- Welcome
- Basics
- Device apps
- Overview
- SDK Licenses
- Knox SDK
- Overview
- About the SDK
- What's new
- Get started
- Tutorials
- API Reference
- Package / class overview
- Full API Reference
- Deprecated API methods
- Features
- Sample Apps
- Overview
- Get started with the Knox SDK
- Get started with KPE Premium licenses
- Knox and Android Work Profiles
- Knox Attestation
- Kiosk Mode
- Samsung DeX Mode
- Knox Container
- Knox SDK Backwards Compatibility
- Application Management
- Microsoft Exchange Accounts
- VPN Configuration
- Client Certificate Manager (CCM)
- Tools
- FAQs
- FAQ Index
- General
- What is the Samsung Knox SDK?
- Where can I obtain a white paper for Samsung Knox?
- What versions of Android support the Knox SDK?
- How can I check if my device firmware is an engineering or commercial build?
- How can I access the binaries before they are released?
- What is a deprecated API method?
- What are the features by default set to hidden/disabled in ProKiosk mode?
- What are credentials?
- What is Knox TIMA CCM?
- Is Knox supported on other platforms, such as windows?
- Which hardware control features can be managed inside Knox Workspace, using the Knox SDK?
- Why do a few Knox SDK APIs not work on some devices?
- Can Google Play used to deploy Knox apps?
- Can I use managed configurations for Samsung Knox features?
- Can a third-party app use the Knox SDK to get LDAP information?
- How do I enable users to select a 3rd party keyboard?
- How does my device's serial number change with Knox 3.2.1?
- If I don’t use the UCM APIs of the Knox SDK, what are my options for credential storage?
- Installation
- How do I use an SDK packaged as an Eclipse IDE add-on with the Android Studio IDE?
- Is it possible to install an app silently on a device using Knox SDK?
- Why am I still able to download an app even though I have added it to blacklist with the method addAppPackageNameToBlackList(), from the Knox SDK?
- How can an app find out which apps are installed in and outside a container, using the Knox SDK?
- How can an app block the installation of a non-trusted app, using the Knox SDK?
- What does "Security policy prevents installation of this application" mean?
- Can I prevent an end user from installing certificates, with the Knox SDK?
- Does API method installApplication(String packageName) download apps from the play store and install them silently?
- Does the API method setApplicationUninstallationDisabled disable the uninstallation of apps inside the container, when using the Knox SDK?
- Why is the installCertificate API method not successfully installing a certificate on my device?
- Licensing
- How do I use license keys?
- What is the KPE Premium license key and why should I use it?
- What is the backwards compatible key?
- When do I need to use the backwards compatible key?
- Do I need to associate my app with a backwards compatible key?
- How have license key names changed?
- When is the ELM key service terminated?
- What will happen to existing commercial KLM license keys?
- What will happen to existing commercial ELM license keys?
- What should I do if I want to service my app which uses ELM?
- Would the legacy ELM and KLM keys still work with the Knox Platform for Enterprise (KPE) key?
- Which keys can be used in combination with each other?
- What is automatic license seat release?
- What are license permissions?
- What is the difference between Standard and Premium permissions?
- How do I declare permissions?
- Customization
- SDP
- UCM
- Samsung DeX
- Containers
- How does an app detect if a container was created using the Knox SDK?
- How do I install the MDM agent inside the Knox container?
- I have created a "container only mode" container and I am locked inside, using the Knox SDK. How do I exit?
- Why do I get error KnoxContainerManager.ERROR_INTERNAL_ERROR(-1014) while creating a container?
- ELM end of service
- KBAs
- Deprecations
- DA Deprecation
- DA deprecation
- DA deprecation and Samsung
- DA deprecation and VMware
- FAQs
- FAQ Index
- What is DA Deprecation?
- What is being deprecated with device admin?
- What is API level 29, as it relates to DA deprecation?
- What is the impact of DA deprecation to Knox?
- As a Knox partner, what do I need to do?
- What happens to DA apps when upgraded to Android Q?
- When can I safely upgrade to Android Q?
- What if a device already has Android Q?
- Can my DA app coexist with a UEM app running as DO?
- Are there changes to Knox Configure due to DA deprecation?
- Can I use my DA app alongside Knox Configure?
- Does KME still support device enrollment using DA?
- As DA is not in Android Q, can I enroll via KME to Work Profile?
- DA Deprecation
- Knox Tizen SDK
- Overview
- About the SDK
- What's new
- Get started
- Tutorials
- API Reference
- Sample Apps
- FAQs
- FAQ Index
- General
- How is Tizen related to Knox?
- Which devices support the Knox Tizen SDK for Wearables?
- What version of the Tizen SDK should I install before installing the Samsung Knox Tizen SDK for Wearables?
- Should I install any extension SDK before installing the Samsung Knox Tizen SDK for Wearables?
- What are the modes in which you can use the Samsung wearable device?
- What are the supported Wi-Fi security types?
- How do I get the attestation blob?
- What is a nonce and why is it valid for a short time period?
- What is ProKiosk mode?
- Licensing
- Samsung EDU SDK
- Overview
- About the SDK
- What's new
- Get started
- Tutorial
- Features
- API Reference
- Sample App
- FAQs
- FAQ Index
- General
- What is Samsung EDU SDK ?
- Which devices support the Samsung EDU SDK?
- Who does Samsung EDU SDK benefit?
- How does Samsung EDU SDK benefit 3rd party developers?
- What features can I implement with Samsung EDU SDK?
- How many students can EDU SDK support in a single session?
- What agents are supported in EDU SDK?
- What is a Custom agent?
- Can a teacher lock a student's device?
- Licensing
- Usage
- Can the EDU SDK be used with non-Samsung devices?
- Can Samsung EDU SDK be used in both tablets and smartphones?
- Does EDU SDK work with AllShare cast?
- Does the Samsung EDU SDK have any limitations when used remotely?
- How do I capture logs from a device to submit to technical Q&A?
- What is BaseAgent?
- What is the Smart graph feature? How can it be used?
- Samsung India Identity SDK
- Overview
- About the SDK
- What's new
- Get started
- Features
- API Reference
- Sample Apps
- FAQs
- FAQ Index
- General
- Installation
- Licensing
- Usage
- How do I verify if my device supports Samsung India Identity SDK?
- Should I capture the IRIS image of one or both eyes?
- When do I use the UIDAI Staging server and UIDAI Production server?
- What are the URLs that need to be whitelisted for enterprise-managed devices using the Samsung India Identity SDK APIs?
- Who is impacted by the upgrade of the biometric public devices to registered devices?
- Is there any hardware change required to upgrade the public devices to registered devices?
- What are the application (APK) changes required to upgrade the public devices to registered devices?
- Web services
- Overview
- Cloud Authentication
- Knox Deployment Program
- Knox Mobile Enrollment
- Knox Configure
- Knox Attestation
- Knox E-FOTA
- Overview
- About Knox E-FOTA
- What's new
- Get started
- Tutorial
- API Reference
- FAQs
- FAQ Index
- General
- What is Knox Enterprise FOTA (E-FOTA)?
- What are the main features of Knox E-FOTA?
- What industries benefit from Knox E-FOTA?
- Why do enterprise customers need Knox E-FOTA?
- What benefits do MDM developers get from Knox E-FOTA?
- What Samsung devices support Knox E-FOTA?
- Is there a server dedicated to Knox E-FOTA?
- If I sent a request in JSON for Knox E-FOTA, will I receive a JSON return instead of XML?
- Can I use Knox E-FOTA v1 APIs in combination with Knox E-FOTA v2 APIs?
- What is the main difference between FOTA and Knox E-FOTA?
- What types of firmware updates does Knox E-FOTA manage?
- With FOTA, can you skip a firmware version and upgrade to the subsequent version?
- Can I use Knox E-FOTA to set the highest firmware version allowed on multiple devices?
- Does Knox E-FOTA support firmware downgrades?
- Do customers need to have a contract with Samsung to use a site license for Knox E-FOTA?
- How can the FOTA server identify devices that use Knox E-FOTA?
- What are the device requirements for a Knox E-FOTA update?
- Are there any restrictions on what firmware can be downloaded using Knox E-FOTA?
- How can I get release notes for Samsung firmware releases?
- What if a firmware update is performed on a device that has a higher firmware version than the update?
- Is there a way to avoid incurring mobile charges when using Knox E-FOTA?
- What licenses are required to use Knox E-FOTA?
- Can carrier devices use Knox E-FOTA?
- Installation
- Usage
- If I don’t use Knox E-FOTA, what are my options for managing firmware?
- When using Knox E-FOTA, what if a device already has a firmware version higher than the version that we need to update to?
- When using Knox E-FOTA, does a forced firmware update still ask the device user to agree to the update?
- Where can I get release notes for each Samsung firmware version?
- Appendix
- Managed configurations
- Introduction
- Deploy managed configurations
- FAQs
- FAQ Index
- What are managed configurations?
- Why should I use managed configurations?
- How do managed configurations work?
- Can I use managed configurations for Samsung Knox features?
- What is a managed configurations XML schema file?
- Which Samsung apps support managed configurations?
- How do I deploy managed configurations on an MDM console?
- Where can I get the XML schemas for Samsung apps that support managed configurations?
- Is there sample code showing how an MDM web console can deploy an iframe that renders a managed configurations XML schema?
- What email app is preloaded on Samsung devices?
- Knox Service Plugin
- Samsung Email
About containers
This topic describes different Knox Workspace container types and shows different ways to create a container on a device.
About Knox container types
There are several types of Knox containers:
knox-b2b: Choose this container type to create a Knox Workspace container that you experience as a completely separate launcher, home screen, and apps folder. This is known as a Launcher layout, which you can view inside the Knox container under Knox settings > Knox Layout. Pressing the home button returns you to the Knox Workspace home screen, not the device (personal) home screen. To return to personal mode, you must either tap the Personal home icon, or swipe down on the status bar and tap the Knox card in the notification area. This container type can also be presented as a Folder layout using Knox settings > Knox Layout > Folder, which gives a layout similar to knox-b2b-lwc.knox-b2b-com: Choose this container type to create a Knox Workspace container-only mode (COM) container. This COM is a special use case for enterprise-owned devices, where you want to restrict access to the personal mode of the device. For example, a company purchases a Samsung Knox device specifically for business use and does not want users to have access to the personal side. Normally when you install a Knox container on a device, you get two spaces: a secure Knox container space with enterprise apps and a personal mode, which is the original device launcher where your personal apps and data reside. When you install a COM container on a device, the knox-b2b-com container is the only launcher, home screen, and apps folder that the user can access. The COM container looks the same as the knox-b2b container, but the user cannot switch to a personal mode, as access to the personal mode home screen, launcher, and apps is completely disabled, although the user does have access to the Phone and Messages apps.knox-b2b-lwc: The original Knox container was designed for flagship devices with significant processing power and memory. That container provides a separate and secure environment on the device, complete with its own home screen, launcher, apps, and widgets. The launcher consumes resources that may be scarce on lower spec devices, so the lightweight container was created to give enterprises a secure Knox container on those resource-constrained devices. Choose the knox-b2b-lwc container type to create a Knox lightweight container (LWC.) This container presents itself as a folder on your personal home screen. There is no separate launcher or home screen, and apps inside the container appear as part of your personal home screen. This configuration is similar to the Folder layout of knox-b2b, but without the option to switch to a launcher layout. Apps in the container are presented as shortcut icons in the Knox folder in the personal mode, denoted by the yellow and black lock badge in the bottom-right of the app icon. You don’t need to enter a separate Knox Workspace to access apps. The lightweight container is a great choice when you want to provide users with a unified experience, or for devices that have limited resources.
How containers work
Containers use Intents that are filtered within the Knox and help prevent communication between apps inside the Workspace to those outside it and the other way around. In addition, intents to certain trusted components are allowed to pass outside of a Knox Workspace. System components, like Location, Bluetooth, and so on, are examples of trusted components. These components are not containerized; however, the apps within a Workspace have permissions to use them. In all other cases, if a particular intent is not handled inside the Workspace, then it is ignored and no action is taken by any component in the Android framework that is outside the Workspace.
Container data encryption
All data from the apps in the Knox Workspace are protected at-rest by applying encryption on both internal and external data paths of the container apps.
Creating a container
- Create a container type knox-b2b:
try {
mRequestid = KnoxContainerManager.createContainer("knox-b2b");
if(mRequestid < 0) {
switch(mRequestid) {
case KnoxContainerManager.ERROR_INTERNAL_ERROR:
... (More cases)
}
} else {
Log.d(TAG, "Container creation in progress with id:" + mRequestid);
}
} catch (SecurityException e) {
...
}
- This initiates a UI flow, which the user has to complete before they can create the actual Workspace container. The status of container creation is then notified through an intent
INTENT_CONTAINER_CREATION_STATUS. If the return ID ofcreateContainermatches to that ofCONTAINER_CREATION_STATUS_CODEof intentINTENT_CONTAINER_CREATION_STATUS, only then can the intent be trusted. To listen to the Workspace container creation intent:
IntentFilter filter = new IntentFilter(); filter.addAction(KnoxContainerManager.INTENT_CONTAINER_CREATION_STATUS; registerReceiver(mCreationStatusReceiver, filter);
- Always check if the intent received is the one you are interested in, by comparing the request ID, that you received during the
createContainer()API call.
private BroadcastReceiver mCreationStatusReceiver = new BroadcastReceiver() {
public void onReceive(Context context, Intent intent) {
int requestid = -1;
int statusCode = ERROR_INTERNAL_ERROR;
Bundle extras = intent.getExtras();
if (extras != null) {
requestid = extras.getInt(CONTAINER_CREATION_REQUEST_ID);
statusCode = extras.getInt(CONTAINER_CREATION_STATUS_CODE);
}
if (mRequestid != requestId) {
return; //Intent belongs to another MDM or a fake Intent.
}
if (statusCode >= 0) {
showNoteWithToast("container created successfully.");
} else {
displayCreationErrorString(statusCode);
}
try {
unregisterReceiver(mCreationStatusReceiver);
} catch (IllegalArgumentException e) {
e.printStackTrace();
}
}
}
Choosing the UI style
You can customize how the Knox Workspace container appears, as either a folder containing apps or as a desktop with app launcher icons. You can also disallow end users from changing this UI style through the Knox Settings menu.
To select the Knox Workspace appearance, call the API method setContainerLayout(int layoutType), which accepts the options CONTAINER_LAYOUT_TYPE_FOLDER or CONTAINER_LAYOUT_TYPE_CLASSIC. This API method works only when you clone the container type knox-b2b.
To disallow Knox Workspace container switching, call the API method allowLayoutSwitching(boolean allow).
Creating a container with apps
Here is a sample use case:
- Create a Knox Workspace container
- Set up email
- Install three apps for enterprise use
To create the container and set up email:
KnoxContainerManager.createContainer("knox-b2b");
// When you create a container successfully, containerID is returned using intent.
// Use this containerID in below API.
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance();
getKnoxContainerManager(Context, containerID);
EmailAccountPolicy eap = kcm.getEmailAccountPolicy();
ApplicationPolicy appPolicy = kcm.getApplicationPolicy();
To set up an email account and install three apps
eap.addNewAccount(new EmailAccount("testemail@gmail.com", "pop3", "pop.gmail.com", 995,"testemail@gmail.com", null, "smtp", "smtp.gmail.com",465,"testemail@gmail.com", null));
appPolicy.installApplication("/mnt/sdcard/testapp1.apk");
appPolicy.installApplication("/mnt/sdcard/testapp2.apk");
appPolicy.installApplication("/mnt/sdcard/testapp3.apk");
Removing a container
To remove a Knox Workspace container:
boolean status = EnterpriseContainerManager.removeContainer(containerId, new RemoteStatusCallback()); // RemoteStatusCallback extends EnterpriseContainerCallback
