Knox White Paper
Certificate Enrollment Protocols (CEP)
The Certificate Enrollment Protocols (CEP) provision and support digital certificates for apps on Samsung devices. This feature is of great assistance to MDMs and third-party vendors because CEP completes certificate enrollment without device user intervention, further solidifying the claim that Samsung Knox devices provide both world-class security and industry-leading manageability.
Enterprises can use CEP to:
- Enroll, renew, or delete certificates
- Check your deployment's certificate enrollment or renewal status
The CEP service is robust and supports the following enrollment protocols and standards:
- Simple Certificate Enrollment Protocol (SCEP)
- Certificate Management Protocol (CMP)
- Certificate Management over Cryptographic Message Syntax, Enrollment Over Secure Transport (CMC-EST)
SCEP, CMP, and CMC are frequently used certificate enrollment protocols for provisioning digital certificates. For more information on these protocols, see the Internet Engineering Task Force (IETF).
CEP asymmetric key acquisition
Apps use CEP to acquire the public part of an asymmetric key. Asymmetric keys have a public part and a private part. The private part never leaves the Keystore, but the public part is freely distributed. To decrypt an encrypted message, the key owner uses the Keystore to apply the private part of the asymmetric key to it.
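The public/private split described above, shown with the stock Android Keystore API (API level 23 or later) as an added example; it is not code from the Knox white paper and does not call any Knox CEP interface. The class name and key alias are hypothetical, and RSA-OAEP is an assumed algorithm choice.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public final class KeystoreKeyDemo {
    private static final String ALIAS = "example-enrollment-key"; // hypothetical alias
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Pin MGF1 to SHA-1 on both sides so the sender and the Keystore agree.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

    /** Generates the pair inside the Keystore; returns only the public part (X.509 DER). */
    public static byte[] createKeyAndExportPublicPart() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .build());
        KeyPair pair = kpg.generateKeyPair();
        // The private key is an opaque handle; the Keystore exposes no key bytes.
        if (pair.getPrivate().getEncoded() != null) {
            throw new IllegalStateException("private key material is exportable");
        }
        return pair.getPublic().getEncoded();
    }

    /** Sender side: needs nothing but the distributed public part. */
    public static byte[] encryptTo(byte[] publicKeyDer, byte[] plaintext) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(publicKeyDer));
        Cipher cipher = Cipher.getInstance(RSA_OAEP);
        cipher.init(Cipher.ENCRYPT_MODE, pub, OAEP);
        return cipher.doFinal(plaintext);
    }

    /** Owner side: the Keystore applies the private part; the app only holds a handle. */
    public static byte[] decrypt(byte[] ciphertext) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher cipher = Cipher.getInstance(RSA_OAEP);
        cipher.init(Cipher.DECRYPT_MODE, (PrivateKey) ks.getKey(ALIAS, null), OAEP);
        return cipher.doFinal(ciphertext);
    }
}
```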
CEP operational environment
CEP functions within the scope of either the Work container or personal space, depending on where it is installed. If the deployment objective is to provision and manage certificates for apps inside the Work container only, then you must refer to your chosen MDM's documentation for instructions.
If the objective is to provision and manage certificates for apps in the personal space, then you can install the CEP services in the personal space to provision and manage certificates.
MDM agents can call the CEP services in either the personal space or Work container. MDM agents don't have access to a service created outside their scope.