You must meet the following requirements to use the Knox Service Plugin (KSP) with your managed devices.
What you need
- Samsung devices that support Knox and run Android 9.0 (Knox 3.2.1) or higher.
- A Unified Endpoint Management (UEM) solution that supports Android Enterprise deployments and is compatible with KSP.
- A valid Knox Platform for Enterprise (KPE) license for each of the devices managed with KSP. For more information about Knox licenses, see KPE Admin Guide - About licenses.
- You must set up your devices in one of the supported Android Enterprise deployments, as described in Supported deployments.
The first step to deploy a KSP policy is to create a Device Owner (DO) or Profile Owner (PO) profile on your device. Without choosing one or the other, policies do not work and an error message is thrown.
In an enterprise deployment, Google provides three modes of Android Enterprise: Managed Device (DO), Work Profile (PO), and fully managed device with a work profile.
- Work Profile—Helps admins manage the BYOD (Bring Your Own Device) use-case, where a device user owns the device and uses it both personally and for work. The agent sits inside the container area as Profile Owner (PO) to separate work apps from personal apps. IT admins can control the work area only, and have visibility over the personal area.
- Managed Device—Also known as Company Owned, Business Only (COBO); helps admins manage devices that are owned by the enterprise. When a device is enrolled as a Managed Device, IT admins have full control over the device. The agent sits as Device Owner (DO) of the device.
- Fully managed device with a work profile—Also known as Corporate Owned, Managed Profile (COMP). These are company-owned devices that are completely managed by DO, with a container that is managed by PO. This deployment type targets enterprise-owned devices that require a separation of work and personal data. Employees can use these devices for either work or personal purposes. Enterprises have full control of the device, including the PO-managed personal container.
KSP works with the following Android Enterprise deployment modes:
- Android 8.0—Fully managed device deployments only—Device Owner (DO).
- Android 9.0 or higher—All deployment modes: Device Owner (DO), Profile Owner (PO), and fully managed device with a work profile.
Your deployment must use policy configurations that KSP supports. KSP inherits its policies from the KPE framework. These policies can be either standard (free) or premium feature (paid). Paid features require a KPE Premium license. You can see the supported features and their classification on the feature overview page.
You need a UEM that supports Android Enterprise based deployments, device management APIs, and complies with the OEMConfig specification. Check with your UEM to confirm which version of their UEM console you need to use with KSP. Some UEMs offer more than one console. Some consoles may not support KSP.
| UEM | Schema | Feedback Channel | KSP COMP Mode Support |
|---|---|---|---|
| BlackBerry | Coming soon | To be supported | Not supported |
| Citrix | Supported | To be supported | Not supported |
| IBM MaaS360 | Supported | To be supported | Not supported |
| Knox Manage | Coming soon | To be supported | Not supported |
|  |  | To be supported | Not supported |
| MobileIron | Supported | To be supported | Not supported |
| SOTI MobiControl | Supported | To be supported | Not supported |
| VMware Workspace ONE UEM | Supported | To be supported | Supported |
In addition to previously noted compatibility considerations, UEMs must also:
- Support advanced app restrictions, including multilevel nested schema to show KSP's managed configuration options.
- Support a feedback channel, based on the appropriate Google SDK, for fetching results back from the KSP Agent and showing these results on the IT admin console.
- Customize OEMConfig apps for the UEM console, as compared to normal applications that support managed configurations. This distinction is necessary as some steps and options typically supported for normal apps, such as enforce VPN, may not apply for this OEMConfig app.
- Enable the auto update setting for the OEMConfig apps to reduce policy setup issues. For example, when different managed devices run different versions of KSP, and if the IT admin uses a newer version of KSP to set a policy on the admin console, devices running an older version of KSP cannot apply the policies.
- Restrict users from deleting individual policies or policy groups on the console. This restriction is necessary as it reduces chances of issues in subsequent policy updates if a user wants to add back a deleted policy.
- Include all the elements in the managed configuration data pushed to KSP, even if the IT admin did not modify some policies while editing the configurations. If all elements are included for each push, KSP correctly identifies all changes and interdependencies for deployment.
- Hide restriction types on the UI. Such restricted fields are reserved for the UEM backend and KSP only.
- Support KPE Premium License activation.
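
The full-push requirement in the list above (every element included, across a multilevel nested schema) can be checked on the console side before a configuration is sent. The following is an added example, not Samsung's or any UEM vendor's code: the schema, its key names and the `nested` field are constructed for illustration, and only the restriction type names follow Android's managed configuration conventions.

```python
# Added example. The schema and key names are constructed and are NOT KSP's real
# schema; "nested" is a simplified stand-in for a restriction's child entries.
SCHEMA = [
    {"key": "profileName", "restrictionType": "string"},
    {"key": "schemaVersion", "restrictionType": "hidden"},
    {"key": "devicePolicies", "restrictionType": "bundle", "nested": [
        {"key": "enabled", "restrictionType": "bool"},
        {"key": "vpnProfiles", "restrictionType": "bundle_array", "nested": [
            {"key": "vpn", "restrictionType": "bundle", "nested": [
                {"key": "name", "restrictionType": "string"},
                {"key": "alwaysOn", "restrictionType": "bool"},
            ]},
        ]},
    ]},
]

def missing_paths(schema, payload, prefix=""):
    """Return dotted paths of schema elements absent from a pushed payload."""
    missing = []
    for item in schema:
        key, rtype = item["key"], item["restrictionType"]
        path = prefix + key
        # A non-dict value where a bundle is expected counts as all keys missing.
        if not isinstance(payload, dict) or key not in payload:
            missing.append(path)
            continue
        value = payload[key]
        if rtype == "bundle":
            missing += missing_paths(item["nested"], value, path + ".")
        elif rtype == "bundle_array":
            # Every array element is a bundle shaped like the single nested entry.
            fields = item["nested"][0]["nested"]
            if not isinstance(value, list):
                missing.append(path)
                continue
            for i, element in enumerate(value):
                missing += missing_paths(fields, element, f"{path}[{i}].")
    return missing

# Constructed payloads: a full push, and a delta push holding only edited fields.
FULL_PUSH = {"profileName": "corp", "schemaVersion": "1", "devicePolicies": {
    "enabled": True, "vpnProfiles": [{"name": "hq", "alwaysOn": True}]}}
DELTA_PUSH = {"profileName": "corp",
              "devicePolicies": {"vpnProfiles": [{"name": "hq"}]}}

if __name__ == "__main__":
    print(missing_paths(SCHEMA, FULL_PUSH))
    print(missing_paths(SCHEMA, DELTA_PUSH))
```

A non-empty result means the push carries only part of the configuration, including any hidden, backend-only fields that were left out.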