Before you begin
This section provides setup instructions for developers who are new to the Knox E-FOTA service. Read through it and complete the steps before you begin developing.
Terms
- Corp ID—This identifies MDM customers for Knox E-FOTA and their enterprise devices. A Corp ID has the format "mdmId/customerId/groupId", and is provided by Software license management (SLM).
- MDM ID—This identifies your company among other partners in our Knox Partner Program. The mdmId is a 10-character alphanumeric string, for example, "d1e2f3g4h5", which represents your vendor ID in the Knox Partner Program.
- Customer ID—This identifies one of your enterprise customers registered to use the Knox E-FOTA service and is provided by Software license management (SLM). The customerId is a hyphen-separated 32-character hexadecimal string. For example, "EEEE4444-FF55-AA66-BB77-CCCCCC888888".
- License—This identifies the Knox E-FOTA license purchase order and tracks customer usage of the Knox E-FOTA service for billing purposes. During development, you use a Knox E-FOTA trial license (valid for 3 months, maximum 100 devices). During commercial deployment this license is purchased. Format is: "EFOTA1-fff555-ggg666-hh77".
- Client ID—Used to generate an OAuth 2.0 access token to authenticate your identity in REST API calls. A hyphen-separated 32-character hexadecimal string, for example, "aaaa1111-bb22-cc33-dd44-eeeeee555555". Go to view your license keys to obtain your license key number, and use the license key number as your client ID.
- Client secret—Used to generate an OAuth 2.0 access token to authenticate your identity in REST API calls. A hyphen-separated 32-character hexadecimal string, for example, "bbbb2222-cc33-dd44-ee55-ffffff666666". Go to view your license keys to obtain your client secret.
- Sales code—The consumer software customization code for the device carrier. Previously called carrierCode in Knox E-FOTA version 1. Format example: "ABC".
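The formats in the Terms list can be checked before any value is stored or placed in a REST call. The following is an added example, not code from the Knox E-FOTA documentation: it parses a Corp ID, cross-checks it against separately supplied mdmId and customerId values, and masks a client secret for logging. Assumptions: the 8-4-4-4-12 hex grouping is inferred from the page's sample values, groupId is treated as an opaque non-empty string because the page does not define its format, and the function names and the "group01" value are constructed for illustration.

```python
import re
from dataclasses import dataclass

# mdmId: 10-character alphanumeric string (from the Terms list).
MDM_ID_RE = re.compile(r"[A-Za-z0-9]{10}")
# customerId, client ID, client secret: 32 hex digits, hyphen-separated.
# Assumption: the 8-4-4-4-12 grouping is taken from the page's sample values.
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


@dataclass(frozen=True)
class CorpId:
    mdm_id: str
    customer_id: str
    group_id: str


def is_hex32(value: str) -> bool:
    """True if value looks like a client ID, client secret or customerId."""
    return HEX32_RE.fullmatch(value) is not None


def parse_corp_id(raw: str) -> CorpId:
    """Split "mdmId/customerId/groupId" and validate each documented part."""
    parts = raw.strip().split("/")
    if len(parts) != 3:
        raise ValueError("Corp ID must have exactly three '/'-separated parts")
    mdm_id, customer_id, group_id = parts
    if not MDM_ID_RE.fullmatch(mdm_id):
        raise ValueError("mdmId is not a 10-character alphanumeric string")
    if not is_hex32(customer_id):
        raise ValueError("customerId is not a hyphen-separated 32-character hex string")
    if not group_id:  # groupId format is not documented on the page
        raise ValueError("groupId is empty")
    return CorpId(mdm_id, customer_id, group_id)


def check_slm_values(corp_id: str, mdm_id: str, customer_id: str) -> list:
    """Return a list of problems; an empty list means the values agree."""
    try:
        parsed = parse_corp_id(corp_id)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed.mdm_id != mdm_id.strip():
        problems.append("mdmId does not match the Corp ID")
    # Hex strings are compared case-insensitively.
    if parsed.customer_id.lower() != customer_id.strip().lower():
        problems.append("customerId does not match the Corp ID")
    return problems


def redact(secret: str, keep: int = 4) -> str:
    """Mask a client secret for log output, keeping only the last few characters."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    # Constructed sample built from the page's example values plus a made-up groupId.
    corp = "d1e2f3g4h5/EEEE4444-FF55-AA66-BB77-CCCCCC888888/group01"
    print(parse_corp_id(corp))
    print(check_slm_values(corp, "d1e2f3g4h5", "eeee4444-ff55-aa66-bb77-cccccc888888"))
    print(redact("bbbb2222-cc33-dd44-ee55-ffffff666666"))
```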
Requirements
- Knox Partner Program account—After creating a Samsung Account, you will have a Knox Partner Program developer account. Next, you must apply to upgrade to a Knox Partner Program partner account.
- Knox E-FOTA REST API Key—Before using Knox E-FOTA APIs, you must first request credentials for Knox E-FOTA to obtain the REST API key, which expires after 1 year during trial. Note that you will need to be a partner before being able to do this. After your request is confirmed, you will obtain a client_id and client_secret.
- Corp ID and Knox E-FOTA license—After requesting credentials, you must then contact us to request a Corp ID and Knox E-FOTA license. During commercial deployment, this license is purchased, but while trying Knox E-FOTA you will receive a development trial license through an email sent by Software license management (SLM), which expires after 3 months. The email will have the following information: license, CorpId, mdmId, and customerId.
- Obtain enterprise device information—When registering enterprise devices to Knox E-FOTA, you first need to obtain the salesCode and serialNumber.
Create a Samsung Account
If you haven't already created a Samsung Account on the Knox Partner Program portal, follow the steps below:
- Go to the Knox Partner Program portal and click BECOME A PARTNER.
- Enter your work email address.
- In the login page, click Sign up here.
- Click the links available and read them carefully. Check the boxes and click Agree to acknowledge you have read and agree to the following terms.
- Provide the necessary information for the required fields and click NEXT to register for the Samsung Account.
- In your email inbox, open the confirmation email for the Samsung Account and click the verification link.
You have now successfully created a developer account on Knox Partner Program. Proceed to sending a request to become a Knox Partner Program partner.
Request to upgrade to Knox Partner Program partner
To become a Knox Partner Program partner, follow the steps below:
- Log into the Knox Partner Program portal with your developer account.
- Submit a Knox Partner Program upgrade form to upgrade from developer to partner status.
Once you've created a partner account, you're ready to request a Knox E-FOTA key.
Request credentials for Knox E-FOTA
A REST API key is required to generate an OAuth 2.0 access token to authenticate your identity in REST API calls. Once you're a Knox Partner Program partner, you can obtain a development test REST API key after requesting credentials through Knox Partner Program. During commercial deployment, you can obtain a commercial REST API key after purchasing a Knox E-FOTA license.
Send a request for credentials
- Log into your Knox Partner Program partner account.
- Go to your dashboard and click License Keys > My License Keys.
- Click Add License Key > Get a License Key.
- Click the Knox E-FOTA REST API Key tab.
NOTE— If you don't see this tab, your approval to upgrade may still be pending.
- Fill out the request form:
  - Key request title—For example "Knox E-FOTA REST API key request".
  - Customer name—Enter the company's name.
  - Customer location—Enter the company's country.
  - Customer website—Enter the enterprise website.
  - Key alias—If your company has multiple licenses, it's helpful to enter a key alias to differentiate between multiple keys. This assigns a name label to the REST API key to help you identify a specific key when your enterprise possesses multiple keys.
  - Customer industry (optional)—Enter the enterprise industry category.
  - Comments (optional)—Enter any additional comments here.
- Click Request Key.
View your Knox E-FOTA REST API keys
Once you are approved to use the Knox E-FOTA service, you will receive an email. Click RETRIEVE Knox E-FOTA KEY to view your licenses.
Alternatively, follow the steps below:
- Log into your Knox Partner Program partner account.
- Go to your dashboard and click License Keys > My license keys.
- Click on your license key alias to view the license details and get:
  - license key number—A hyphen-separated 32-character hexadecimal string, for example, bbbb2222-cc33-dd44-ee55-ffffff666666.
  - client secret—A hyphen-separated 32-character hexadecimal string, for example, bbbb2222-cc33-dd44-ee55-ffffff666666.
You will use your license key number as your client_id with your client_secret to generate OAuth 2.0 access tokens, which are used to authenticate your identity in REST API calls.
Request a Corp ID and Trial Knox E-FOTA license
Prior to your Knox E-FOTA solution going live, enterprises must first purchase a license. While you are still developing your Knox E-FOTA solution, however, you use a development license to simulate enterprise customers with paid licenses.
To request a Corp ID and trial Knox E-FOTA license, you will need to submit a ticket through Salesforce by following the steps below:
- Log into your Knox Partner Program partner account.
- Go to your dashboard.
- Click Support > Technical Support.
- In the topic drop-down menu, select Knox E-FOTA inquiry.
- Fill out the mandatory fields. In the Message field, ensure that you include a request for the following information in the description:
  - Corp ID—This identifies MDM customers for Knox E-FOTA and their enterprise devices. A corp ID follows the following format: "mdmId/customerId/GroupId", and is provided by Software license management (SLM).
  - Development test key for Knox E-FOTA—This identifies the Knox E-FOTA license purchase order and tracks customer usage of the Knox E-FOTA service for billing purposes. During development, you use a Knox E-FOTA trial license (valid for 3 months, maximum 100 devices).
- Click Finish.
After your request has been reviewed and approved by SLM, you will receive an email with your Corp ID, customer ID, MDM ID and Knox E-FOTA development key.
After obtaining the required information, you'll be ready to begin developing your web server code in the tutorials section of this guide.
Purchase a Knox E-FOTA license
When you're ready, there are two ways to purchase a license:
- You can purchase a 1-year license.
- Contact your local reseller to purchase your Knox E-FOTA license.
You encode this info into REST API calls to the Knox E-FOTA server, and also in the Android API call used to set the allowed firmware version on a device.