Back to top

How Knox Service Plugin works

Last updated July 26th, 2023

This document is intended for:

  • System architects — Understand how Knox Service Plugin works, and how you can use it to customize your deployment of Knox Platform for Enterprise (KPE).

  • IT admins — Configure the options available to Knox Platform for Enterprise deployments using Knox Service Plugin.

How Knox Service Plugin works

Knox Service Plugin is built on top of Android’s standard called OEMConfig. OEMConfig is a feature that lets you create and remotely push configurations to apps through an XML schema file that is hosted in an app on Google Play. This architecture means that any UEM that complies with the OEMConfig standard can support Knox Service Plugin.

Here is an overview of how Knox Service Plugin works.

  1. App developers implement logic to support managed configurations in their apps. They use an XML schema file to define which app settings IT admins can remotely configure in their Android app. This schema is linked to the app’s manifest file. After each update, app developers push their app to Managed Google Play.

  2. UEM developers pull the managed configuration schemas from apps on Managed Google Play. UEM consoles then use these XML schemas to allow IT admins to specify how they want to configure app settings. After the IT admin saves their configuration, the UEM pushes the configuration to Managed Google Play.

  3. Once an app configuration is updated and pushed to Managed Google Play, the app is updated on all applicable devices to reflect the new configuration.

Image depicting how KSP works

The following image is an example of a Knox Service Plugin policy in a UEM console.

Image showing a sample KSP policy

The implementation, appearance, and menu structure of how these policies look varies depending upon your UEM and its console. For UEM-specific help, refer to your UEM vendor’s documentation.

Deployment process

The Knox Service Plugin deployment process is as follows:

  1. Samsung publishes the latest Knox Service Plugin app to Google Play.

  2. IT admins use their compatible UEM console — that supports a managed Google Play store — to search for Knox Service Plugin. For a list of UEM partners that support Knox Service Plugin, see Supported UEMs.

  3. The UEM Console renders the applicable Knox features and policies using OEMConfig.

  4. IT admins use the UEM console to set up policies in the form of managed configurations. These policies are then saved and published to any managed enterprise devices.

  5. When a user’s device is being provisioned, the UEM invokes the managed Google Play Store, which in turn installs Knox Service Plugin and pushes the managed configuration to the device.

  6. After installation is complete, Knox Service Plugin runs in the background on the device. Knox Service Plugin applies the relevant Knox policies and returns the result of the configuration process using Google’s Feedback SDK.

  7. IT admins can view any configuration failures and associated error messages on the UEM Console, provided the UEM is equipped to handle the result that KSP generates and sends back using the feedback SDK.

Image depicting the deployment process for KSP

Is this page helpful?