Knox Service Plugin

The Knox Service Plugin (KSP) is a solution that enables Enterprise Customers to use Knox Platform for Enterprise features as soon as they are commercially available.

This automatic deployment method ensures that IT admins can use the latest Knox features on the day it is launched, instead of waiting for their UEM to specifically integrate the features.


This document is intended for:

  • System Security Architects — Understand how KSP works, and how you can use it to customize your deployment of Knox Platform for Enterprise (KPE).
  • IT Admins — Configure the options available to KPE deployments using KSP.

Try the solution

Set up KSP with your compatible UEM, and create a profile to deploy Knox Platform for Enterprise features as soon as they're available. Use the latest Knox feature from day one without having to wait for UEM integration.



KSP enables IT admins to use Knox Platform for Enterprise (KPE) features as soon as they're available. KPE brings defense-grade security on the most popular consumer devices across all enterprises. It provides best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features in Android. Knox is the cornerstone of a strong mobile security strategy supporting a wide variety of Samsung devices.

KSP provides the following benefits:

  • Help enterprise customers deploy existing and new Knox features to their devices almost instantly after features are commercially launched.
  • Leverage the UEM’s framework and UI to offer enterprise customers better control over distribution and configuration of KPE features.
  • Make sure all features of KPE are available for use, regardless of which UEM you choose.
  • Minimize a UEM's development cost of supporting KPE features.

How KSP works

KSP is built on top of Android's new standard called OEMConfig. OEMConfig is a feature that allows you to create and remotely push configurations to apps through an XML schema file that is hosted in an app on Google Play. This architecture means that any UEM that complies with the OEMConfig standard can support KSP.

Here is an overview of how KSP works.

  1. App developers implement logic to support managed configurations in their apps. They use an XML schema file to define which app settings IT admins can remotely configure in their Android app. This schema is linked to the app’s manifest file. After each update, app developers push their app to Managed Google Play.
  2. UEM developers implement logic to pull the managed configurations schemas from apps on Managed Google Play. UEM consoles then use these XML schemas to allow IT admins to specify how they want to configure app settings. After the IT admin saves their configuration, the MDM pushes the configuration to Managed Google Play.
  3. Once an app configuration is updated and pushed to Managed Google Play, the app is updated on all applicable devices to reflect the new configuration.

Image depicting how KSP works

The following is an example of a KSP policy in a UEM console.

NOTE—The implementation, appearance, and menu structure of how these policies look varies depending upon your UEM and its console. For UEM console specific help, refer to your UEM vendor's documentation.

Image showing a sample KSP policy

Deployment process

The KSP deployment process is as follows:

  1. Samsung publishes the latest KSP Agent to the Google Play store.
  2. IT Admins use their compatible UEM console—that supports a managed Google Play store—to search for KSP. For a list of UEM partners that support KSP, see Supported UEMs.
  3. The UEM Console renders the applicable Knox features and policies using OEM Config.
  4. IT Admins use the UEM console to set up policies in the form of Managed Configurations. These policies are then saved and published to any managed enterprise devices.
  5. When a user's device is being provisioned, the UEM invokes the managed Google Play Store, which in turn installs KSP and pushes the managed configuration to the device.
  6. After installation is complete, KSP runs in the background on the device. KSP applies the relevant Knox policies and returns the result of the configuration process using Google's Feedback SDK.
  7. IT Admins can view any configuration failures and associated error messages on the UEM Console, provided the UEM is equipped to handle the result that KSP generates and sends back using the feedback SDK.

Image depicting the deployment process for KSP