How Knox Service Plugin works
Last updated June 1st, 2026
This document is intended for:
-
System architects — Understand how Knox Service Plugin works, and how you can use it to customize your deployment of Knox Platform for Enterprise (KPE).
-
IT admins — Configure the options available to Knox Platform for Enterprise deployments using Knox Service Plugin.
Knox Service Plugin allows you to configure and control device behavior from your UEM console, and is built on top of Android’s OEMConfig standard. You can remotely create and push Knox Service Plugin managed configurations that define device control policies and settings. These configurations are pushed to your devices over Managed Google Play, which means any UEM that complies with the OEMConfig standard can support Knox Service Plugin.
Here is an overview of how you can configure device behavior with Knox Service Plugin.
-
On your UEM console, add the Knox Service Plugin app from Managed Google Play. UEMs that support OEMConfig should allow you to modify the Knox Service Plugin managed configuration.
-
Configure Knox Service Plugin policies to control device behavior and save your settings. The UEM pushes the configuration to Managed Google Play.
-
When your devices are enrolled to your UEM, it installs and runs Knox Service Plugin, which applies your device control policies.
-
You can modify the Knox Service Plugin configuration and push it through your UEM. The updated policies are sent to your devices and are applied accordingly.
-
Samsung publishes updates to the Knox Service Plugin app on Managed Google Play. Your UEM will automatically retrieve the latest Knox Service Plugin app from Managed Google Play and push it to your devices. You can use your UEM’s policies to control Knox Service Plugin app version as needed.
Here is an example of a Knox Service Plugin policy in a UEM console.

The implementation, appearance, and menu structure of these policies vary depending upon your UEM vendor. For specific instructions on how to add an app and configure its managed configuration, refer to your UEM vendor’s documentation.

Is this page helpful?