
VPN policies

Last updated July 26th, 2023

Configuring and applying VPN policies with KSP is a two-step process:

  1. Set up the VPN configuration profile — Choose the VPN settings and policies to suit your organization. These settings are saved as a profile you can reuse in later configurations, such as setting up a DO or PO profile.

  2. Create the VPN policy — The VPN Policy uses settings from the VPN configuration profile created in the previous step. This VPN policy allows you to specify other rules, such as which apps should use this VPN.

To use VPN features on Samsung One UI Core devices, you must add the KSP package name com.samsung.android.knox.kpu to the certificate allow list using the Allow applications to read private keys without alerting user feature in the Certificate Management Policies section.

VPN policies require a free Knox Platform for Enterprise Premium license.

The following example shows you how to configure a per app VPN on a Device Owner (DO) device.

Configure VPN profile

  1. Under VPN profiles, VPN Profile, enter a profile name. For example, VPN_Knox.

  2. Under VPN profiles, Vendor, choose the type of VPN you want to use. For this example, we select Knox built-in, which uses the Android VPN Management for Knox VPN.

  3. Under Host, list your server host IP, for example, 52.3.256.0.

  4. Leave all other values as default.

  5. In your UEM, save the profile.

Configure VPN Vendor parameters

Now that you have created a VPN profile, you can set up the parameters such as the identifier and pre-shared key. Following the previous example, continue to configure Android VPN Management for Knox VPN.

  1. Under Parameters for Knox built-in VPN, Authentication type select ipsec_ike2_rsa.

  2. Under User certificate alias, enter your certificate name. For example: md_user.pfx.

  3. Under CA certificate alias, enter your certificate name. For example: vpn_cal.pfx.

  4. Leave all other values as default.

  5. In your UEM, save the profile.

If you are using a different VPN, such as Pulse Secure or Cisco AnyConnect, these values may differ. The mandatory parameters you need to set depend on your network configuration. Contact your Network Administrator to find out which fields to use and with what values.

Enable VPN policy

Now that you have created and configured a profile, configure a policy and push it to a target device.

  1. In your supported UEM, under the Device-wide policies (Device Owner) category, turn on Enable device policy controls.

  2. Under VPN policy, turn on Enable VPN controls.

  3. Under VPN type, choose Selected Apps (Per-App).

    Currently, KSP does not support the per-app VPN mode for Net Motion VPN.

  4. Under Manage list of apps that use VPN, add the package names of the apps you want to route through the VPN. For example, com.samsung.email.provider. If you do not enter any app packages, the VPN applies to all apps by default.

  5. Enter the Name of VPN profile to use. For this example, we use our Android VPN Management for Knox profile, VPN_Knox.

  6. Leave all the other VPN values as set by default.

  7. In your UEM, save the profile and push it to a device.

Within the VPN policy, optionally enable USB tethering over VPN so an allow listed USB device can access and share resources with a peer device. Admins can ensure there is security-based certification available so only a designated organization, or user, can use VPN tethering with allowed devices. However, VPN tethering will only work when the following conditions are met:

  • An IT admin must allow this feature from their UEM console for a target device to receive the tethering feature.

  • A user must enable VPN tethering on their device.

  • The laptop or tablet being connected must have been previously allow listed by the IT admin.

  • The maximum number of VPN connections does not exceed 2.

USB tethering over VPN is only supported on Knox 3.5 and above devices.

A wrong VPN configuration can disconnect your device or work profile from the network, and in some cases render it unrecoverable. To avoid this issue, Samsung recommends keeping the following applications out of the VPN configuration:

  • UEM Agent package — Check with your UEM for details.
  • KSP package: com.samsung.android.knox.kpu
  • Google services: com.android.vending, com.google.android.gms

Use the Manage list of apps that can bypass VPN setting to list these packages.
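
The lockout condition described above can be checked before a policy is pushed. The following Python check is an added example, not Samsung or KSP code; the policy dictionary, its key names, and the package com.example.uem.agent are hypothetical stand-ins for however your UEM exports these settings.

```python
import ipaddress

# Packages the page says to keep out of the VPN. The UEM agent package
# differs per UEM, so the caller passes it in.
KEEP_OUT = {
    "com.samsung.android.knox.kpu",  # KSP
    "com.android.vending",           # Google services
    "com.google.android.gms",
}

def lint_vpn_policy(policy, uem_agent_package):
    """Return (target, reason) findings for a policy given as a hypothetical
    dict (not a KSP schema) with keys: host, vpn_apps (apps that use VPN),
    bypass_apps (apps that can bypass VPN)."""
    findings = []
    vpn_apps = set(policy.get("vpn_apps", []))
    bypass_apps = set(policy.get("bypass_apps", []))
    try:
        # The profile step on this page asks for a server host IP.
        ipaddress.ip_address(policy.get("host", ""))
    except ValueError:
        findings.append(("host", "not a valid IP address"))
    for pkg in sorted(KEEP_OUT | {uem_agent_package}):
        if pkg in vpn_apps:
            findings.append((pkg, "listed under apps that use VPN"))
        elif not vpn_apps and pkg not in bypass_apps:
            # An empty app list means the VPN applies to all apps.
            findings.append((pkg, "VPN covers all apps and package cannot bypass it"))
    return findings

# Constructed sample policies; addresses and the UEM agent name are placeholders.
RISKY = {"host": "203.0.113.300", "vpn_apps": [],
         "bypass_apps": ["com.samsung.android.knox.kpu"]}
SAFE = {"host": "203.0.113.10", "vpn_apps": ["com.samsung.email.provider"],
        "bypass_apps": ["com.samsung.android.knox.kpu", "com.android.vending",
                        "com.google.android.gms", "com.example.uem.agent"]}

if __name__ == "__main__":
    for name, pol in (("RISKY", RISKY), ("SAFE", SAFE)):
        for target, reason in lint_vpn_policy(pol, "com.example.uem.agent"):
            print(f"{name}: {target}: {reason}")
```

An empty result means none of the packages named above are routed through the VPN; any finding should be resolved before the profile is saved and pushed.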
