Knox SDK 3.4 release notes

Last updated March 6th, 2024

August 2019

Samsung Knox SDK version 3.4 extends our leadership in advanced security, innovative usability, and comprehensive device management for our partners, developers, and enterprise customers. Read on for more info about these new features in the 3.4 release.


Knox 3.4 includes enhancements to Dual Data-at-Rest (DualDAR) encryption, which was released in Knox 3.3. With this release, DualDAR provides improvements to availability, performance, and security.

  • Zero Day support: IT admins are now empowered to use DualDAR features the moment they’re released. Through the Knox Service Plugin (KSP) and Knox Mobile Enrollment (KME), IT admins can now create DualDAR workspace containers and configure policies before UEM providers include customized DualDAR support through their web consoles. For more, see the Release Notes for KSP and KME.

  • Device Encrypted Storage: To improve app stability, work apps can now write to Device Encrypted (DE) storage by default. DE storage is available both during Direct Boot mode and after the user has unlocked the device. The default value for the configurable parameter DE restriction in the DualDARPolicy class is now set to false. To restrict writes to DE storage, you must create a package allow list and set the value for DE restriction to true.

For additional information on new DualDAR features included in the Knox 3.4 release, go to the UEM integration guide. For information on how to implement a custom solution to leverage control over your security, visit the new ISV integration guide.


Samsung is extending its device attestation solution to improve the way we check for devices that are rooted or running unofficial firmware.

With this Knox 3.4 release, we are launching Attestation v3, which provides these features:

  • Better correlation of results — Through the use of the Samsung Attestation Key (SAK), which is unique to each device.

  • Better device status diagnostics — Through enhancements to our server-side validation check logic.

For details, see Attestation (v3), the Tutorial, the new EnhancedAttestationPolicy class, and v3 REST API.

Deep Settings Customization

Samsung already provides extensive Knox SDK APIs to configure a wide range of features on our mobile devices. To enable rapid, zero-day adoption of the new features, you can also use the Knox Service Plugin.

You can customize device settings such as:

  • location tracking
  • Wi-Fi and NFC control
  • status bar notifications
  • biometrics and security

For more information about:

  • how enterprise IT admins can configure new device features using the Knox Service Plugin, see the Admin Guide.

  • how developers can add the Knox Service Plugin to their web consoles, see Managed Configurations.

DeX Management

The Knox 3.4 release includes new DeX customization features made available through the Knox Service Plugin. You can:

  • Hide certain app icons.
  • Customize the DeX Panel.
  • Turn the Suggested Apps on or off.
  • Turn the Mouse Cursor Flow on or off.
  • Turn the Keyboard toolbar and Predictive text on or off.
  • Skip the DeX welcome screen.
  • Hide the Samsung DeX launcher icon from the quick panel.

See how enterprises can customize DeX by browsing the KSP Admin Guide, and how developers can deploy the Knox Service Plugin by browsing the guide. For info about DeX features that can be managed through the Knox SDK, see Samsung DeX and Knox and the DeXManager class.

Custom names for Personal and Workspace tabs

Knox 3.2.1 originally introduced a tab-based UI for Personal and Workspace apps.

With Knox 3.4, IT admins can now customize the names of the Personal and Workspace tabs.

Developers can support this feature using the Knox SDK API setCustomResource(). This displays custom text in the tabbed view in place of the default Personal and Workspace labels. To learn more, see Custom tab names.

APN Mobile Virtual Network Operator

Starting with Android 9.0 (Pie), you must configure the APN Mobile Virtual Network Operator (MVNO) for some carriers and SIM cards.

With Knox 3.4, you can use ApnSettings to configure the MVNO type and value for a device. For devices with Android 9.0 but Knox 3.3 or lower, you can use reflection to set these values. For details, see Access Point Name.

Deprecated features


The Knox VPN SDK was designed for VPN service providers, to create apps that can handle requests to set up VPN tunnels through their proprietary infrastructure. The Knox VPN SDK has already been merged into the Knox SDK v3.3, through the package With this Knox SDK v3.4, the Knox VPN SDK is obsolete and all VPN SDK functionality must be accessed through the Knox SDK. This change provides these key benefits:

  • simplifies the development workflow for developers

  • further strengthens the capabilities of the Knox SDK

  • simplifies the licensing flow required to use the VPN APIs. Going forward, all VPN APIs are activated with the same license key as the Knox SDK – the Knox Platform for Enterprise key

If you are using the Knox VPN SDK, you need to update your apps or services to reflect this change. You do not have to update any API packages, classes, or methods, as these remain the same. You do need to import the Knox SDK library and change the old namespace (com.sec.vpn.knox) to the new namespace (

For general information about updating an app to use the Knox SDK v3.x, see the migration tutorial. For details related to VPN apps, see VPN namespace changes.

Knox Workspace containers

Starting with Knox 3.0 in Android O, we began harmonizing the Knox Platform for Enterprise (KPE) with Android Enterprise (AE), to simplify your deployment of solutions across all Android devices. With harmonization, you can apply advanced and differentiated KPE features to AE Work Managed Devices and Work Profiles.

To this end, we are now deprecating the Corporate Liable (CL) mode of the Knox Workspace container on the Note 10 and later devices. The Corporate Liable mode will, however, continue to work on S10 and earlier devices, even if they are upgraded to Knox 3.4.

Instead of the Knox Workspace container, deploy these AE use models:

  • Work Managed Device (as a DO) and Work Profile (as a PO). This replaces the Corporate Liable mode being deprecated with the Note 10 onwards.

  • Work Managed Device (as a DO). This replaces the Container Only Mode (COM) that was deprecated with the S10 onwards.

To apply Knox features to any of these AE use models, activate a KPE license. For details, see the tutorial Apply Knox features to Work Profile.

For more information

To learn more about the Knox SDK, check out these resources:
