Last updated July 26th, 2023
You must meet the following requirements to use the Knox Service Plugin (KSP) with your managed devices.
What you need
Samsung devices that support Knox and run Android 9 or higher.
A Unified Endpoint Management (UEM) solution that supports Android Enterprise deployments and is compatible with KSP.
You must set up your devices in one of the supported Android Enterprise deployments, as described in the following section.
The first step to deploy a KSP policy is to create a DO or PO profile on your device. Without choosing one or the other, policies do not work and an error message is thrown.
In an enterprise deployment, Google provides three modes of Android Enterprise, fully managed (DO), work profile (PO), and fully managed with a work profile.
Work Profile — Helps admins manage the BYOD (Bring Your Own Device) use case, where a device user owns the device and uses it both personally and for work. The agent sits inside the container area as Profile Owner (PO) to separate work apps from personal apps. IT admins can control the work area only, and have no visibility over or access to the personal area.
Managed Device — Also known as Company Owned, Business Only (COBO); helps admins manage devices that are owned by the enterprise. When a device is enrolled as a Managed Device, IT admins have full control over the device. The agent sits as Device Owner (DO) of the device.
Work Profile on Company Owned Devices — Also known as Corporate Owned, Managed Profile (COMP) on Android 10, and WP-C (starting Android 11+) are company-owned devices that are personally enabled, with a container that is managed by PO. This deployment type targets enterprise-owned devices that require a separation of work and personal data. Employees can use these devices for either work or personal purposes. For more information, refer to Work profile enhancements for company-owned devices.
KSP works with the following Android Enterprise deployment modes:
Android 9.0, 10.0 — Fully managed device — Device Owner (DO), Work Profile — Profile Owner (PO), fully managed device with a Work Profile, and Android dedicated devices (COSU) (Corporate-Owned Single Use) mode.
Android 11 and higher — Fully managed device — Device Owner (DO), Work Profile on personally owned devices (PO), Work Profile on company-owned devices (WP-C), and Android dedicated devices (COSU).
Refer to your respective EMM configuration guide for information on provisioning dedicated devices (COSU).
Your deployment must use policy configurations that Knox Service Plugin supports. Knox Service Plugin inherits its policies from the Knox Platform for Enterprise framework. These policies can be either standard or premium features. Premium features require a free Knox Platform for Enterprise Premium license.
You need a UEM that supports Android Enterprise based deployments, device management APIs, and complies with the OEMConfig specification. Check with your UEM vendor to confirm which version of the UEM console you need to use with Knox Service Plugin. Some UEMs offer more than one console, and some consoles may not support Knox Service Plugin.
For information about configuring UEMs, see Set up with a UEM.
All UEM partners continue to support KPE through their console. Customers need to use KSP only if their UEM solution provider does not support a Knox feature they plan to use. For more information, see Which policy should I use if duplicate policies exist?.
Is this page helpful?
Thank you for your feedback!