Back to top

Always-on VPN using Knox SDK doesn’t start on device

Last updated June 7th, 2024


  • Knox SDK
  • Always-on VPN built with Knox SDK
  • Android Enterprise
  • Devices running Android 7.0 and higher


You might notice that an always-on VPN created with Knox SDK doesn’t automatically start if the DISALLOW_CONFIG_VPN constant is set to true on the device.


The DISALLOW_CONFIG_VPN constant restricts a device user from configuring a VPN. Additionally, this constant restricts VPNs built with Knox SDK from starting.

For devices running Android 7.0 and higher, an always-on VPN created by the device or profile owner can start on device boot even if DISALLOW_CONFIG_VPN is set to true. To prevent a policy conflict, the Knox SDK team prohibits always-on VPNs created with Knox SDK if this constant is set to true.


To resolve the issue, the IT admin must set the DISALLOW_CONFIG_VPN constant to false on your EMM. This procedure for this setting can vary and is dependent on your EMM.

Is this page helpful?