- Basics
- About Knox
- Knox licenses
- Knox white paper
- Sign up for Samsung Knox
- Latest release notes
- General Knox FAQ
- General Knox KBAs
- Submit a support ticket
- User Acceptance Testing
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Knox Mobile Enrollment
- Knox Configure
- Introduction
- Get started
- How to guides
- Manage licenses
- Release notes
- Provide feedback
- Troubleshoot
- Wearables
- FAQ
- KBAs
- Knox Capture
- Welcome
- Overview
- How-to guides
- Manage licenses
- Scanning profiles
- Apps and activities
- Scan engine settings
- Keystroke output and data formatting
- Export configuration and deploy through EMM
- Set the camera scan trigger
- Connect a hardware scanner
- Configure the output path
- Check a configuration in test mode
- Use intent output
- Knox Capture AR
- Get started
- How-to videos
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Capture Scandit Edition
- Introduction
- How it works
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Create a new profile
- Assign profiles to groups and organizations
- Enroll devices
- Shared Android device quickstart
- Non-shared Android device enrollment quickstart
- Android Management API device enrollment quickstart
- Apple User Enrollment quickstart
- View device information
- Apply profiles to organizations
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Complete device management
- Delete devices
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- Start and stop blinking reminder
- Lock and unlock devices
- Send relock timestamp
- Update or disable offline lock policy
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Knox Guard REST API
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
Schema structure
This section provides an overview of the Knox Service Plugin (KSP) schema structure and general best practices.
The following image shows the high level categories of policies and common configurations. It has four main components:
- Basic elements—General operational controls for KSP. For example, turn on debug mode or input a KPE license key.
- Device-wide policies section—Device Owner (DO) policy controls. These are of global scope.
- Work profile policies section—Profile Owner (PO) policy controls. These apply to only the Work container.
- Configurations—Specific configuration properties that are used in conjunction with policy controls. For example, VPN profile settings, APN settings, or DeX customization settings. These can be used on either device-wide policies or work profile policies.

Schema breakdown
Common configurations
Each version of KSP includes a few common options. The features available within these options depend upon your KSP deployment mode, KPE license status—whether you have a Standard or a Premium license—as well as the features available in your UEM console.
*For information on Knox Suite, go to: Knox Suite.
**KPC is a light version of KPE focusing on customization capabilities.
These common options are as follows:
- Profile name—A unique nickname you provide for a set of policy configurations. You can create many
different profile names for various sets of configurations. Later, you can use the name for tracking and
debugging purposes. We recommend using a name less than 50 characters in length, for example,
MyEnterprise Profile
. - KPE Premium License key—This is useful for consoles that do not have Knox Premium License activation
built in as a native feature. When this field is used, KSP can activate the license for you when you push
the configuration. If your UEM console has already activated a Knox Premium License on your device, there is
no need to activate a license using this field. The following image is an example of this field.
- Debug modes—When you turn on debug mode, you can view policy results and errors on the device through an app menu. We recommend enabling this mode only during test phases and not during final deployment. If you run into any KSP deployment issues, check this box to enable debug mode and try to perform the action again. You can also export the message and reach out to Knox Support for help to diagnose and fix your issue.
Group policy control flag
Every group has a control that enables or disables that policy group. By default every policy group is disabled. You must enable this control before setting any policy in the group. For example, before using any policy in the device-wide policy section, turn on the Enable device-wide policies control first. Further more, to use any device restrictions within the device-wide policy section, turn on Enable device restriction controls and then activate individual policies, such as Allow microphone, Allow Wi-Fi and so on.
The following image illustrates a control group.

Profile Configurations
You can save a group of configurations using a Profile Name. Once you save a group of configurations, you can reuse these configurations for as many deployments as you need.
For example, in the following image, we have set the DeX profile name as DeX profile 1
. Any
configurations set are saved under the name DeX profile 1
. When setting policies later, you can
reference DeX profile 1
to quickly set up devices with your saved configurations.

Recommended practices
- Auto-install—Turn this feature on if your UEM supports it. This feature ensures all devices install KSP automatically when prompted.
- Auto-update—Turn this feature on if your UEM supports it. This feature ensures that the KSP app is up to date on deployed devices. KSP is designed to be backward compatible. For example, a newer version of the app can handle older schema data, but older app versions can't handle new schema data.
- Native console policies—Use your UEM console for any policy that is supported natively and use KSP to bridge any gaps.
- Test in small batches—Always test your KSP schema changes with a limited set of devices, debug the issues (if any) by enabling debug mode, then roll out to wider deployment.
Special cases
List applications
Some fields allow you to specify more than one app to target. For example: when you select apps to allowlist for
a proxy. To list out apps, use a comma-separated list of packages. For example
com.samsung.android.email.provider, com.sec.android.app.sbrowser
. To find a package name, look at
the Google Play store URL or contact the app vendor.
Uploading files
Some Knox policies, such as DeX customization, require you to provide bulk data, such as an image file. However, OEMConfig specifications do not currently support file upload.
If you need to upload a file you can use one of the following two methods:
- Web URL—Upload the file to a cloud server and provide the web URL as an input string to KSP. Ensure that the URL is publicly accessible.
- Push the image file to the local storage—Use the UEM console to push the image file to the local storage on the device and provide the file path on the device as the input string to KSP. Contact your UEM vendor to find out if they support this feature.