The Knox Service Plugin (KSP) is a solution that enables Enterprise Customers to use Knox Platform for Enterprise features as soon as they are commercially available.
This automatic deployment method ensures that IT admins can use the latest Knox features on the day they are launched, instead of waiting for their UEM to specifically integrate the features.
Audience
This document is intended for:
- System Security Architects — Understand how KSP works, and how you can use it to customize your deployment of
- IT Admins — Configure the options available to KPE deployments using KSP.
Try the solution
Set up KSP with your compatible UEM, and create a profile to deploy Knox Platform for Enterprise features as soon as they're available. Use the latest Knox feature from day one without having to wait for UEM integration.
Benefits
KSP enables IT admins to use Knox Platform for Enterprise (KPE) features as soon as they're available. KPE brings defense-grade security on the most popular consumer devices across all enterprises. It provides best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features in Android. Knox is the cornerstone of a strong mobile security strategy supporting a wide variety of Samsung devices.
KSP provides the following benefits:
- Help enterprise customers deploy existing and new Knox features to their devices almost instantly after features are commercially launched.
- Leverage the UEM’s framework and UI to offer enterprise customers better control over distribution and configuration of KPE features.
- Make sure all features of KPE are available for use, regardless of which UEM you choose.
- Minimize a UEM's development cost of supporting KPE features.
How KSP works
KSP is built on top of Android's new standard called OEMConfig. OEMConfig is a feature that allows you to create and remotely push configurations to apps through an XML schema file that is hosted in an app on Google Play. This architecture means that any UEM that complies with the OEMConfig standard can support KSP.
Here is an overview of how KSP works.
- App developers implement logic to support managed configurations in their apps. They use an XML schema file to define which app settings IT admins can remotely configure in their Android app. This schema is linked to the app’s manifest file. After each update, app developers push their app to Managed Google Play.
- UEM developers implement logic to pull the managed configurations schemas from apps on Managed Google Play. UEM consoles then use these XML schemas to allow IT admins to specify how they want to configure app settings. After the IT admin saves their configuration, the MDM pushes the configuration to Managed Google Play.
- Once an app configuration is updated and pushed to Managed Google Play, the app is updated on all applicable devices to reflect the new configuration.
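The schema-driven flow above, as an added example (not Samsung's or any UEM's code): a sketch of the UEM-side check that parses a managed-configuration schema and rejects admin input that uses undefined keys or wrong types before it is published. The schema and its keys are constructed for illustration and are not KSP's actual keys; only the string, bool, integer and bundle restriction types are handled.

```python
import xml.etree.ElementTree as ET

# Attributes in Android's managed-configuration schema live in this namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed schema; the keys are hypothetical and not taken from KSP.
SCHEMA_XML = """<restrictions xmlns:android="http://schemas.android.com/apk/res/android">
  <restriction android:key="profile_name" android:restrictionType="string"/>
  <restriction android:key="allow_camera" android:restrictionType="bool" android:defaultValue="true"/>
  <restriction android:key="password_policy" android:restrictionType="bundle">
    <restriction android:key="min_length" android:restrictionType="integer"/>
  </restriction>
</restrictions>"""

PY_TYPES = {"string": str, "bool": bool, "integer": int}

def load_schema(xml_text):
    """Return {key: type name}, with a nested dict for each bundle."""
    def walk(node):
        out = {}
        for r in node.findall("restriction"):
            rtype = r.get(ANDROID + "restrictionType")
            out[r.get(ANDROID + "key")] = walk(r) if rtype == "bundle" else rtype
        return out
    return walk(ET.fromstring(xml_text))

def validate(config, schema, path=""):
    """List every key the schema does not define and every type mismatch."""
    errors = []
    for key, value in config.items():
        where = path + key
        expected = schema.get(key)
        if expected is None:
            errors.append(f"{where}: not in schema")
        elif isinstance(expected, dict):
            if isinstance(value, dict):
                errors += validate(value, expected, where + ".")
            else:
                errors.append(f"{where}: expected bundle")
        elif expected not in PY_TYPES:
            errors.append(f"{where}: unsupported type {expected}")
        elif type(value) is not PY_TYPES[expected]:  # strict: True is not an integer
            errors.append(f"{where}: expected {expected}")
    return errors

if __name__ == "__main__":
    bad = {"allow_camera": "false", "password_policy": {"min_length": True}, "debug": True}
    print(validate(bad, load_schema(SCHEMA_XML)))
```
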
The following is an example of a KSP policy in a UEM console.
Deployment process
The KSP deployment process is as follows:
- Samsung publishes the latest KSP Agent to the Google Play store.
- IT Admins use a compatible UEM console, one that supports a managed Google Play store, to search for KSP. For a list of UEM partners that support KSP, see Supported UEMs.
- The UEM Console renders the applicable Knox features and policies using OEMConfig.
- IT Admins use the UEM console to set up policies in the form of Managed Configurations. These policies are then saved and published to any managed enterprise devices.
- When a user's device is being provisioned, the UEM invokes the managed Google Play Store, which in turn installs KSP and pushes the managed configuration to the device.
- After installation is complete, KSP runs in the background on the device. KSP applies the relevant Knox policies and returns the result of the configuration process using Google's Feedback SDK.
- IT Admins can view any configuration failures and associated error messages on the UEM Console, provided the UEM is equipped to handle the result that KSP generates and sends back using the Feedback SDK.