Knox SDK 3.0 release notes

Last updated March 6th, 2024

January 2018

This Samsung Knox SDK v3.0 release provides significant improvements to the developer experience as well as powerful new features, which are described below.

Samsung Knox SDK

The new Samsung Knox SDK combines, refactors, and enhances these Samsung Knox SDKs:

Knox Standard
Knox Premium
Knox Customization
Knox ISV

There is now only Samsung Knox SDK package to download, one JAR library to import, one API reference to search for API methods, and one Developer Guide describing how to use the SDK features. This new SDK also consolidates the following:

Version — As the merged SDKs had different SDK version numbers, the new Knox SDK uses a single 3.0 version number and Knox API level 24. The Knox API level is similar to the Android API level. Each Knox SDK version has been mapped to this Knox API level. To find the API level supported by a device, call the API method EnterpriseDeviceManager.getApiLevel. In the device Settings > Device > Software Info, the Knox version now shows this Knox API level.
Namespace — All Samsung Knox SDK packages, intents, and permissions now use this namespace: com.samsung.android.knox. Previously, there were multiple namespaces, including one in the Google domain (android.app.enterprise). Unifying the namespace simplifies coding, troubleshooting, and support, and removes the possibility of future overlaps with Google.
Structure — API methods have been re-organized for better discoverability and renamed for consistency. The API methods that were in the generic class called MiscPolicy have been moved into more appropriate classes. Some classes have been renamed. For example, Attestation is now called AttestationPolicy for more consistency with other class names.
Deprecation — In the new consolidated Knox SDK, we have removed API methods that were already deprecated in the legacy Knox Standard, Premium, Customization, and ISV SDKs. We’ve also removed API methods that were duplicated across legacy SDKs or not being used as indicated by our analytics. This was to streamline the new Knox SDK and ease usability moving forward. The Knox 3.0 platform installed on devices still supports these deprecated API methods. However, we discourage using these API methods as we will likely remove support for them in the near future. For a list of the deprecated API methods, see the Samsung Knox SDK Migration Guide.

For more about updating namespaces and replacing deprecated API methods for this new consolidated Knox SDK, see the Samsung Knox SDK Migration Guide and Knox SDK Sample Apps.

Knox Platform for Enterprise (KPE) license key

Knox 3.0 uses a Beta version of a new consolidated Knox Platform for Enterprise (KPE) license key, which is designed to replace the following licenses.

ELM — Enterprise License Management. This license gives developers access to the enterprise-grade Knox Standard SDK.
ISV — Independent Software Vendor. This license gives developers access to basic security features in the Knox ISV SDK.
KLM — Knox License Management. This license gives developers access to paid features in the Knox Premium and Knox Customization SDKs.

There 2 types of Samsung License:

Development — Gives you access to all features in the Knox SDK, but only on a limited number of devices and for a limited time period. This is meant for testing purposes only. You can get this Development license through the SEAP portal.
Commercial — When you are ready to release an app on many devices for a longer time period, you use a Commercial license. If your app uses:
- only free features (in other words, those that were in the Knox Standard and ISV SDKs) — You can generate a Commercial Knox Platform for Enterprise (KPE) license key from the SEAP Portal.
- paid features (that were in Knox Premium and Knox Customization SDKs) — An authorized Knox Reseller or EMM Vendor buys Commercial licenses from the Global Samsung Business Network (GSBN). They do so on behalf of each enterprise customer so that license activations can be tracked and billed separately.

Knox 3.0 also introduces Android-style permission declaration. You can optionally declare at a granular level the permissions that your app needs to call API methods in the Knox SDK. This is to tighten security, by limiting what an app can do. To use this new permissions model, update your Android manifest file (AndroidManifest.xml) to include these tags:

<meta-data — to enable Knox selective permissions`
- For example — <meta-data android:name="com.samsung.knoxlicensing.permissions" android:value="true"/
- not required for KPE. Optional for ELM & KLM.
<uses-permission — to declare each permission used by the app`
- for example — <uses-permission android:name="com.samsung.android.knox.premission.KNOX_HW_CONTROL"/

Here is a sample manifest file:

To find out which permission is needed by an API method, see the Knox SDK API reference. For example, the com.samsung.android.knox.permission.KNOX_CONTAINER permission can be found in createContainer.

New Knox Workspace container architecture

We’ve updated the Knox Platform for Enterprise solution with a new Workspace container architecture to enhance user experience.

Knox APIs can now control Android Work profiles.
Android Work Profiles can easily be upgraded to Knox Workspace without wiping your device.

As part of this change, customers can leverage Knox features and APIs on Android’s Work Profile and Work Managed Device modes. The:

Profile Owner can activate a Knox License and leverage Knox features on Android Work Profile
Device Owner can activate a Knox License and leverage Knox features on Android Work Managed Device

For an example of how to apply a Knox license to a work profile, see this Tutorial.

Network Platform Analytics

This feature enables the real-time monitoring of a network flow behaviours without granting access to all network data. Using NPA has much better privacy claims than using VPN or proxy technology alternatives to analyse traffic. In addition, NPA can provide more granular data than VPN or web proxy solutions. Management apps, such as MDM clients, can call NPA APIs to register a network analyser to collect metadata about network data flows. Once registered, the analyser then receives flow details that allow the app to analyse network patterns without exposing the analyser to sensitive network data such as plaintext passwords, business documents, or employee communications.

Knox 3.0 introduces these new features:

Full IPv6 support
DNS lookups are now associated with the app that requested them
Parent process hash is now included in the netflow data

For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.

Device Customization

The Knox SDK lets Systems Integrators develop an Android app that restricts what users can do on a device. You can configure new features as they release on new Samsung devices and Android versions. This is designed for System Integrators who need an extra level of configurability on the Samsung Android platform.

With Version 3.0 of the Knox SDK, you can configure features in the Android 8.0 Oreo release:

Hard key remapping (setHardKeyIntentState, getHardKeyIntentState) — Controls whether or not the pressing of a particular hard key (power, volume up, volume down, home, back, menu) broadcasts an intent, which can be handled by the registered broadcast receivers. This feature was previously supported only in ProKiosk mode, through the API package com.samsung.android.knox.custom.ProKioskManager, but is now also available outside of ProKiosk mode, through com.samsung.android.knox.custom.SystemManager.
Home screen mode (setHomeScreenMode, getHomeScreenMode) — Selects whether a device supports:
- Home screen only — The home screen is the only place where you can launch apps, and can’t be deleted unless there are no app shortcuts on it.
- Home screen with separate app launcher screens — The home screen page can be deleted because the app launcher screens also display all app shortcuts that are on the home screen.

Deprecated API Methods

The following API methods have been deprecated in this release:

API Class	Deprecated API Method	Reason
SettingsManager	set/getBluetoothVisibilityTimeout setUnknownSourcesState setWifiNetworkNotificationState	Outdated feature
SystemManager	copyAdbLog set/getBootAnimation set/getCheckCoverPopupState set/getShutdownAnimation set/getWifiConnectedMessageState	Outdated feature

The following API methods will be deprecated from the Knox SDK within a year. Please prepare to stop using these as well.

API Class	To be deprecated	Reason
AdvancedRestrictionPolicy	enableODETrustedBootVerification isODETrustedBootVerificationEnabled	Overlap with Android APIs
RestrictionPolicy	enableWearablePolicy isWearablePolicyEnabled	Low usage
SettingsManager	set/getBackupRestoreState set/getChargingLEDState set/getLTESettingState set/getWifiFrequencyBand	Low usage
SystemManager	getToastGravityXOffset getToastGravityYOffset sendDtmfTone set/getInfraredState set/getToastGravity set/getToastGravityEnabledState set/getToastShowPackageNameState set/getVolumeButtonRotationState	Low usage

Also note the following:

Consolidated (One) SDK — API methods were deprecated due to redundancy across SDKs or low usage. For a full list of these API methods, see the Samsung Knox SDK Migration Guide.
Unification — API methods were deprecated due to overlap with Android Enterprise.

For more information

To learn more about the Knox SDK, check out these resources:

Back to release notes