- *BASICS*
- The Knox Ecosystem
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- *FOR IT ADMINS*
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- White paper
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Introduction
- Get started
- Features
- Register resellers
- Add an admin
- Create profiles
- Google device owner support
- MDM compatibility matrices
- Device users
- Activity log
- Enroll and unenroll devices
- Configure devices
- Provide KME feedback
- Use the Knox Deployment App (KDA)
- Recover Google FRP locked devices using KME
- Role-based access control (RBAC)
- Release notes
- FAQs
- Troubleshoot
- KBAs
- Knox Configure
- Mobile
- Wearables
- Shared Device
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQs
- Troubleshoot
- Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- FAQs
- KBAs
- Knox E-FOTA
- Introduction
- White paper
- Knox E-FOTA One
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQs
- Troubleshoot
- KBAs
- Migrate from Knox E-FOTA Advanced to Knox E-FOTA One
- Knox E-FOTA Advanced
- Knox E-FOTA on MDM
- Samsung Care+ for Business
- *FOR RESELLERS*
- Knox Deployment Program
- *FOR MANAGED SERVICE PROVIDERS*
- Knox MSP Program
This section provides an overview of the Knox Service Plugin (KSP) schema structure and general best practices.
The following image shows the high level categories of policies and common configurations. It has four main components:
- Basic elements—General operational controls for KSP. For example, turn on debug mode or input a KPE license key.
- Device-wide policies section—Device Owner (DO) policy controls. These are of global scope.
- Work profile policies section—Profile Owner (PO) policy controls. These apply to only the Work container.
- Configurations—Specific configuration properties that are used in conjunction with policy controls. For example, VPN profile settings, APN settings, or DeX customization settings. These can be used on either device-wide policies or work profile policies.
Schema breakdown
Common configurations
Each version of KSP includes a few common options. The features available within these options depend upon your KSP deployment mode, KPE license status—whether you have a Standard or a Premium license—as well as the features available in your UEM console.
*For information on Knox Suite, go to: Knox Suite.
**KPC is a light version of KPE focusing on customization capabilities.
These common options are as follows:
- Profile name—A unique nickname you provide for a set of policy configurations. You can create many
different profile names for various sets of configurations. Later, you can use the name for tracking and
debugging purposes. We recommend using a name less than 50 characters in length, for example,
MyEnterprise Profile. - KPE Premium License key—This is useful for consoles that do not have Knox Premium License activation
built in as a native feature. When this field is used, KSP can activate the license for you when you push
the configuration. If your UEM console has already activated a Knox Premium License on your device, there is
no need to activate a license using this field. The following image is an example of this field.
- Debug modes—When you turn on debug mode, you can view policy results and errors on the device through an app menu. We recommend enabling this mode only during test phases and not during final deployment. If you run into any KSP deployment issues, check this box to enable debug mode and try to perform the action again. You can also export the message and reach out to Knox Support for help to diagnose and fix your issue.
Group policy control flag
Every group has a control that enables or disables that policy group. By default every policy group is disabled. You must enable this control before setting any policy in the group. For example, before using any policy in the device-wide policy section, turn on the Enable device-wide policies control first. Further more, to use any device restrictions within the device-wide policy section, turn on Enable device restriction controls and then activate individual policies, such as Allow microphone, Allow Wi-Fi and so on.
The following image illustrates a control group.
Profile Configurations
You can save a group of configurations using a Profile Name. Once you save a group of configurations, you can reuse these configurations for as many deployments as you need.
For example, in the following image, we have set the DeX profile name as DeX profile 1. Any
configurations set are saved under the name DeX profile 1. When setting policies later, you can
reference DeX profile 1 to quickly set up devices with your saved configurations.
Recommended practices
- Auto-install—Turn this feature on if your UEM supports it. This feature ensures all devices install KSP automatically when prompted.
- Auto-update—Turn this feature on if your UEM supports it. This feature ensures that the KSP app is up to date on deployed devices. KSP is designed to be backward compatible. For example, a newer version of the app can handle older schema data, but older app versions can't handle new schema data.
- Native console policies—Use your UEM console for any policy that is supported natively and use KSP to bridge any gaps.
- Test in small batches—Always test your KSP schema changes with a limited set of devices, debug the issues (if any) by enabling debug mode, then roll out to wider deployment.
Special cases
List applications
Some fields allow you to specify more than one app to target. For example: when you select apps to allowlist for
a proxy. To list out apps, use a comma-separated list of packages. For example
com.samsung.android.email.provider, com.sec.android.app.sbrowser. To find a package name, look at
the Google Play store URL or contact the app vendor.
Uploading files
Some Knox policies, such as DeX customization, require you to provide bulk data, such as an image file. However, OEMConfig specifications do not currently support file upload.
If you need to upload a file you can use one of the following two methods:
- Web URL—Upload the file to a cloud server and provide the web URL as an input string to KSP. Ensure that the URL is publicly accessible.
- Push the image file to the local storage—Use the UEM console to push the image file to the local storage on the device and provide the file path on the device as the input string to KSP. Contact your UEM vendor to find out if they support this feature.
