Knox Service Plugin 25.09 release notes

New

Disable Wi-Fi sharing

You can now disable Wi-Fi sharing for devices acting as a mobile hotspot. This feature prevents the device’s current Wi-Fi network from being shared to tethering devices, and prevents the device user from manually enabling Wi-Fi sharing.

You can configure this policy in Device-wide policies > Device Controls > Wi-Fi Policy > Allow Wi-Fi sharing via mobile hotspot.

Only supported on devices running Knox 3.12 and higher.

For details, see Wi-Fi policies.

Control Private DNS settings

You can now prevent device users from modifying the Private DNS setting by greying it out or hiding it from the device settings menu. Configuring a specific value for this setting is not supported at this time.

For details, see Deep Settings Customization.

Updates

Apply VPN policies to only the fully managed profile

You can now apply VPN policies to the fully managed profile on the device and Separated Apps space individually. You can configure this by setting Device-wide policies > VPN policy (Premium) > VPN type to Main User Wide. You can also set a list of apps in the fully managed profile that bypass the VPN, while also setting a list of apps in Separated Apps that use the VPN.

For details, see VPN policies.

Update to minimum Wi-Fi security requirement policy

The minimum Wi-Fi security requirement policies now are grouped by Wi-Fi security level on devices running Knox 3.9 and higher, classified into Personal and Enterprise levels. Selecting an Enterprise security level for this policy allows network connections using Enterprise level protocols and above, while blocking network connections below that security level. For example, selecting PEAP (Enterprise, introduced in Knox 3.9) as the minimum security requirement blocks open networks and networks using Personal security level protocols (WEP, WPA), while allowing network connections that use Enterprise level protocols such as PEAP, PWD, and TLS.

On devices below Knox 3.9, this policy continues to block networks based on the specific protocol selected, so selecting PEAP would block open networks, and networks using WEP, WPA, or PWD.

You can configure this policy in Device-wide policies > Device Controls > Wi-Fi Policy > Allow Minimum Wi-Fi Security Requirement.

For details, see Wi-Fi policies and the related KBA.

Improvement to Wi-Fi band configuration

For specific Wi-Fi networks, you can now select a combination of Wi-Fi bands that your devices can connect to.

To use this feature, first enable Device-wide policies > Device Controls > Advanced Wi-Fi Policy (Premium) > Enable Advanced Wi-Fi Policy Controls. Then, add a new configuration under Advanced Wi-Fi Configurations (Premium) with a Wi-Fi Network Name and specify a Wi-Fi Roam Band.

Only supported on Galaxy S24 FE, Galaxy S25 FE, and Xcover7 pro devices running Knox 3.11 and higher.

For details, see Advanced Wi-Fi policy.

Send app intent when side key is pressed and held

You can now configure the side key to send an app intent only when it is pressed and held. Previously, side key intents were sent the moment the side key is pressed. This update also applies to the XCover key and Top key on rugged devices.

This behavior only applies to devices running Android 14 and higher. Devices below Android 14 continue to send intents the moment the side key is pressed.

For details, see Device key mapping.

Improved tooltip for policy to grant apps access to Knox features

The tooltip for Add applications for accessing the Knox SDK has been improved to indicate that the app signature is optional, and now also includes the signature format.

For details, see Allow apps to access Knox SDK.

Configure specific cipher algorithms for Knox built-in VPN

You can now set your Knox built-in VPN to only use specified ciphers for IKE and IPsec, to ensure that old or deprecated ciphers aren’t used to secure your network.

Configure this in VPN profiles (Premium) > Parameters for Knox build-in VPN (for Strong Swan).

For details, see Create a VPN profile configuration.

Improvement to firewall configurations

Instead of having to create a new firewall rule for each app, you can now specify a list of apps for each of your Allow rules, Deny rules, and Redirect rules.

You can configure this under the Firewall configuration profile.

For details, see Firewall configurations.

Add a device account allowlist

You can now add an allowlist of accounts that can be added to your devices. Accounts outside of this allowlist can’t be added to the device.

For details, see Device Account Policy.

Disable the Interpreter Galaxy AI feature in a work profile

You can now disable the Interpreter Galaxy AI feature for personal devices deployed with a work profile.

This policy is under Work profile policies (Profile Owner) > Advanced restrictions in work profile (Premium) > Block individual galaxy AI operations.

For details, see Advanced Restriction policies.

Deprecations

Reduced support for certificate revocation checks

The Enable for all apps option for Certificate management policies > Certificate revocation > Enable revocation check is no longer supported on Knox 3.12 and higher.

For details, see Certificate management policies.

DeX policy deprecations

With Knox 3.12, the following Knox Service Plugin DeX policies aren’t supported anymore:

• Set loading logo
• Enforce the use of virtual MAC address
• App allowlist to auto-launch on DeX connection
• Set Home alignment
• Enforce the use of Ethernet connection
• Enable mouse cursor flow
• Skip DeX welcome screen
• Skip overscan detection screen
• Disable buttons on the DeX panel
• Control file copy from PC to DeX
• Control file copy from DeX to PC