Basics
About Knox
Knox licenses
Knox white paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Sign up for Samsung Knox
- Samsung Account
- Single sign-on
Latest release notes
General Knox FAQ
General Knox KBAs
Submit a support ticket
User Acceptance Testing
- Introduction
- Get started with UAT
- Report issues
- UAT limitations
- FAQ
- UAT 23.03 release notes
For IT admins
Knox Admin Portal
- Overview
- What's new
- How-to videos
- Get started
- How-to guides
- Knox Remote Support
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQ
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- Get started
  - Before you begin
  - Firewall exceptions
- Features
- Advanced profiles
- Release notes
- FAQ
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
Knox Capture
- Welcome
- Overview
- How-to guides
- Get started
  - Get started as an IT admin
  - Get started as an end-user
- How-to videos
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Capture: Scandit Edition
Knox Asset Intelligence
- Introduction
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Real-time location service
- Release notes
- FAQ
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Release notes
- FAQ
- KBAs
- Support
- Knox Guard REST API
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQ
- KBAs
For Knox Partners
Knox Deployment Program
Knox MSP Program

Enabling Dual DAR with Knox Service Plugin (KSP)

Prerequisites

Enable DualDAR in KME or KME Direct profile configuration
MDM/UEM to deploy KSP
Knox DualDAR license Key
Device that has Dual DAR 1.1.0 or higher

Supported devices

Android version	Samsung Exynos	Qualcomm Snapdragon
Android 9	Galaxy S10e (Spring 2019)	Galaxy S10+ (Spring 2019)
Android 10	Galaxy S20+ (Spring 2020) Galaxy S10e (Spring 2020)	Galaxy S20+ (Spring 2020) Galaxy S10e (Spring 2020)
Android 11	Galaxy S21 Ultra (Spring 2021) Galaxy S20+ (Spring 2021) Galaxy S10e (Spring 2021) Galaxy Tab Active3 (Spring 2021)	Galaxy S21 Ultra (Spring 2021) Galaxy S20+ (Spring 2021) Galaxy S10+ (Spring 2021)
Android 12	Galaxy S22 (Spring 2022) DO and WP-C PO mode Tab S8 (Spring 2022) DO and WP-C PO mode	Galaxy S22 (Spring 2022) DO and WP-C PO mode Tab S8 (Spring 2022) DO and WP-C PO mode

How to enable DualDAR for DO

NOTE — In order to successfully deploy and activate DualDAR through the Knox Service Plugin, you must enable DualDAR in the Knox Mobile Enrollment or Knox Mobile Enrollment Direct configuration.

Through your EMM of choice, go to KSP Configuration.
On the KPE configuration page:
1. If your EMM uses profiles, enter the profile name.
2. Enter the KPE Premium key.
Click on Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)(which drops down additional configurations) under Enable device policy controls set to True
Set Enable password policy controls with KSP > Passcode Policy to True.
Expand Dual Data-at-Rest (DAR) Encryption, then set the following:
1. Enable Dual DAR Controls — true
2. Data lock timeout type — Select a data lock type. This feature locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can't use the CE until the device user provides the credential again.
3. Data lock timeout value (in minutes) — Enter a lockout duration higher than 5.
4. Restrict access to device encrypted (DE) storage — false.
5. List of apps approved to access DE storage — Enter one or more app package names For example, com.android.messages.
6. Set password minimum length for inner layer — Enter a password minimum length for the inner layer password at DualDAR for fully managed devices.
7. Set a new password for inner layer — Enter a new password for the inner layer at DualDAR for fully managed devices. The password must be stronger than the minimum quality. For example, if the minimum quality is numeric, then you must enter an alphanumeric password.

How to enable DualDAR for work profiles

NOTE – Ensure you have enabled DualDAR in the Knox Mobile Enrollment or Knox Mobile Enrollment Direct configuration in order to successfully deploy and activate the DualDAR feature through Knox Service Plugin.

Through your MDM/UEM of choice, go to the KSP Configuration
Under the initial KPE Screen
1. Enter profile name if applicable (some MDM/UEM don’t require this)
2. Enter the KPE Premium key
Click on Work Profile Policies(which drops down additional configurations) under Enable Work Profiles set to True
Set Enable password policy controls with KSP > Passcode Policy to True
Set Work Profile Configuration > Enable Work Profile Configuration Controls to True.
Click on Dual Data-at-Rest (DAR) Encryption (which drops down additional configurations)
1. Enable Dual DAR Controls set to True
2. Data lock timoeout type set to any option in the drop down
  - Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until user provides the credential again
3. Data lock timeout value (in mimutes) set to any value above 1
  - Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to specified value.
4. List of apps approved to access DE storage
  - List application’s package name (example com.android.messages)

How to verify Dual DAR is enabled on a device

Verification method 1 via KSP application

Go to your Work Profile and click on Knox Service Plugin
Click on Configuration on date & time
Configuration results should show Dual Data-at-rest(DAR) Encryption as successful

Verification Method 2 via Settings and Work Profile

Navigate to Settings (gear icon)
Scroll down to Work Profile Settings
Scroll to the very bottom to About Work Profile
Under version number it will say DualDAR enabled (if successfully configured)