Knox SDK 3.10 release notes

October 2023

The Knox 3.10 platform introduces these new features:

Improvements to Separated Apps

Separated apps allow you to separate third-party apps from corporate apps on fully-managed devices by putting them in a separate area. Knox 3.10 expands the capabilities of Separated Apps as follows:

• Usability enhancements — Starting with Android 14, the Separated Apps display in full-screen mode which enables more apps to be viewed on the screen compared to the previous folder view. The apps in the separated area have a badge to distinguish them from those outside the container. Any apps not included in the allowlist are uninstalled from the separated apps area.

• Apply policies using Managed Configurations — You can configure the policies using a Managed Configuration agent in addition to KSP. However, if the policies are declared using both Managed Configuration and KSP, KSP policies get overridden by the Managed Configuration agent policies.

Enterprise Certificate Management using ACME protocol

ACME protocol helps validate the devices to issue the enterprise certificates. The IT admin initiates a hardware-bound-key based certificate provisioning process by sending an ACME command to the target device through their EMM. Then, Knox framework handles the ACME certificate provisioning process. It acts as an ACME client by interacting with the enterprise ACME server. The ACME server is connected to enterprise Certificate Authority (CA) server. In the ACME process, Samsung Knox device attestation certificate is used for device validation.

Samsung Knox supports enterprise certificate provisioning using ACME protocol as follows:

1. Enterprise IT sends an ACME certificate provisioning command by providing an ACME profile with key properties, certificate information, client identifier, and ACME server information.
2. EMM agent initiates an ACME process by calling Knox ACME API with the profile.
3. Knox framework sets up an ACME server connection.
4. ACME server requests validation from the device using its attestation certificate.
5. Knox framework generates a hardware bound key pair for ACME certificate request.
6. Knox framework retrieves a Samsung Knox device attestation certificate.
7. The device attestation certificate and a CSR are sent to the ACME server.
8. ACME server validates the device challenge response by verifying the device attestation certificate.
9. ACME server issues an enterprise certificate.
10. Knox framework installs the enterprise certificate to device.

Device settings

Disable online processing for Advanced Intelligence operation

Advanced Intelligence is the latest Samsung AI solution supported by many native apps on Samsung Galaxy devices. It’s prominent features are language interpretation, translation, voice dictation, and contents summary. However, the data is processed online. So, to avoid sending any data from a corporate device to a third-party server for data security, you can disable this feature using the allowIntelligenceOnlineProcessing API.

Ability to set the Standard mode for device settings

Tablets and foldable devices support the standard and multi-view modes for apps. The Settings app opens in the multi-view mode by default. In this multi-view mode, it shows under a single activity name on the device. If a user updates any individual settings within the app, the IT admins are unable to view and track associated individual activity names.

With Knox 3.10 release, IT admins can set the Settings app to launch in the Standard mode on tablets and foldable devices, allowing them to track all activities and control users’ access to individual settings. Refer to the setForceSingleView, and getForceSingleView APIs for details.

Audit log enhancements

Knox 3.10, helps you find useful log information easily. This release provides more legible audit log data by centralizing all audit log messages into a single file. For more details, please refer to AuditEvents.

UCM Keystore and Keyguard enhancements

Samsung’s Universal Credential Management (UCM) provides a future-proof plug-and-play framework to ease the management of credentials across a variety of different possible storage media. In particular, it provides higher mobile security by supporting the storage and management of major certificates and credentials in eSE.

In Knox 3.10, keyguard and keystore functions with the addition of following APIs:

• getKeyguardPinMaximumLength, setKeyguardPinMinimumLength

• getKeyguardPinMinimumLength, setKeyguardPinMinimumLength

• initKeyguardPin

• getKeyguardPinMaximumRetryCount

• changeKeyguardPin

UCM keystore now supports AES, ECDSA (NIST and Brainpool curves), and HMAC cipher and signature algorithms.

Extended device support for DualDAR in DO mode

All DualDAR-compatible devices running Android 14 (Knox 3.10) and higher can now use DualDAR in the Device Owner (DO) mode. For more information on DualDAR integration with your UEM, refer to DualDAR UEM integration.

API deprecation

As part of Samsung’s ongoing upkeep and maintenance of services, we deprecate Knox APIs from time to time. We recommend that you replace newly deprecated APIs before they are removed permanently

The APIs deprecated in Knox 3.10 will work normally for Android 14. You can view the complete list of Deprecated API methods in Knox developer documentation.

Technical support for the deprecated APIs is available for up to one year after the deprecation. The APIs continue to be available in the second year after deprecation, but satisfactory operation is not guaranteed. Please see API deprecation journey for details.

For more information

To learn more about the Knox SDK, check out these resources:

• Samsung Knox SDK landing page
• Samsung Knox SDK FAQs
• Samsung Knox SDK Sample Apps
• Samsung Knox SDK API reference
• Samsung Knox SDK Developer Guides
• Samsung Knox Developer Forum

Back to release notes