- *BASICS*
- The Knox Ecosystem
- Samsung Knox Portal
- Knox Licenses
- *FOR IT ADMINS*
- Knox Suite
- Knox Platform for Enterprise
- White paper
- Get started with UEMs
- Introduction
- Blackberry UEM
- Samsung Knox Manage
- Admin Guide
- Knox Service Plugin
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- Knox Manage
- Introduction
- Release Notes
- How-to videos
- Getting Started
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Knox E-FOTA
- Introduction
- White paper
- Knox E-FOTA One Admin Guide
- Knox E-FOTA Migration Guide
- Knox E-FOTA Advanced Admin Guide
- *FOR RESELLERS*
- Knox Deployment Program
- *FOR MANAGED SERVICE PROVIDERS*
- Knox MSP Program
You must meet the following requirements to use the Knox Service Plugin (KSP) with your managed devices.
What you need
- Samsung devices that support Knox and run Android 9.0 (Knox 3.2.1) or higher.
- A Unified Endpoint Management (UEM) solution that supports Android Enterprise deployments and is compatible with KSP.
- A valid Knox Platform for Enterprise (KPE) license for each of the devices managed with KSP. For more information about Knox licenses, see KPE Admin Guide - About licenses.
- You must set up your devices in one of the supported Android Enterprise deployments, as described in Supported deployments.
Supported deployments
The first step to deploy a KSP policy is to create a DO or PO profile on your device. Without choosing one or the other, policies do not work and an error message is thrown.
In an enterprise deployment, Google provides three modes of Android Enterprise, Managed Device (DO), Work Profile (PO), and fully managed a with work profile.
- Work Profile—Helps admins manage the BYOD (Bring Your Own Device) use-case, where a device user owns the device and uses it both personally and for work. The agent sits inside the container area as Profile Owner (PO) to separate work apps from personal apps. IT admins can control the work area only, and have visibility over the personal area.
- Managed Device—Also known as Company Owned, Business Only (COBO); helps admins manage devices that are owned by the enterprise. When a device is enrolled as a Managed Device, IT admins have full control over the device. The agent sits as Device Owner (DO) of the device.
- Fully managed device with a work profile—Also known as Corporate Owned, Managed Profile (COMP) devices are company-owned devices that are completely managed by DO, with a container that is managed by PO. This deployment type targets enterprise-owned devices that require a separation of work and personal data. Employees can use these devices for either work or personal purposes. Enterprises have full control of the device, including the PO-managed personal container.
KSP works with the following Android Enterprise deployment modes:
- Android 8.0—Fully managed device deployments only—Device Owner (DO).
- Android 9.0 or higher—All deployment modes, the Device Owner (DO) and Profile Owner (PO) modes, as well as the fully managed device with a work profile mode.
Supported features
Your deployment must use policy configurations that KSP supports. KSP inherits its policies from the KPE framework. These policies can be either standard (free) or premium feature (paid). Paid features require a KPE Premium license. You can see the supported features and their classification on the feature overview page.
Supported UEMs
You need a UEM that supports Android Enterprise based deployments, device management APIs, and complies with the OEMConfig specification. Check with your UEM to confirm which version of their UEM console you need to use with KSP. Some UEMs offer more than one console. Some consoles may not support KSP.
| UEM | Schema | Feedback Channel | KSP COMP Mode Support |
| BlackBerry | Supported | Supported | Supported |
| Citrix | Supported | To be supported | Not supported |
| IBM MaaS360 | Supported | Supported | Not supported |
| Knox Manage | Supported | Supported | Not supported |
| Microsoft Intune | Supported |
To be supported | Not supported |
| MobileIron | Supported | Supported | Not supported |
| SOTI MobiControl | Supported | Supported | Not supported |
| VMware Workspace ONE UEM | Supported | Supported | Supported |
UEM prerequisites for compatibility with KSP
In addition to previously noted compatibility considerations, UEMs must also:
- Support advanced app restrictions, including multilevel nested schema to show KSP's managed configuration options.
- Support a feedback channel, based on the appropriate Google SDK, for fetching results back from the KSP Agent and showing these results on the IT admin console.
- Customize OEMConfig apps for the UEM console, as compared to normal applications that support managed configurations. This distinction is necessary as some steps and options typically supported for normal apps—such as enforce VPN— may not apply for this OEMConfig app.
- Enable the auto update setting for the OEMConfig apps to reduce policy setup issues. For example, when different managed devices run different versions of KSP, and if the IT admin uses a newer version of KSP to set a policy on the admin console, devices running an older version of KSP cannot apply the policies.
- Restrict users from deleting individual policies or policy groups on the console. This restriction is necessary as it reduces chances of issues in subsequent policy updates if a user wants to add back a deleted policy.
- Include all the elements in the managed configuration data pushed to KSP, even if the IT admin did not modify some policies while editing the configurations. If all elements are included for each push, KSP correctly identifies all changes and interdependencies for deployment.
- Hide restriction types on the UI. Such restricted fields are reserved for the UEM backend and KSP only.
- Support KPE Premium License activation.
