Knox Remote Support agent

This page describes how to set up Knox Remote Support for both the Knox Admin Portal and Knox Manage, and covers how to enable the Knox Remote Support agent with the required EMM policies for your devices.

Install and enable the Knox Remote Support agent

To use Knox Remote Support from the Knox Admin Portal

If you’re using Knox Remote Support from the Knox Admin Portal, you can:

• Ask the device user to install the Knox Remote Support agent from the Google Play Store, then directly share an access code with them. If you choose this method, you won’t be able to automatically start or ask users to start a remote session.
• Set up and deploy the Knox Remote Support agent to fully managed devices through an EMM, then Automatically start or Ask users to start a remote session. To do so, you need to set up managed configurations for the agent in your EMM. If you use this method for non-fully managed devices, those devices aren’t added to the Devices menu.

Set up managed configurations

Before you start, go to Knox Remote Support in the Knox Admin Portal navigation menu. Then, click your username in the top-right corner and copy the Secret Key. You’ll need to enter this key later.

Then, to configure these policies in your EMM:

1. In your EMM console, add Knox Remote Support to Managed Google Play.

2. Go to the managed app configuration for Knox Remote Support. Then, for Secret Key, paste the key you copied earlier.

3. Set the following policies for the device:

   • Automatically install the Knox Remote Support agent

   • Automatically run the agent after installation

   • (Optional) Prevent device users from deleting the agent

4. Save your policies and deploy them to the devices.

Once the agent is installed on the device, you can see it on the Knox Remote Support Device page.

To use Knox Remote Support from Knox Manage

If you’re using Knox Remote Support from the Knox Manage console, you have two options:

1. Ask the device user to install the Knox Remote Support agent from the Google Play Store.

2. Add the agent to Managed Google Play, then set the following policies on the Assign Application page before assigning it to the device.

   • Installation type — Automatic

   • Auto-run after installation — Yes

Fully enable Knox Remote Support for devices enrolled in an EMM

For devices enrolled in an EMM, you must also enable the appropriate Knox Service Plugin policy. Without this policy, basic Knox Remote Support functionality may be severely impacted. The remote device won’t stream its screen, resulting in a blank live view in the Viewer.

To fully enable the Knox Remote Support agent on devices enrolled in an EMM:

1. Go to your EMM console and edit the policies for your device.

   • If you’re a Knox Manage user, go to Profile, then click the name of the device’s profile. Then, click Modify Policy > Samsung Knox.

2. Set the following policies depending on the device’s platform and enrollment type:

   • Personally-owned Android Enterprise device:

     • Knox Service Plugin > Work Profile Policies (Profile Owner) > Enable work profile Policies — True

     • Knox Service Plugin > Work Profile Policies (Profile Owner) > Advanced Restriction Policies in work profile (Premium) > Allow remote control — True

   • Fully managed or company-owned Android Enterprise device:

     • Knox Service Plugin > Device-wide policies… > Enable device policy controls — True

     • Knox Service Plugin > Device-wide policies… > Advanced Restriction policies (Premium) > Allow remote control — True

Automatically grant app permissions to the Knox Remote Support agent

If you want to automatically start remote support sessions on your devices, you need to set certain policies to bypass the prompt asking device users to manually grant permissions.

If you’re a Knox Manage user:

1. In the Knox Manage console, begin modifying the policies in your profile.

2. Set the Android Enterprise > Application > App Permission policy to Grant, then click Add.

3. In the app dialog, search for and select Knox Remote Support ( com.sds.emm.sers ).

4. In the app permissions dialog, Grant the following:

   • read phone status and identity

   • android.permission.READ_PHONE_NUMBERS

   • post notifications (for Android 13 and higher)

5. Save your profile and deploy it to the devices.

If you’re an EMM user, grant the following app runtime permissions to the Knox Remote Support agent:

1. read phone status and identity

2. android.permission.READ_PHONE_NUMBERS

3. post notifications (for Android 13 and higher)

Resolve device admin errors with Android Enterprise

In some cases, Android Enterprise devices might display error notifications related to device admin notifications, and Knox Remote Support might fail to launch. If this behavior occurs after setting the Knox Service Plugin policies in the previous section, then you should enable the following additional Knox service Plugin policies to resolve the issue:

1. Go to your EMM console and edit the policies for your device.

   • If you’re a Knox Manage user, go to Profile, then click the name of the device’s profile. Then, click Modify Policy > Samsung Knox.

2. Under Knox Service Plugin > Device-wide policies… > Device Admin allowlisting, set the following policies:

   • Enable device admin controls — True

   • Allowlisted DAs — Add an admin named Knox Remote Support