Knox Remote Support agent
Last updated September 25th, 2024
This page describes how to set up Knox Remote Support for both the Knox Admin Portal and Knox Manage. It also covers how to enable the Knox Remote Support agent with necessary UEM policies for your devices.
The device user must install the Knox Remote Support agent from Google Play Store in the device’s personal or work profile. Installing it in the work profile enables the device users to use Knox Remote Support within the work profile itself, without accessing any personal profile data. It can also be installed by you through app assignment.
If you install the Knox Remote Support agent in the work profile, the following restrictions apply:
- On Samsung devices, when the remote session starts, a black screen appears in the Knox Remote Support viewer. Furthermore, you can’t control the device until the device user launches a work profile app.
- On Samsung devices in DeX mode, starting the remote session requires the device user’s consent. You can only view the device screen. You can’t control the device until the device user launches a work profile app.
- On non-Samsung devices, starting the remote session requires the device user’s consent. You can’t control the device and can only view the device screen.
If you want to use Knox Remote Support without any of the above restrictions, then install the agent in the device’s personal profile. Ensure to keep the agent up-to-date so your support sessions work as expected.
Install and enable the Knox Remote Support agent
Use Knox Remote Support from the Knox Admin Portal
If you’re using Knox Remote Support from the Knox Admin Portal, you can:
-
Ask the device user to install the Knox Remote Support agent from the Google Play Store, then directly share an access code with them. If you choose this method, you won’t be able to automatically start or ask users to start a remote session.
-
Set up and deploy the Knox Remote Support agent to fully managed devices through a UEM, then Automatically start or Ask users to start a remote session. To do so, you need to set up managed configurations for the agent in your UEM. If you use this method for non-fully managed devices, those devices aren’t added to the Devices menu.
Only fully managed Samsung devices running the Knox platform support the Automatically start option.
Set up managed configurations
Before you start, go to Knox Remote Support in the Knox Admin Portal navigation menu. Then, click your username in the top-right corner and copy the Secret Key. You’ll need to enter this key later.
Then, to configure these policies in your UEM:
-
In your UEM console, add Knox Remote Support to Managed Google Play.
-
Go to the managed app configuration for Knox Remote Support. Then, for Secret Key, paste the key you copied earlier.
-
Set the following policies for the device:
Policy Value Required? Automatically install the Knox Remote Support agent True Required Automatically run the agent after installation True Required Prevent device users from deleting the agent True Optional -
Save your policies and deploy them to the devices.
Once the agent is installed on the device, you can see it on the Knox Remote Support Device page.
After the Knox Remote Support agent is installed, the device user is prompted to grant it access permissions on the device. The device user must provide consent to these permissions to use Knox Remote Support, including for use of Automatically start option for starting remote sessions.
On Samsung devices, device users are prompted only once to grant permissions to the Knox Remote Support agent after it’s installed.
On non-Samsung and DeX mode devices, device users are prompted to grant permissions to the Knox Remote Support agent at the start of each Knox Remote Support session.
Use Knox Remote Support from Knox Manage
If you’re using Knox Remote Support from the Knox Manage console, you have two options:
-
Ask the device user to install the Knox Remote Support agent from the Google Play Store.
-
Add the agent to Managed Google Play, then set the following policies on the Assign Application page before assigning it to the device.
Policy Value Installation type Automatic Auto-run after installation Yes
In the device’s profile, under Android Enterprise > Application > App Uninstallation Prevention List Setting, add the agent to prevent the device user from deleting it.
If a device user is enabling Knox Remote Support from the Knox Manage agent, they have the option to install, update and, run the agent in the kiosk mode of the device. For details on how, see Access Knox Remote Support from kiosk.
After the Knox Remote Support agent is installed, the device user is prompted to grant it access permissions on the device. The device user must provide consent to these permissions to use Knox Remote Support, including for use of Automatically start option for starting remote sessions.
On Samsung devices, device users are prompted only once to grant permissions to the Knox Remote Support agent after it’s installed.
On non-Samsung and DeX mode devices, device users are prompted to grant permissions to the Knox Remote Support agent at the start of each Knox Remote Support session.
Fully enable Knox Remote Support for devices enrolled in an UEM
For devices enrolled in a UEM, you must also enable the appropriate Knox Service Plugin policy as explained in this section. Without this policy, basic Knox Remote Support functionality may be severely impacted. The remote device’s screen is not relayed and shown in the Viewer, which displays a blank screen instead.
To fully enable the Knox Remote Support agent on devices enrolled in a UEM:
-
Go to your UEM console and edit the policies for your device.
- If you’re a Knox Manage user, go to Profile, then click the name of the device’s profile. Then, click Modify Policy > Samsung Knox.
-
Set the following policies depending on the device’s platform and enrollment type:
-
To view and control the work profile:
Policy Value Knox Service Plugin > Work Profile Policies (Profile Owner) > Enable work profile Policies True Knox Service Plugin > Work Profile Policies (Profile Owner) > Advanced Restriction Policies in work profile (Premium) > Allow remote control True -
To view and control the personal profile:
Policy Value Knox Service Plugin > Device-wide policies… > Enable device policy controls True Knox Service Plugin > Device-wide policies… > Advanced Restriction policies (Premium) > Allow remote control True
-
If you are using the new Knox Manage console, go to the original console to set policies in Knox Service Plugin.
Automatically grant app permissions to the Knox Remote Support agent
If you want to automatically start remote support sessions on your devices, you need to set certain policies to bypass the prompt asking device users to manually grant permissions.
If you’re a Knox Manage user:
-
In the Knox Manage console, begin modifying the policies in your profile.
-
Set the Android Enterprise > Application > App Permission policy to Prompt, then click Add.
-
In the app dialog, search for and select Knox Remote Support (com.sds.emm.sers).
-
In the app permissions dialog, Grant the following:
- read phone status and identity
- android.permission.READ_PHONE_NUMBERS
- post notifications (for Android 13 and higher)
-
Save your profile and deploy it to the devices.
If you’re a UEM user, grant the following app runtime permissions to the Knox Remote Support agent:
- read phone status and identity
- android.permission.READ_PHONE_NUMBERS
- post notifications (for Android 13 and higher)
Resolve device admin errors with Android Enterprise
In some cases, Android Enterprise devices might display error notifications related to device admin notifications, and Knox Remote Support might fail to launch. If this behavior occurs after setting the Knox Service Plugin policies in the previous section, then you should enable the following additional Knox service Plugin policies to resolve the issue:
-
Go to your UEM console and edit the policies for your device.
- If you’re a Knox Manage user, go to Profile, then click the name of the device’s profile. Then, click Modify Policy > Samsung Knox.
-
Under Knox Service Plugin > Device-wide policies… > Device Admin allowlisting, set the following policies:
Policy Value Enable device admin controls True Allowlisted DAs Add an admin named Knox Remote Support
On this page
Is this page helpful?