Knox Remote Support agent

This page describes how to set up Knox Remote Support for both the Knox Admin Portal and Knox Manage. It also covers how to enable the Knox Remote Support agent with necessary UEM policies for your devices.

The device user must install the Knox Remote Support agent from Google Play Store in the device’s personal or work profile. Installing it in the work profile enables the device users to use Knox Remote Support within the work profile itself, without accessing any personal profile data. It can also be installed by you through app assignment.

Install and enable the Knox Remote Support agent

Use Knox Remote Support from the Knox Admin Portal

If you’re using Knox Remote Support from the Knox Admin Portal, you can:

• Ask the device user to install the Knox Remote Support agent from the Google Play Store, then directly share an access code with them. If you choose this method, you won’t be able to automatically start or ask users to start a remote session.

• Set up and deploy the Knox Remote Support agent to fully managed devices through a UEM, then Automatically start or Ask users to start a remote session. To do so, you need to set up managed configurations for the agent in your UEM. If you use this method for non-fully managed devices, those devices aren’t added to the Devices menu.

Set up managed configurations

Before you start, go to Knox Remote Support in the Knox Admin Portal navigation menu. Then, click your username in the top-right corner and copy the Secret Key. You’ll need to enter this key later.

Then, to configure these policies in your UEM:

1. In your UEM console, add Knox Remote Support to Managed Google Play.

2. Go to the managed app configuration for Knox Remote Support. Then, for Secret Key, paste the key you copied earlier.

3. Set the following policies for the device:

   Policy	Value	Required?
   Automatically install the Knox Remote Support agent	True	Required
   Automatically run the agent after installation	True	Required
   Prevent device users from deleting the agent	True	Optional

4. Save your policies and deploy them to the devices.

Once the agent is installed on the device, you can see it on the Knox Remote Support Device page.

Use Knox Remote Support from Knox Manage

If you’re using Knox Remote Support from the Knox Manage console, you have two options:

• Ask the device user to install the Knox Remote Support agent from the Google Play Store.

• Add the agent to Managed Google Play, then set the following policies on the Assign Application page before assigning it to the device.

  Policy	Value
  Installation type	Automatic
  Auto-run after installation	Yes

If a device user is enabling Knox Remote Support from the Knox Manage agent, they have the option to install, update and, run the agent in the kiosk mode of the device. For details on how, see Access Knox Remote Support from kiosk.

Fully enable Knox Remote Support for devices enrolled in an UEM

For devices enrolled in a UEM, you must also enable any required Knox Service Plugin policies, as explained in this section. Without these policies, basic Knox Remote Support functionality may be severely impacted. The remote device’s screen is not relayed and shown in the viewer, which displays a blank screen instead.

Set the Knox Service Plugin policy

1. Go to your UEM console and edit the policies for your device.

   • If you’re a Knox Manage user, go to Profile, then click the name of the device’s profile. Then, click Modify Policy > Samsung Knox.

2. Set the following policies depending on the device’s platform and enrollment type:

   • To view and control the work profile:

     Policy	Value
     Knox Service Plugin > Work Profile Policies (Profile Owner) > Enable work profile Policies	True
     Knox Service Plugin > Work Profile Policies (Profile Owner) > Advanced Restriction Policies in work profile (Premium) > Allow remote control	True

   • To view and control the personal profile:

     Policy	Value
     Knox Service Plugin > Device-wide policies… > Enable device policy controls	True
     Knox Service Plugin > Device-wide policies… > Advanced Restriction policies (Premium) > Allow remote control	True

Automatically grant app permissions to the Knox Remote Support agent

If you want to automatically start remote support sessions on your devices, you need to set certain policies to bypass the prompt asking device users to manually grant permissions.

If you’re a Knox Manage user:

1. In the Knox Manage console, begin modifying the policies in your profile.

2. Set the Android Enterprise > Application > App Permission policy to Prompt, then click Add.

3. In the app dialog, search for and select Knox Remote Support (com.sds.emm.sers).

4. In the app permissions dialog, Grant the following:

   • read phone status and identity
   • android.permission.READ_PHONE_NUMBERS
   • post notifications (for Android 13 and higher)

5. Save your profile and deploy it to the devices.

If you’re a UEM user, grant the following app runtime permissions to the Knox Remote Support agent:

• read phone status and identity
• android.permission.READ_PHONE_NUMBERS
• post notifications (for Android 13 and higher)

Resolve device admin errors with Android Enterprise

In some cases, Android Enterprise devices might display error notifications related to device admin notifications, and Knox Remote Support might fail to launch. If this behavior occurs after setting the Knox Service Plugin policies in the previous section, then you should enable the following additional Knox service Plugin policies to resolve the issue:

1. Go to your UEM console and edit the policies for your device.

   • If you’re a Knox Manage user, go to Profile, then click the name of the device’s profile. Then, click Modify Policy > Samsung Knox.

2. Under Knox Service Plugin > Device-wide policies… > Device Admin allowlisting, set the following policies:

   Policy	Value
   Enable device admin controls	True
   Allowlisted DAs	Add an admin named Knox Remote Support