
Prepare Knox for Android 11

Samsung Knox supports the new work profile on company-owned device introduced in Android 11.

Knox policies fall into two categories based on privacy guidelines:

  1. Policies that don't infringe on personal privacy and are available to the profile owner of the new work profile on company-owned device. For a complete list of these, see Knox policies in personal profile.
  2. Policies that may infringe on privacy and are not available to the profile owner of the new work profile on company-owned device.

During the Android 11 upgrade from the deprecated fully managed device with a work profile to the new work profile on company-owned device:

  • Device owner is disabled.
  • Knox policies available in the new work profile on company-owned device and called by UEMs are silently migrated to the profile owner. The profile owner retains existing Knox permissions granted through the Knox license, even though the device owner (from User 0) is disabled.
  • Knox policies not available in the new work profile on company-owned device will be unset.

If you currently use the fully managed device with a work profile, which is deprecated in Android 11, review the Knox policies you set and ensure they are still supported in the personal profile of the new work profile on company-owned device.

NOTE - The following Knox areas are impacted by Android 11 and can result in service disruptions if not prepared properly before the Android 11 upgrade. Please read carefully and follow the recommendations.

Knox Audit Log

If a device owner has enabled the Knox Audit Log functionality in a fully managed device with a work profile deployment, log entries from the personal profile stored to the audit log buffer will remain as is after the Android 11 upgrade to the new work profile on company-owned device.

To protect the device user's privacy in the new work profile on company-owned device, some audit log messages generated in User 0 that affect end-user privacy will either not be visible or will be redacted.

Knox Configure (KC)

To protect the device user’s privacy in the new work profile on company-owned device, Knox Configure:

  • fails on new enrollment
  • is supported when the device is migrated from a fully managed device with a work profile. However, even in this case, KC does not work if the device is reset to factory defaults.

Knox Deployment App (KDA)

The KDA’s NFC enrollment option will no longer be available. It was built based on Android Beam which has been deprecated by Google.

Knox DualDAR

Existing DualDAR deployments on a fully managed device with a work profile will be auto migrated to the new work profile on company-owned device.

For new DualDAR deployments, the use case where the second-layer encryption is provided by a third-party ISV is impacted. Going forward, Samsung will install the second-layer app instead of the UEM provider. For details, see DualDAR with work profile on company-owned devices.

Knox E-FOTA

Samsung will install the E-FOTA client in the personal profile once enabled by the IT admin using the Knox Deployment Program or Knox Service Plugin.

This addresses the limitation that UEMs cannot directly push the E-FOTA client in the personal profile on a device.

Knox firewall and domain filter

The Knox firewall and domain filter APIs are permitted in the new work profile on company-owned device.

Update your implementation to manage the Knox firewall and domain filter in the personal profile by calling the APIs through a parent instance, as described in the Knox SDK.

Knox global proxy

In the new work profile on company-owned device, an IT admin is not permitted to configure and manage the Knox global proxy.

The Knox framework will unset the Knox global proxy policy after the Android 11 upgrade.

Knox Mobile Enrollment (KME)

If you have fully managed devices with a work profile enrolled via KME, we recommend that you update your KME profile with the option Let MDM choose to enroll as a Device Owner or Profile Owner.

See the difference between Device Owner and Profile Owner.

NOTE - KME now blocks the deprecated device admin (DA) mode for new device enrollments.

What happens if I don't make this change?

If you do not update your KME profile, after the Android 11 update and a factory reset, the device will be enrolled automatically as a fully managed device (device owner) because a fully managed device with a work profile is no longer supported on Android 11.

Knox Manage

Devices enrolled as a fully managed device with a work profile are no longer supported on Android 11, and migrate to the new work profile on company-owned device.

NOTE - Knox Manage has deprecated the Android Legacy or device admin (DA) mode.


Knox Network Platform Analytics (NPA)

In the new work profile on company-owned device, the IT admin is not permitted to collect netflow data via solutions such as Knox NPA.

As such, UEMs must do the following prior to the upgrade to Android 11:

  • Uninstall the NPA agent in the personal profile.
  • Configure NPA inside the work profile prior to the Android 11 upgrade.

What happens if I don't make this change?

The Knox framework will not remove the NPA agent or profile prior to the Android 11 upgrade because the UEM console, UEM agent, and NPA vendor will not be in sync. Thus, if you take no action device-wide or in the personal profile, NPA will continue to work after the Android 11 upgrade; however, you will not be able to manage Knox NPA in the personal profile.

Knox SDK

UEM vendors using the Knox SDK to apply Knox policies to the new work profile on company-owned device should review Prepare Knox for Android 11 in the Developer Guide.

Knox Sensitive Data Protection (SDP) and Samsung Email

In the fully managed device with a work profile deployment, if Samsung Email is installed in the personal profile then the Samsung Email app will no longer work after the auto upgrade to the new work profile on company-owned device in Android 11.

Samsung Email leverages the Knox Sensitive Data Protection (SDP) feature. SDP in the personal profile does not operate as soon as the device owner is disabled.

You need to ensure the following:

  1. Uninstall the Samsung Email app from the personal profile and install it in the work profile prior to the Android 11 upgrade.
  2. Do the same for any other SDP-enabled application.

What happens if I don't make this change?

If you do not uninstall Samsung Email from the personal profile, the app will no longer display message bodies. The customer will then need to uninstall the Samsung Email app from the personal profile.

Knox Service Plugin (KSP)

UEM vendors need to ensure the following before the upgrade to Android 11:

  1. Do not uninstall the KSP app from the personal profile.
  2. Update the KSP app to version 1.2.45 or higher.

After upgrading to Android 11, the Knox framework uninstalls the KSP app from the personal profile.

Note also that the following Knox features are not supported by KSP in the new work profile on company-owned device:

  • Enterprise billing
  • Certificate management
  • Client Certificate management (CCM)
  • Universal Credential Manager (UCM)
  • Network Platform Analytics (NPA)

What happens if I don't make this change?

If you do not update the KSP app, the policies it has already applied remain in place unless they violate privacy. However, KSP can no longer apply policies through the device owner after the Android 11 upgrade, which results in exceptions and unexpected behavior; the device might enter a bad state that requires a factory reset.

Knox VPNs

In the new work profile on company-owned device, the IT admin is not permitted to configure and manage a VPN in the personal profile.

As such, UEMs must do the following prior to the upgrade to Android 11:

  • Uninstall the VPN agent in the personal profile.
    • If using the Android Settings VPN, delete the VPN profile in the personal profile.
  • Configure VPNs inside work profiles prior to the Android 11 upgrade.

What happens if I don't make this change?

The Knox framework will not remove the VPN agent or Settings VPN profile in the personal profile prior to the Android 11 upgrade because the UEM console, UEM agent, and VPN vendor will not be in sync. Thus, if you take no action device-wide or in the personal profile, the VPN will continue to work after the Android 11 upgrade; however, you will not be able to manage the VPN in the personal profile.

Note: If the VPN agent is inside the work profile, you do not need to make any changes to the VPN configuration inside the work profile.

Universal Credential Manager (UCM)

UCM is not supported on the new work profile on company-owned device. Existing UCM deployments on a fully managed device with a work profile will not be migrated to the new work profile on company-owned device.

As such, you must do the following prior to the upgrade to Android 11:

  • In the case of UCM-ODE and UCM-Keyguard, the device must be factory reset before the Android 11 upgrade.
  • In other cases, you must uninstall the UCM plugin client in the personal profile.

What happens if I don't make this change?

The Knox UCM framework will not remove the UCM plugin client and UCM policies in the personal profile prior to the Android 11 upgrade because the UEM console, UEM agent, and UCM plugin client will not be in sync. Thus, if you take no action, UCM will continue to work after the Android 11 upgrade; however, you will not be able to configure or manage UCM in User 0. This could lead to unexpected behavior of the device.
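The following script is an added example, not Samsung tooling and not part of this page, that ties together the KME, Samsung Email/SDP, NPA, VPN, KSP and UCM recommendations above into one pre-upgrade readiness check for a device that is still a fully managed device with a work profile. It classifies the device's current management mode from `adb shell dumpsys device_policy` output, lists personal-profile (User 0) packages that must be moved into the work profile or uninstalled before the Android 11 upgrade, and checks the installed KSP version against the 1.2.45 minimum while deliberately leaving KSP itself in place. All input is constructed sample output embedded in the script; the Samsung Email and KSP package names and the `com.example.*` agent names are assumptions, not values from this page, so replace the rule table with your own agents and feed it live captures.

```shell
#!/bin/sh
# Android 11 upgrade readiness check for a device enrolled as a fully managed
# device with a work profile (device owner on User 0, profile owner in the
# work profile). Added example; not Samsung's or any UEM vendor's tooling.
#
# Inputs are CONSTRUCTED samples of what these adb commands print:
#   adb shell dumpsys device_policy
#   adb shell pm list packages --user 0
#   adb shell dumpsys package <ksp package> | grep versionName
# The dumpsys layout varies by Android build, so check the patterns against a
# real capture before relying on them.

SAMPLE_DEVICE_POLICY='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.uem/com.example.uem.AdminReceiver}
    package=com.example.uem
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.uem/com.example.uem.AdminReceiver}
    package=com.example.uem'

SAMPLE_USER0_PACKAGES='package:com.android.settings
package:com.samsung.android.email.provider
package:com.example.vpnclient
package:com.samsung.android.knox.kpu
package:com.sec.android.app.camera'

SAMPLE_KSP_DUMPSYS='    versionName=1.2.40'

# Package -> action table for the personal profile (User 0). The Samsung Email
# and KSP package names are assumptions about real packages, not from the page;
# com.example.* entries are placeholders for your own VPN/NPA/UCM agents.
PERSONAL_PROFILE_RULES='com.samsung.android.email.provider move-to-work-profile(SDP-stops-when-DO-is-disabled)
com.example.vpnclient move-to-work-profile(VPN-unmanageable-in-personal-profile)
com.example.npaagent move-to-work-profile(NPA-unmanageable-in-personal-profile)
com.example.ucmplugin uninstall(UCM-not-supported)'
KSP_PACKAGE=com.samsung.android.knox.kpu
KSP_MIN_VERSION=1.2.45

# management_mode: reads dumpsys device_policy on stdin and prints one of
# fully-managed-with-work-profile | fully-managed | work-profile | unmanaged.
management_mode() {
  has_do=0; has_po=0
  while IFS= read -r line; do
    case "$line" in
      *"Device Owner:"*) has_do=1 ;;
      *"Profile Owner (User "*) has_po=1 ;;
    esac
  done
  if [ "$has_do" = 1 ] && [ "$has_po" = 1 ]; then echo fully-managed-with-work-profile
  elif [ "$has_do" = 1 ]; then echo fully-managed
  elif [ "$has_po" = 1 ]; then echo work-profile
  else echo unmanaged
  fi
}

# blocking_personal_packages: reads `pm list packages --user 0` on stdin and
# prints "<package> <action>" for every package that must move or go before
# the upgrade. KSP is deliberately NOT listed: the page says to leave it in
# place (the Knox framework removes it after the upgrade) and only update it.
blocking_personal_packages() {
  while IFS= read -r line; do
    pkg=${line#package:}
    printf '%s\n' "$PERSONAL_PROFILE_RULES" | while read -r rule_pkg action; do
      if [ "$rule_pkg" = "$pkg" ]; then echo "$pkg $action"; fi
    done
  done
}

# version_ge A B: true when dotted version A >= B, compared numerically per
# component (so 1.2.45 >= 1.2.9 and 1.10.0 >= 1.9.99).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# ksp_version: extracts versionName from `dumpsys package` output on stdin.
ksp_version() { sed -n 's/^[[:space:]]*versionName=//p' | head -n 1; }

# ksp_ready: true when the installed KSP meets the minimum for the upgrade.
ksp_ready() { version_ge "$1" "$KSP_MIN_VERSION"; }

# Report over the constructed samples.
mode=$(printf '%s\n' "$SAMPLE_DEVICE_POLICY" | management_mode)
echo "management mode: $mode"
if [ "$mode" = fully-managed-with-work-profile ]; then
  echo "personal-profile actions before Android 11:"
  printf '%s\n' "$SAMPLE_USER0_PACKAGES" | blocking_personal_packages | sed 's/^/  /'
  v=$(printf '%s\n' "$SAMPLE_KSP_DUMPSYS" | ksp_version)
  if ksp_ready "$v"; then echo "  $KSP_PACKAGE $v ok"
  else echo "  $KSP_PACKAGE $v too old, update to >= $KSP_MIN_VERSION (do not uninstall)"; fi
fi
```

On a real device, pipe the live `adb shell` output into `management_mode`, `blocking_personal_packages` and `ksp_version` instead of the samples. A device that already reports `work-profile` (profile owner only) has completed the migration and needs none of the personal-profile actions; a device that reports `fully-managed` after a factory reset is the KME outcome described above, where the deprecated mode falls back to a plain device owner enrollment.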