Zero Trust Network Access

Last updated March 7th, 2024

Zero Trust Network Access (ZTNA) is a security model in which endpoints and users are granted access to individual network apps and services according to current policies and roles, rather than being granted access to the entire network at once.

In collaboration with Samsung’s partners, the Knox platform provides native capabilities for ZTNA solutions. These features are currently available to customers of Cisco Secure Access. For more information, see Cisco Secure Access Extends SSE Innovation with Mobile Zero Trust and Flexible Resource Connectors on the Cisco blog.

Note

As of Knox Service Plugin 24.03, end-to-end ZTNA integration is still under development. These policies won't take effect until that work is complete, but you can safely configure and deploy them in the meantime.

Requirements

ZTNA is only available on devices running Android 14 or higher, and requires a Knox Platform for Enterprise Premium license. You can manage ZTNA at the primary profile level (DO) and in the work profile (PO).

Manage ZTNA

Enabling ZTNA is similar to configuring other package-based solutions in Knox Service Plugin. However, disabling ZTNA isn't simply the reverse of enabling it, so follow each of the procedures below carefully to complete either task.

To enable ZTNA for all management modes:

  1. On your EMM console, add the following apps:

    • Knox Service Plugin (if you haven’t already added it)

    • Cisco Secure Access

  2. Begin assigning the Knox Service Plugin app to your target devices. Give it a managed configuration with the following settings:

    Base setting in managed configuration                 Value
    ----------------------------------------------------  ---------------------------------------------------------
    Debug Mode                                            True
    Device-wide policies > Enable device policy controls  To configure for the primary profile (DO), set to True.
    Work profile policies > Enable work profile policies  To configure for the work profile (PO), set to True.

    Depending on whether you enabled Device-wide policies or Work profile policies, go to that section’s ZTNA policy and give it these settings, too:

    ZTNA setting in managed configuration       Value
    ------------------------------------------  -----------------------------------------------------------------
    ZTNA policy > Enable ZTNA controls          True
    ZTNA policy > Package Name                  com.cisco.secureclient.zta
    ZTNA policy > Package Signature (Optional)  For increased security, you can enter the certificate fingerprint of the ZTNA client's signature in MD5, SHA-1, or SHA-256 format. For more details about app signing and how to obtain the fingerprint, see Use Play App Signing § Set up and manage Play App Signing in Play Console Help.

  3. Assign the ZTNA client to your target devices.

  4. Push the apps to the devices.
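The optional Package Signature pin in step 2 is what lets the policy distinguish the genuine client from any other package that merely reuses the name com.cisco.secureclient.zta. The following is an added example, not Samsung's or Cisco's code: it computes fingerprints in the three accepted formats (the colon-separated layout keytool and apksigner print) and evaluates a configuration against an installed package. The dictionary keys and the certificate bytes are constructed placeholders, not real Knox Service Plugin keys or a real certificate.

```python
import hashlib
import hmac

# Constructed placeholder standing in for the ZTNA client's DER-encoded
# signing certificate; not a real certificate.
SAMPLE_CERT_DER = b"constructed-placeholder-cert-bytes"

# Hex-digit length of a fingerprint in each format the policy accepts.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Return the certificate fingerprint as colon-separated uppercase hex."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so a fingerprint pasted in any style compares reliably."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def signature_matches(cert_der: bytes, configured_fp: str) -> bool:
    """True if the installed package's certificate matches the configured
    fingerprint; the hash algorithm is inferred from the fingerprint length."""
    wanted = normalize(configured_fp)
    algo = _ALGO_BY_LEN.get(len(wanted))
    if algo is None:
        raise ValueError("fingerprint must be MD5, SHA-1 or SHA-256 hex")
    actual = normalize(fingerprint(cert_der, algo))
    return hmac.compare_digest(actual, wanted)


def evaluate_ztna_policy(policy: dict, installed: dict) -> tuple:
    """Model the checks implied by the ZTNA policy table: the package name is
    required, the signature pin is optional but decisive when present.
    The policy keys are hypothetical names mirroring the configuration labels."""
    if not policy.get("enable_ztna_controls", False):
        return False, "ZTNA controls disabled"
    if installed["package_name"] != policy["package_name"]:
        return False, "package name mismatch"
    pin = policy.get("package_signature")
    if pin and not signature_matches(installed["cert_der"], pin):
        return False, "signing certificate does not match pinned fingerprint"
    return True, "ZTNA client accepted"
```

With no pin configured, a package that only matches the name is accepted, which is why the table calls the pin "increased security".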

To disable ZTNA:

  1. On your EMM console, begin editing the existing app assignment for the Knox Service Plugin app.
  2. In the managed configuration of the assignment, locate the scope of the ZTNA policy you previously set (either as part of the Device-wide policies or Work profile policies), and set Enable ZTNA controls to False. You can leave the other ZTNA settings as-is.
  3. Save the assignment and push it to your devices.
