client settings — Use these controls to specify the vendor-specific attributes of your NetMotion Mobility client. Refer to your VPN provider’s documentation for this information.
- Sectra Mobile VPN settings — Use these controls to specify the vendor-specific attributes of your Sectra Mobile VPN client. Refer to your VPN provider’s documentation for this information.
- USB Tethering — Group of policies to control USB tethering over VPN. You can enable USB tethering over VPN, which allows a list of USB devices to access and share resources with a peer device. Admins can put a security certification in place so that only a designated organization, or user, can use VPN tethering with allowed devices. VPN tethering only works when all of the following conditions are met:
  - The IT admin has allowed this feature from the UEM console for the target device.
  - The user has enabled VPN tethering on their device.
  - The laptop or tablet being connected has previously been allowlisted by the IT admin.
  - The number of VPN connections does not exceed 2.
  USB tethering over VPN is only supported on devices running Knox 3.5 and higher.
Set VPN policies
Now that you have created a VPN profile, set policies that govern how the VPN is used. To do this, go to VPN policy (Premium), and set Enable VPN controls to True. Then, configure the following policies:
- VPN type — Choose where the VPN applies on the device: Device-wide, Work-profile/Separated Apps only, or Selected Apps (Per-app).
- Manage list of apps that use VPN — Specify a list of apps that use the VPN. This setting applies only if you set VPN type to Selected Apps (Per-app).
  - Select apps in the device, in the main user — Specify apps on a fully managed device that use the VPN. If you’re deploying devices with a work profile, this setting configures the personal profile apps that use the VPN. If no apps are specified, then all apps use the VPN by default.
  - Select apps in the Work profile/Separated Apps — Specify apps on WP-C or Separated Apps devices that use the VPN. If no apps are specified, then all apps use the VPN by default.
- Manage list of apps that can bypass VPN — Specify a list of apps that can bypass the VPN and connect to the network directly.
  - Apps in main user — Specify apps on a fully managed device that can bypass the VPN. If no apps are specified, then all apps must use the VPN.
  - Apps in work profile/Separated Apps — Specify apps on a WP-C or Separated Apps device that can bypass the VPN. If no apps are specified, then all apps must use the VPN.
- Show persistent VPN notification — By default, devices display a persistent notification to indicate that they’re connected to a VPN. Disable this setting to remove the persistent notification from your devices. Only supported on devices running Knox 3.11 and higher.
- Name of VPN profile to use — Specify which VPN profile configuration to use. The name must match an existing VPN profile configuration. You can create and configure VPN profiles under VPN profiles (Premium).
- Enable VPN chaining — Enable this setting to route traffic through two VPNs so that it is encrypted twice.
- Name of secondary VPN profile to use — For devices with multiple VPN profiles, specify the name of the outer VPN profile. The inner VPN’s traffic is carried inside this outer tunnel; on the inbound path, the outer VPN decrypts the data before passing it to the inner VPN client. The name must match an existing VPN profile configuration. You can create and configure VPN profiles under VPN profiles (Premium).
A wrong VPN configuration can disconnect your device or work profile from the network, and in some cases render it unrecoverable: if the UEM agent or Knox Service Plugin itself is forced through a VPN that cannot connect, a corrected policy can no longer reach the device. To avoid this issue, Samsung recommends keeping the following applications out of the VPN configuration:
- UEM Agent package — Check with your UEM for details.
- KSP package — com.samsung.android.knox.kpu
- Google services — com.android.vending, com.google.android.gms
Use the Manage list of apps that can bypass VPN setting to list these packages.
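The constraints spelled out in the two steps above (authentication types tied to Android versions, certificate aliases required per authentication type, policy profile names that must match an existing profile, and the bypass list that must keep the management path open) can be checked before a configuration is pushed. The following lint is an added example, not Samsung’s or Knox Service Plugin’s own code: the dict keys it reads are hypothetical stand-ins for the console fields described on this page, not the real KSP managed-configuration keys, and com.example.uemagent is a placeholder for whatever UEM agent package you deploy.

```python
"""Pre-push lint for a Knox Service Plugin VPN profile + policy pair.
Added example, not Samsung's code. The dict keys are hypothetical stand-ins for
the console fields described on this page; the real KSP keys are assumed to differ."""

# Packages Samsung recommends keeping out of the VPN, so that a bad VPN
# configuration cannot cut the device or work profile off from management.
RECOMMENDED_BYPASS = {
    "com.samsung.android.knox.kpu",  # Knox Service Plugin itself
    "com.android.vending",           # Google Play
    "com.google.android.gms",        # Google Play services
}
# Knox built-in (strongSwan) auth types no longer supported on Android 12 and higher.
DROPPED_ON_ANDROID_12 = {"ipsec_xauth_rsa", "ipsec_xauth_psk", "ipsec_hybrid_rsa"}
# Auth types that need both a CA certificate alias and a server certificate alias.
NEEDS_CA_AND_SERVER_CERT = {"ipsec_hybrid_rsa", "ipsec_ike2_rsa"}


def lint_profile(profile, android_version):
    """Check one VPN profile; returns a list of problem strings (empty = OK)."""
    name = profile["profile_name"]
    problems = []
    proxy = profile.get("proxy") or {}
    if proxy.get("enabled") and proxy.get("username") and not proxy.get("password"):
        problems.append(f"{name}: proxy username set without a password")
    if profile.get("vendor") != "knox_builtin":
        return problems  # third-party client fields are vendor-specific; not checked here
    auth = profile.get("auth_type")
    if auth in DROPPED_ON_ANDROID_12 and android_version >= 12:
        problems.append(f"{name}: {auth} is not supported on Android 12 and higher")
    if auth == "ipsec_ike2_eap_tls" and android_version < 14:
        problems.append(f"{name}: ipsec_ike2_eap_tls needs Android 14 or higher")
    if auth == "ipsec_ike2_psk" and not (profile.get("identifier") and profile.get("pre_shared_key")):
        problems.append(f"{name}: ipsec_ike2_psk needs an identifier and a pre-shared key")
    if auth in NEEDS_CA_AND_SERVER_CERT and not (
        profile.get("ca_cert_alias") and profile.get("server_cert_alias")
    ):
        problems.append(f"{name}: {auth} needs a CA certificate alias and a server certificate alias")
    return problems


def lint_policy(policy, profiles, uem_agent_package=None):
    """Check the VPN policy against the defined profiles and the bypass recommendations."""
    problems = []
    names = [p["profile_name"] for p in profiles]
    if len(set(names)) != len(names):
        problems.append("profile names must be unique")
    if not policy.get("enable_vpn_controls"):
        problems.append("policy: Enable VPN controls is False, so no VPN policy is applied")
    primary = policy.get("profile_name")
    if primary not in names:
        problems.append(f"policy: profile '{primary}' does not match any VPN profile")
    if policy.get("enable_chaining"):
        secondary = policy.get("secondary_profile_name")
        if secondary not in names:
            problems.append(f"policy: secondary profile '{secondary}' does not match any VPN profile")
        elif secondary == primary:
            problems.append("policy: the outer (secondary) profile must differ from the primary one")
    if policy.get("vpn_type") == "per_app" and not (
        policy.get("apps_main_user") or policy.get("apps_work_profile")
    ):
        # An empty per-app list means every app is routed through the VPN by default.
        problems.append("policy: per-app VPN with no apps listed routes all apps through the VPN")
    bypass = set(policy.get("bypass_main_user", [])) | set(policy.get("bypass_work_profile", []))
    for pkg in sorted(RECOMMENDED_BYPASS - bypass):
        problems.append(f"policy: {pkg} should be in the bypass list")
    if uem_agent_package and uem_agent_package not in bypass:
        problems.append(f"policy: UEM agent {uem_agent_package} should be in the bypass list")
    return problems


def lint_vpn_config(profiles, policy, android_version, uem_agent_package=None):
    """Run both checks and return every problem found."""
    problems = []
    for p in profiles:
        problems += lint_profile(p, android_version)
    return problems + lint_policy(policy, profiles, uem_agent_package)


# Constructed sample: a profile/policy pair with the mistakes the page warns about.
BAD_PROFILES = [{
    "profile_name": "corp-ike2", "vendor": "knox_builtin", "host": "vpn.example.com",
    "auth_type": "ipsec_ike2_rsa", "user_cert_alias": "user-cert",
    "ca_cert_alias": "corp-ca",  # server_cert_alias is missing
}]
BAD_POLICY = {
    "enable_vpn_controls": True, "vpn_type": "device_wide",
    "profile_name": "corp-ike2-typo",  # does not match the profile above
    "enable_chaining": True, "secondary_profile_name": "corp-ike2",
    "bypass_main_user": [],  # nothing may bypass: KSP and the UEM agent are trapped too
}
# The same pair with the problems corrected (com.example.uemagent is a placeholder).
GOOD_PROFILES = [
    {**BAD_PROFILES[0], "server_cert_alias": "vpn-server"},
    {"profile_name": "outer-psk", "vendor": "knox_builtin", "host": "203.0.113.10",
     "auth_type": "ipsec_ike2_psk", "identifier": "device@example.com",
     "pre_shared_key": "constructed-sample-psk"},
]
GOOD_POLICY = {
    **BAD_POLICY, "profile_name": "corp-ike2", "secondary_profile_name": "outer-psk",
    "bypass_main_user": sorted(RECOMMENDED_BYPASS) + ["com.example.uemagent"],
}

if __name__ == "__main__":
    for msg in lint_vpn_config(BAD_PROFILES, BAD_POLICY, 14, "com.example.uemagent"):
        print("!", msg)
    print("fixed:", lint_vpn_config(GOOD_PROFILES, GOOD_POLICY, 14, "com.example.uemagent"))
```

Running the sample reports six problems for the first pair (a missing server certificate alias, a policy pointing at a profile name that does not exist, and four packages missing from the bypass list) and none for the corrected pair. The bypass check is the one worth keeping even if the rest is adapted: a policy that passes every other test but traps the UEM agent and KSP inside a tunnel that never comes up leaves no way to push the fix.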