Menu

What happens to existing Knox 2.x Workspace?

Knox Workspace Corporate Liable (CL/B2B) and Container Only Mode (COM) modes will continue to work in Knox 3.0 so enterprises can create new CL/B2B and COM containers in Knox 3.0. Additionally, existing Knox Workspace CL/B2B and COM containers will continue to function after upgrading from Knox 2.X to Knox 3.0. However, Knox CL/B2B and COM modes will eventually be deprecated in the future.

The following are key changes to existing Workspace CL/B2B and COM modes.

Note – Knox Workspace BYOD mode automatically converts to a managed profile upon upgrade to 3.0.

Workspace icons and app badges

The following screenshots show the original Knox 2.X icon on the home screen and the apps with the original badges inside the Samsung Knox container.

../../../../../../Downloads/Screenshot_20180104-182052.

The following screenshots show the Knox 3.0 workspace icon on the home screen with the new icon and the app icons with the new badge inside the unified workspace.

Screenshot_Workspace_20180112-164454.jpg

Note: The container name changes from Knox to Workspace after updating to Knox 3.0.

User ID

All new Knox Workspace user IDs start from user 10 in Knox 3.0. Existing Workspace users will continue to increment from user 100. Please review and remove any hardcoded values for user ID. User IDs are not static and should not be hardcoded.

Enforcing password

The Knox framework will not enforce a password requirement by default for new Workspaces created under Knox 3.0.

Certain items depend on password being created. For example Android Key Store (AKS) cannot be initialized unless a password is created. Thus EMM agents cannot provision certificates unless user has setup a password. Similarly cert enrollment using SCEP or other mechanism also requires password to be setup.

EMMs must wait until a password is created before proceeding with items that require password. IT admin MUST specify password policy prior to container creation. Following Knox mechanisms to allow specifying password policy:

  1. KnoxConfigurationType
  2. PasswordPolicy

Note: Users are prompted to set password after the Workspace launches Workspace.

After user has changed the device or profile password onPasswordChanged() method is called as a result of receiving ACTION_PASSWORD_CHANGED. EMMs can implement this method to know when password has been set. Following sample code to get the userId of the user that changed the password.

Public void onPasswordChanged(Context context, Intent intent, UserHandle
user){
int containerId =
intent.getExtras().getInt("android.intent.extra.USER_ID”);
}

After receiving notification of password change and determining the user that changed the password EMMs can proceed to configure/provision items that require password. For example after this notification EMMs can start provisioning certificates.

Please see following flows for Knox 2.X vs Knox 3.0.

Knox 2.X

Knox 3.0

In Knox 3.0 password is not enforced during creation. IT admins can set a password policy for the user to set the password after Workspace is launched for the first time.

Note: Starting with Knox 3.0, EMM’s DeviceAdminReceiverfor CL and COM containers, located in user 0, get all the callbacks that a DPC that is running inside the managed profile would get. For example: onPasswordChanged or onEnabled.

Biometric authentication

Management of biometric authentication (Fingerprint and IRIS) is performed separately from the management of new or existing Workspaces. Device users can register biometrics separately for a Workspace and can manage (add/remove/update) Workspace-specific biometric data through the Workspace settings.

Note: Device users who have previously registered biometric data on a device are asked to register biometrics for the Workspace after they migrate to Knox 3.0. However, the device user can postpone the biometric registration.

Work App Shortcuts

In Android O, the shortcut implementation has significantly changed from Android N. Shortcuts in Android O have added new concepts such as: badge count, quick option menu, notification popup, and more. As a result of these changes, Knox work app shortcuts will no longer be present upon upgrading from N to O. End users will need to add the work app shortcuts again.

Quick Access

The Quick Access feature is no longer supported under Knox 3.0. Workspace no longer remains unlocked when a Samsung Gear device is in Bluetooth range. Workspace settings no longer show an option to turn on Quick Access.

Note: Users can take advantage of Smart Lock as an alternative to Quick Access.

Share it: