Prepare Knox for Android 11
Samsung Knox supports the new work profile on company-owned device introduced in Android 11.
Knox policies fall into two categories based on privacy guidelines:
- Policies that don't infringe on personal privacy and are available to the profile owner of the new work profile on company-owned device. For a complete list of these, see Knox policies in personal profile.
- Policies that may infringe on privacy and are not available to the profile owner of the new work profile on company-owned device.
During the Android 11 upgrade from the deprecated fully managed device with a work profile to the new work profile on company-owned device:
- Device owner is disabled.
- Knox policies available in the new work profile on company-owned device and called by UEMs are silently migrated to the profile owner. The profile owner retains existing Knox permissions granted through the Knox license, even though the device owner (from User 0) is disabled.
- Knox policies not available in the new work profile on company-owned device will be unset.
If you are currently using the fully managed device with a work profile that's been deprecated in Android 11, review the Knox policies you are setting and ensure they are still supported in the personal profile on the new work profile on company-owned device.
Knox Audit Log
If a device owner has enabled the Knox Audit Log functionality in a fully managed device with a work profile deployment, log entries from the personal profile stored to the audit log buffer will remain as is after the Android 11 upgrade to the new work profile on company-owned device.
To protect the device user's privacy in the new work profile on company-owned device, some audit log messages generated in user 0 that impact end user privacy will either not be visible or be redacted.
Knox Deployment App (KDA)
The KDA's NFC enrollment option will no longer be available. It was built on Android Beam, which Google has deprecated.
Knox DualDAR
Existing DualDAR deployments on a fully managed device with a work profile will be automatically migrated to the new work profile on company-owned device.
For new DualDAR deployments, the use case where the second-layer encryption is provided by a third-party ISV is impacted. Going forward, Samsung will install the second-layer app instead of the UEM provider. For details, see DualDAR with work profile on company-owned devices.
Knox E-FOTA
Samsung will install the E-FOTA client in the personal profile once enabled by the IT admin using the Knox Deployment Program or Knox Service Plugin.
This addresses the limitation that UEMs cannot directly push the E-FOTA client in the personal profile on a device.
Knox firewall and domain filter
The Knox firewall and domain filter APIs are permitted in the new work profile on company-owned device.
Update your implementation to manage the Knox firewall and domain filter in the personal profile by calling the APIs using a parent instance, as described in Knox SDK.
Knox global proxy
In the new work profile on company-owned device, an IT admin is not permitted to configure and manage the Knox global proxy.
The Knox framework will unset the Knox global proxy policy after the Android 11 upgrade.
Knox Mobile Enrollment (KME)
If you have a fully managed device with a work profile enrolled via KME, we recommend that you update your KME profile with the option Let MDM choose to enroll as a Device Owner or Profile Owner.
See the difference between Device Owner and Profile Owner.
What happens if I don't make this change?
If you do not update your KME profile, after the Android 11 update and a factory reset, the device will be enrolled automatically as a fully managed device (device owner) because a fully managed device with a work profile is no longer supported on Android 11.
Knox Manage
Devices enrolled as a fully managed device with a work profile are no longer supported on Android 11, and migrate to the new work profile on company-owned device.
For more information, see:
- Knox Manage release notes—November 5, 2020
- Knox Manage support for deprecated device modes in Android 11
Knox Network Platform Analytics (NPA)
In the new work profile on company-owned device, the IT admin is not permitted to collect netflow data via solutions such as Knox NPA.
As such, UEMs must do the following prior to the upgrade to Android 11:
- Uninstall the NPA agent in the personal profile.
- Configure NPA inside the work profile prior to the Android 11 upgrade.
What happens if I don't make this change?
The Knox framework will not remove the NPA agent or profile prior to the Android 11 upgrade because the UEM console, UEM agent, and NPA vendor will not be in sync. Thus, if you do not take any action device-wide or in the personal profile, NPA will continue to work after the Android 11 upgrade, but you will not be able to manage Knox NPA in the personal profile.
Knox SDK
UEM vendors using the Knox SDK to apply Knox policies to the new work profile on company-owned device should review Prepare Knox for Android 11 in the Developer Guide.
Knox Sensitive Data Protection (SDP) and Samsung Email
In the fully managed device with a work profile deployment, if Samsung Email is installed in the personal profile, then the Samsung Email app will no longer work after the auto upgrade to the new work profile on company-owned device in Android 11.
Samsung Email leverages the Knox Sensitive Data Protection (SDP) feature. SDP in the personal profile stops operating as soon as the device owner is disabled.
You need to ensure the following:
- Uninstall the Samsung Email app from the personal profile and install it in the work profile prior to the Android 11 upgrade.
- Do the same for any other SDP-enabled application.
What happens if I don't make this change?
If you do not uninstall Samsung Email from the personal profile, Samsung Email will not show the body of emails. The customer will need to uninstall the Samsung Email app in the personal profile.
Knox Service Plugin (KSP)
UEM vendors need to ensure the following before the upgrade to Android 11:
- Do not uninstall the KSP app in a personal profile.
- Update the KSP app to the latest version, 1.2.45 or higher.
After upgrading to Android 11, the Knox framework uninstalls the KSP app from the personal profile.
Note also that the following Knox features are not supported by KSP in the new work profile on company-owned device:
- Enterprise billing
- Certificate management
- Client Certificate management (CCM)
- Universal Credential Manager (UCM)
- Network Platform Analytics (NPA)
What happens if I don't make this change?
If you do not update to the latest version of the KSP app, policies applied by KSP will remain unless they violate privacy. KSP cannot apply policies for the device owner after the Android 11 upgrade, which will result in some exceptions and unexpected behavior. The device might go into a bad state and will need to be factory reset.
Knox VPNs
In the new work profile on company-owned device, the IT admin is not permitted to configure and manage a VPN in the personal profile.
As such, UEMs must do the following prior to the upgrade to Android 11:
- Uninstall the VPN agent in the personal profile.
- If using the Android Settings VPN, delete the VPN profile in the personal profile.
- Configure VPNs inside work profiles prior to the Android 11 upgrade.
What happens if I don't make this change?
The Knox framework will not remove the VPN agent or Settings VPN profile in the personal profile prior to the Android 11 upgrade because the UEM console, UEM agent, and VPN vendor will not be in sync. Thus, if you do not take any action device-wide or in the personal profile, the VPN will continue to work after the Android 11 upgrade, but you will not be able to manage the VPN in the personal profile.
Note: If the VPN agent is inside the work profile, you do not need to make any changes to the VPN configuration inside the work profile.
Universal Credential Manager (UCM)
UCM is not supported on the new work profile on company-owned device. Existing UCM deployments on a fully managed device with a work profile will not be migrated to the new work profile on company-owned device.
As such, you must do the following prior to the upgrade to Android 11:
- In the case of UCM-ODE and UCM-Keyguard, the device must be factory reset before the Android 11 upgrade.
- In other cases, you must uninstall the UCM plugin client in the personal profile.
What happens if I don't make this change?
The Knox UCM framework will not remove the UCM plugin client and UCM policies in the personal profile prior to the Android 11 upgrade because the UEM console, UEM agent, and UCM plugin client will not be in sync. Thus, if you do not take any action, UCM will work after the Android 11 upgrade, but you will not be able to configure or manage UCM in user 0. This could lead to unexpected behavior of the device.
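A pre-upgrade check that applies the requirements from the Knox NPA, SDP, KSP, VPN and UCM sections above to a device inventory, as an added example (not Samsung's code). The inventory schema, app role labels and device IDs are assumptions constructed for illustration.

```python
# Added example. The inventory schema and the app role labels below are
# assumptions for illustration, not a Knox or UEM export format.
KSP_MIN = (1, 2, 45)  # minimum KSP version stated on this page
DEPRECATED_MODE = "fully_managed_with_work_profile"

# App role found in the personal profile -> action required before the upgrade
PERSONAL_APP_ACTIONS = {
    "vpn_agent": "Uninstall the VPN agent from the personal profile; configure the VPN in the work profile",
    "npa_agent": "Uninstall the NPA agent from the personal profile; configure NPA in the work profile",
    "samsung_email": "Uninstall Samsung Email from the personal profile and install it in the work profile",
    "sdp_app": "Uninstall the SDP-enabled app from the personal profile and install it in the work profile",
}

def parse_version(text):
    """'1.2.45' -> (1, 2, 45), so 1.2.100 compares higher than 1.2.45."""
    return tuple(int(part) for part in text.split("."))

def pre_upgrade_actions(device):
    """Return the actions this page requires before the Android 11 upgrade."""
    if device["mode"] != DEPRECATED_MODE:
        return []  # only the deprecated deployment is migrated
    actions = []
    personal = device.get("personal_profile_apps", [])
    actions += [PERSONAL_APP_ACTIONS[r] for r in personal if r in PERSONAL_APP_ACTIONS]
    if device.get("settings_vpn_profile_in_personal"):
        actions.append("Delete the Android Settings VPN profile in the personal profile")
    if device.get("ucm_mode") in ("UCM-ODE", "UCM-Keyguard"):
        actions.append("Factory reset the device before the upgrade (UCM-ODE or UCM-Keyguard)")
    elif "ucm_plugin" in personal:
        actions.append("Uninstall the UCM plugin client from the personal profile")
    ksp = device.get("ksp_version")
    if ksp is not None and parse_version(ksp) < KSP_MIN:
        actions.append("Update the KSP app to 1.2.45 or higher; do not uninstall it")
    return actions

# Constructed sample inventory (not real devices)
INVENTORY = [
    {"id": "dev-a", "mode": DEPRECATED_MODE, "ksp_version": "1.2.9",
     "personal_profile_apps": ["vpn_agent", "samsung_email"]},
    {"id": "dev-b", "mode": DEPRECATED_MODE, "ksp_version": "1.2.100",
     "personal_profile_apps": ["ucm_plugin"], "ucm_mode": "UCM-ODE"},
    {"id": "dev-c", "mode": "fully_managed", "ksp_version": "1.2.9",
     "personal_profile_apps": ["vpn_agent"]},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for action in pre_upgrade_actions(dev):
            print(f"{dev['id']}: {action}")
```

Versions are compared as integer tuples because a string comparison would rank 1.2.9 above 1.2.45 and 1.2.100 below it.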