- Basics
- About Knox
- Knox licenses
- Knox white paper
- Sign up for Samsung Knox
- Latest release notes
- General Knox FAQ
- General Knox KBAs
- Submit a support ticket
- User Acceptance Testing
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Create a new profile
- Assign profiles to groups and organizations
- Enroll devices
- Shared Android device quickstart
- Non-shared Android device enrollment quickstart
- Android Management API device enrollment quickstart
- Apple User Enrollment quickstart
- View device information
- Apply profiles to organizations
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Delete devices
- Complete device management
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Open API reference
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
Configuring and applying VPN policies with KSP is a two step process:
NOTE—To use VPN features on Samsung One UI Core devices, you are
required to add the KSP package name
com.samsung.android.knox.kpu to the certificate allow list
using the
allow applications to read private keys without alerting user
feature in the
Certificate Management Policies section.
NOTE—VPN policies require a KPE Premium license.
- Set up the VPN configuration profile—Choose the VPN settings and policies to suit your organization. These settings are saved as a profile you can reuse in later configurations, such as setting up a DO or PO profile.
- Create the VPN policy—The VPN Policy uses settings from the VPN configuration profile created in the previous step. This VPN policy allows you to specify other rules, such as which apps should use this VPN.
The following example shows you how to configure a per app VPN on a Device Owner (DO) device.
Configure VPN profile
-
Under VPN profiles, VPN Profile, enter a profile name. For
example,
VPN_Knox. - Under VPN profiles, Vendor, choose the type of VPN you want to use. For this example, we select Knox built-in, which uses the Android VPN Management for Knox VPN.
-
Under Host, list your server host IP, for example,
52.3.256.0. - Leave all other values as default.
- In your UEM, save the profile.
Configure VPN Vendor parameters
Now that you have created a VPN profile, you can set up the parameters such as the identifier and pre-shared key. Following the previous example, continue to configure out Android VPN Management for Knox VPN.
-
Under Parameters for Knox built-in VPN,
Authentication type select
ipsec_ike2_rsa. -
Under User certificate alias, enter your certificate name. For
example:
md_user.pfx. -
Under CA certificate alias, enter your certificate name. For
example:
vpn_cal.pfx. - Leave all other values as default.
- In your UEM, save the profile.
If you are using a different VPN, such as Pulse Secure or Cisco AnyConnect, these values may differ. The mandatory parameters you need to set depend on your network configuration. Contact your Network Administrator to find out which fields to use and with what values.
Enable VPN policy
Now that you have created and configured a profile, configure a policy and push it to a target device.
- In your supported UEM, under the Device-wide policies (Device Owner) category, turn on Enable device policy controls.
- Under VPN policy, turn on Enable VPN controls.
- Under VPN type, choose Selected Apps (Per-App).
-
Under Manage list of apps that use VPN, add the package names of
the apps you want to route through the VPN. For example,
com.samsung.email.provider. If you do not enter any app packages, the VPN applies to all apps by default. -
Enter the Name of VPN profile to use, for this example we use our
Android VPN Management for Knox profile
VPN_Knox. - Leave all the other VPN values as set by default.
- In your UEM, save the profile and push it to a device.
NOTE—Currently, KSP does not support per-app the VPN mode for Net
Motion VPN.
NOTE—Within the VPN policy, optionally
enable USB tethering over VPN so an allow listed USB device
can access and share resources with a peer device. Admins can ensure there
is security-based certification available so only a designated
organization, or user, can use VPN tethering with allowed devices.
However, VPN tethering will only work when the following conditions are
met:
- An IT admin must allow this feature from their UEM console for a target device to receive the tethering feature.
- A user must enable VPN tethering on their device.
- The laptop or tablet being connected must have been previously allow listed by the IT admin.
- The maximum number of VPN connections does not exceed 2.
USB tethering over VPN is only supported on Knox 3.5 and above devices.
NOTE—A wrong VPN configuration can disconnect your device or work
profile from the network, and in some cases render it unrecoverable. To
avoid this issue, Samsung recommends keeping the following applications
out of the VPN configuration:
- UEM Agent package—Check with your UEM for details.
- KSP package—
com.samsung.android.knox.kpu - Google services—
com.android.vending, com.google.android.gms
Use the Manage list of apps that can bypass VPN setting to list theses packages.
