Knox Service Plugin 24.03 release notes

Last updated March 7th, 2024

App version: 1.4.59
Release date: March 7th, 2024

New

Data processing policy for Galaxy AI features

One UI 6.1 introduced several exciting features to the Galaxy S24 series, collectively named Galaxy AI, that increase productivity and ease of use with machine learning technology. Galaxy S24 users can choose whether to process data in the cloud for best results, or to constrain all data and processing to the device itself.

The Samsung Knox team is committed to helping enterprises with PII and data governance policies that don’t permit user data to be processed in the cloud. If you require all user data to be processed on-device, Knox Service Plugin 1.4.59 provides you with the new Allow process data only on device policy.

For help with managing Galaxy AI through this policy, and information on how Galaxy AI operates in different device management modes, see Data processing for Galaxy AI.

Support for Zero Trust Network Access

As part of Samsung’s enhanced security initiatives, Knox Service Plugin now lets you manage Zero Trust Network Access (ZTNA) on devices through a new ZTNA policy. The initial release of this feature is compatible with Cisco Secure Access (com.cisco.secureclient.zta).

For details about the policy, see Zero Trust Network Access in the Knox Service Plugin guide.

Certificates for apps that handle Universal Credential Management

In enterprise device management, apps that handle sensitive information, such as user credentials, should be subject to verification. Otherwise, an app that’s compromised or tampered with by an attacker could pass itself off as legitimate, and steal all the credentials that the OS passes to it. Since all public Android apps are signed with a private key during publication, a simple preventative measure is to vet them against their matching public certificates.

When setting up Universal Credential Management (UCM) with Knox Service Plugin, you can now upload the certificate fingerprint of apps that need access to credentials on the device. The plugin then matches this fingerprint against the apps’ signing certificates to ensure their validity.

For information on adding a certificate fingerprint, see Create a UCM configuration.
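The fingerprint check described above can be sketched as follows. This is an added example, not Knox Service Plugin code: it assumes the fingerprint is a SHA-256 digest of the DER-encoded signing certificate, and the package name and certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac

def normalize_fingerprint(text):
    """Accept 'AB:CD:...', spaced, or plain hex; return 64 lowercase hex chars."""
    cleaned = "".join(text.split()).replace(":", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return cleaned

def cert_fingerprint(cert_der):
    """SHA-256 over the DER bytes of a signing certificate (assumed format)."""
    return hashlib.sha256(cert_der).hexdigest()

def check_app(package, signer_certs, pins):
    """Fail closed: every signer of the app must match a pinned fingerprint."""
    if package not in pins:
        return (False, "package has no pinned fingerprint")
    if not signer_certs:
        return (False, "app presents no signing certificate")
    allowed = [normalize_fingerprint(p) for p in pins[package]]
    for der in signer_certs:
        actual = cert_fingerprint(der)
        if not any(hmac.compare_digest(actual, a) for a in allowed):
            return (False, "signer " + actual[:16] + " is not pinned")
    return (True, "all signers pinned")

def colon_form(hex_digest):
    """Render a digest the way certificate tools usually print it."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, 64, 2)).upper()

# Constructed sample data: byte strings standing in for real DER certificates.
VENDOR_CERT = b"constructed stand-in: vendor signing certificate (DER)"
OTHER_CERT = b"constructed stand-in: certificate of a re-signed copy (DER)"
PACKAGE = "com.example.credentialapp"  # hypothetical package name
PINS = {PACKAGE: [colon_form(cert_fingerprint(VENDOR_CERT))]}

if __name__ == "__main__":
    # Same package name in both cases; only the signing certificate differs.
    for label, certs in [("vendor build", [VENDOR_CERT]),
                         ("re-signed copy", [OTHER_CERT])]:
        print(label, check_app(PACKAGE, certs, PINS))
```

The package name alone does not distinguish the two builds; only the signing certificate does, which is why the pin is compared against the certificate and the check refuses anything it cannot match.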

EAP-TLS authentication protocol for Strong Swan

If you deploy client certificates to endpoints as part of your security strategy, you can now choose EAP-TLS as the authentication protocol for Strong Swan in your Knox Service Plugin profile. To use it, in the Parameters for Knox built-in VPN (Strong Swan) policy, set Authentication type to ipsec_eap_tls.

Updates

Renamed Set System Language & Country policy

To more accurately represent the geographic and regional boundaries of customers around the world, the Set System Language & Country policy is renamed to Set System Language & Location, and its description and sub-policies also change the word country to location.

Deprecations

Deprecation of dual SIM policy

Starting with Android 13, the Android Open Source Project (AOSP) began adding a capability called Multiple Enabled Profiles, which allows devices to support two simultaneous SIMs on one eSIM chip. As implemented, SIMs now have unique identifiers, and device management apps like Knox Service Plugin can no longer distinguish between a primary and secondary SIM.

To ensure that your devices remain reliably connected to mobile services, Knox Service Plugin can no longer disable the second SIM on devices running Samsung One UI 6.1 and higher, and the Allow dual SIM operation policy is now deprecated. If a device is running One UI 6.0 or lower, the policy can still be applied. After a device updates to One UI 6.1, any SIM that was previously disabled by the policy will reactivate.
