Knox SDK frequently asked questions — VPN provider

Since the release of the Knox SDK, you need to get Knox Partner Program licenses for both the VPN service and when using mobile device control management policies. In case of device management, a VPN client can control which apps use its VPN tunnels.

This is only possible if you install the VPN client outside of the Knox container. If installed outside, then simply call the addAllPackagesToVPN() and addAllContainerPackages() APIs to add all apps from inside and outside your container to the VPN profile. If your VPN client is installed inside the container, the best you can do is call the addAllPackagesToVPN() API which adds all the apps in the container to the profile.

VPN On-Premise Bypass is a solution that allows MDM vendors to deactivate a VPN connection or block applications when an employee device is connected to its corporate WI-FI. This allows the device to access company data directly and minimizes server load and resources. Once the device leaves the WI-FI area, the VPN connection is re-activated and application blocks are removed.

VPN profiles are defined via the GenericVpnPolicy API methods. Additional information about how to use GenericVpnPolicy can be found in the Samsung Knox SDK Developer Guide.

The Knox framework only stores the data passed under the profile_attribute and the Knox section of the JSON file (the file that contains the VPN profile definition). The rest of the details are not stored by the framework.

Once the VPN connection starts successfully, if a lock icon displays in the notification, it represents the Knox profile. If a key icon displays, it represents the default Android VPN profile. But exceptionally Android VPN Management for Knox using Knox VPN profile is represented by a key icon.

The Knox container is not affected by VPN profiles provisioned outside of the container, no matter what type of VPN profile it is. For VPN On-Premise Bypass to apply to container apps, the profile must be provisioned inside the container.

Apps affected by VPN On-Premise Bypass need to be configured on a “per-app” basis. If “device wide*” behavior is desired, this can be achieved by associating all applications the VPN profile. Container applications need to be separately associated to VPN profiles.

You can use Knox to manage VPN connections, but only for user accounts that you control. This typically includes the default user and any Knox Workspaces that you activate. VPN connections for apps installed in user accounts that you don’t control, such as those created for Android for Work managed profiles, must be managed separately.

The VPN Client should make sure that the tunnel interface is closed when the network goes down, or during a switch to/from a Wi-Fi network.

This use case can be handled by either the VPN client, implementing the auto-retry API or throwing a notification to the user which allows the user to retry the connection. Note that this is applicable only for networking related errors like time out or server not reachable.

If the state of the VPN profile is not maintained correctly by your client app, the connection may never start. As mentioned above, the framework queries the state of the VPN profile before starting the VPN connection. If the state is in the idle or failed state, then the connection can be started by the framework. If the state is stuck in the connecting, disconnecting, or connected state, then the framework won’t attempt to start the connection.

The Knox framework queries the state of the VPN profile. If the state of the VPN profile is either idle or failed, then the framework triggers the start connection. This usually happens after the network comes up.

When the framework triggers the startConnection() API, which your client will handle as part of the knoxvpnservice interface, the VPN Client should prepare for the VPN connection by executing the following APIs present in either Android VPN service or generic VPN service: prepare(), protect(), establish().