Zero Trust Network Access
Last updated April 21st, 2025
Zero Trust Network Access (ZTNA) is a security framework that operates on the principle of “never trust, always verify”. Unlike traditional security models that grant broad network access, ZTNA continuously validates network requests and grants granular access to enterprise resources depending on the requesting user, endpoint, and app.
In collaboration with Samsung’s partners, the Knox platform provides native capabilities for ZTNA solutions. These features are currently available to Cisco Secure Access customers. For more information about ZTNA, please see Cisco Zero Trust Access.
Samsung Knox’s ZTNA framework is supported on both managed and unmanaged devices.
Device Type | Deployment modes | Scope | ZTNA Scope | Android version | Activated by |
---|---|---|---|---|---|
Corporate owned device | Fully managed (DO) | Device-wide | Yes | 14 | IT Admin |
Corporate owned device | Work Profile - Corporate (WP-C) | Work profile | Yes | 14 | IT Admin |
Corporate owned device | Work Profile - Corporate (WP-C) | Personal profile | N/A | N/A | N/A |
Personal device (BYOD) | Work Profile - Personal (WP-P) | Work profile | Yes | 14 | IT Admin |
Personal device (BYOD) | Work Profile - Personal (WP-P) | Personal profile | Yes | 15 | Device user |
Personal device (BYOD) | Unmanaged/MAM | Device-wide | Yes | 15 | Device user |
ZTNA on managed devices
Managed devices are managed by a UEM and deployed as a fully-managed device or with a work profile. ZTNA on managed devices is only available on devices running Android 14 and higher, and requires a free Knox Platform for Enterprise Premium license.
Enable ZTNA
Enabling ZTNA on managed devices is similar to configuring other package-based solutions in Knox Service Plugin.
- On your EMM console, add the following apps:
  - Knox Service Plugin (if you haven’t already added it).
  - Cisco Zero Trust Access
- Assign the Knox Service Plugin app to your target devices. Edit its managed configuration to enable device-wide policy controls or work profile policy controls, depending on how your devices are deployed.

  Base setting in managed configuration | Value |
  ---|---|
  Debug Mode | True |
  Device-wide policies > Enable device policy controls | To configure for fully-managed or WP-C devices, set to True. |
  Work profile policies > Enable work profile policies | To configure for personal devices with a work profile, set to True. |

- Go to the ZTNA policy section and configure the following:

  ZTNA setting in managed configuration | Value |
  ---|---|
  ZTNA policy > Enable ZTNA controls | True |
  ZTNA policy > Package Name | com.cisco.secureclient.zta |
  ZTNA policy > Package Signature | (Optional) For increased security, you can enter the certificate fingerprint of the ZTNA client’s signature in MD5, SHA-1, or SHA-256 format. For more details about app signing and how to obtain the fingerprint, see Use Play App Signing > Set up and manage Play App Signing in Play Console Help. |

- Assign the ZTNA client to your target devices.
- Push the apps to your devices with your UEM.
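For the optional Package Signature value in the ZTNA policy step above, the following added example (not Samsung's or Cisco's code) checks that a fingerprint you are about to enter really is the digest of the signing certificate you exported, accepting PEM or DER input. All function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate. The page does not say whether the field expects colons, so the helper accepts both forms on input.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> hashlib name, for the three formats the page lists.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def normalize(value):
    """Strip colons/whitespace, lowercase, and reject non-digest input."""
    hexstr = re.sub(r"[:\s]", "", value).lower()
    if len(hexstr) not in ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("not an MD5, SHA-1 or SHA-256 fingerprint")
    return hexstr

def fingerprint(der, algo="sha256"):
    """A certificate fingerprint is the digest of its DER encoding."""
    return hashlib.new(algo, der).hexdigest()

def with_colons(hexstr):
    """Render plain hex as the colon-separated uppercase form."""
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2)).upper()

def matches(der, expected):
    """True if `expected` (in any of the three formats) is this cert's digest."""
    want = normalize(expected)
    got = fingerprint(der, ALGO_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)

# Constructed stand-in bytes, NOT a real certificate; use your exported one.
SAMPLE_DER = b"constructed-stand-in-for-DER-certificate-bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(with_colons(fingerprint(pem_to_der(SAMPLE_PEM))))
```

Of the three accepted formats, SHA-256 is the one to prefer, since MD5 and SHA-1 both have practical collision attacks.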
Disable ZTNA
- On your EMM console, edit the existing app assignment for the Knox Service Plugin app.
- In the managed configuration of the assignment, locate the scope of the ZTNA policy you previously configured, and set Enable ZTNA controls to False.
- Save the assignment and push it to your devices.
ZTNA on unmanaged devices
Unmanaged devices are personal devices or devices with a personal profile that aren’t managed by a UEM. ZTNA on unmanaged devices is only available for devices running Android 15 and higher, and doesn’t require a Knox Platform for Enterprise license.
To enable ZTNA on unmanaged devices, provide instructions to your device users to download and install the ZTNA client. You can get the ZTNA client from the Google Play store.
To disable ZTNA, you must provide instructions to your device users to uninstall or unenroll the ZTNA client from their devices.
For details, see Cisco’s topic How to set up Zero Trust Access App on Samsung devices.