Knox SDK 3.8 release notes

November 2021

The Knox 3.8 platform introduces these new features:

1. Samsung Knox Developer Forum
2. Peripheral SDK for Knox 3.8
3. API enhancements
4. Deep Settings Customization enhancements
5. Enhanced Attestation V4 improvements
6. Knox SDK for ISV device APIs
7. Optimize SUW for AER for managed devices
8. Separated Apps v2
9. TIMA/CCM keystore deletion
10. VPN platform enhancements — Auto Recreation of profile
11. Android 12 OS changes

As with past releases, new features are offered through either the:

• Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP, or

• Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions

• Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about how you can benefit from the new features.

Additional Advanced Access Control enhancements

For device users who need security features over and above the standard features of Knox enterprise, this release provides additional Advanced Access Control (AAC) enhancements. These enhancements add additional KPE features and use Continuous Multi-Factor Authentication (CMFA) to automatically log users in to their phone and applications without needing their credentials at each log in.

The framework uses the following factors to test the device’s trust score:

• Face recognition factor that authenticates the user with facial recognition using the front facing camera.

• Device integrity factor that calls the keystore attestation API to obtain integrity information from ICCC TA.

• Touch Dynamics factor that uses commonly used keystroke pattern data to verify that the current user is authorized user of the device and the work profile.

This release focuses on adding the previously mentioned touch dynamics factor. This factor analyzes the digital signatures generated when a human interacts with a device, commonly known as keystroke or typing patterns, to verify that the user typing on the device is the authorized primary user of the device. In cases where the user is determined not to be the primary, authorized user, the Work profile on the device is locked and access to sensitive data is immediately revoked.

For more information on AAC, see Additional Advanced Access Control enhancements.

Peripheral SDK for Knox 3.8

This release provides the partners a new SDK to develop applications for peripheral devices such as barcode scanners. Currently, the SDK supports KOAMTAK USB scanner and BT scanner.

To support the BT scanner, following APIs are provided:

Interfaces

Classes

API enhancements

This release includes the several API enhancements and bug fixes, as well as adds support for additional Knox services. These enhancements are as follows:

• Increase in the security of Wi-Fi protocols — IT admins can now set the Wi-Fi security level as WPA3 type using the Knox setMinimumRequiredSecurity() API. setWifiProfile and setWifiApSetting also support the WPA3 type. Knox will support only SECURITY_TYPE_SAE (WPA3 Personal) spec. There are other WPA3 specs but Knox v3.8 supports WPA3 personal only. Once the IT admin selects WPA3 as the Wi-Fi security type, access is denied for any APIs that support another security type and the device can only connect to WPA3 Wi-Fi type. The IT admin can use getMinimumRequiredSecurity() to check if this policy is applied. Once set, this security type persists even upon device reboot.

Deep Settings Customization enhancements

The Deep Settings Customization (DSC) enhancements made with this release close some UI vulnerabilities of device security controls as follows:

• Block gesture options in Kiosk mode — In some use cases, in spite of IT admins blocking the Home key in Kiosk mode, device users could use the Gesture event to exit the Kiosk mode and potentially access sensitive data. With this release, IT admins can enable Kiosk mode as well as disable the Gesture option in Advanced features. The IT admin can now restrict the device user from using the following gestures to exit the Kiosk mode:

  • Short press the Home button.

  • Swipe down from the center of the bottom edge of the screen.

• Support additional sound settings — IT admin can now use KSP to configure the sound options that were previously set using the following APIs:

  • Enable or disable system sound using setSystemSoundsEnabledState() API

  • Make system sounds silent using setSystemSoundsSilent() API

  • Hide settings menu using setSettingsHiddenState() API

• Disable third-party content menu setting — The in-built Samsung keyboard allowed device users to select the Third-party content menu item on the Samsung keyboard to bypass restrictions on using the Internet on their devices. This release allows IT admins to disable the use of this menu from the Settings > Language and input > On-screen keyboard > Default keyboard > Samsung Keyboard settings > Third-party content option.

  If the third-party app is already installed on the device, blocking this option does not disable the current keyboard deep settings. Users can still continue to access the Internet from this option.

• Disable Wi-Fi proxy settings menu — IT admins can now disable the use of the Wi-Fi proxy settings menu to ensure that a blacklisted domain is never accessible once the blacklisting policy is set.

• Restrict sharing of Wi-Fi profiles using QR codes — IT admins can now use KSP to restrict users from sharing Wi-Fi profiles, including login credentials and passwords, with other devices using QR codes.

• Change password settings — IT admins can now use KSP to hide or disable screen lock type menu item. IT admins can also set the screen lock type to None.

• Hide virtual keyboard when an external keyboard is connected — With this release, IT admins can now hide the virtual keyboard that shows up on the device’s screen even when an external keyboard or input device (such as a scanner) is connected to the device.

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities.

Enhanced Attestation V4 improvements

These enhanced attestation (EA) V4 improvements allow the EA server to communicate directly with the device running Knox Works. The changes are as follows:

• CSR attestation — With this release, the new flow of the EA is with server to server communication. The third-party server needs to use a key license and certificate signing request (CSR) to complete the attestation request.

• Support APIs for KM — The following Device APIs for KnoxPush Manager com.samsung.android.knox.kpm.KnoxPushService are now supported:

  • boolean isSupported()

  • int isRegistered(KnoxPushServiceCallback cb);

  • int registerDevice(boolean forceRefresh, KnoxPushServiceCallback cb);

  • int unRegisterDevice(KnoxPushServiceCallback cb);

Knox SDK for ISV device APIs

Knox 3.7.1 introduced support for Independent Software Vendors (ISVs) in response to Google’s DA deprecation as well as to make a foray into the Frontline market at the same time. The Knox SDK focuses on managed devices and horizontal solutions, and did not traditionally suit ISVs interested in a few vertical dedicated APIs. KPE now supports these ISVs by providing Frontline targeted features. Knox SDK for ISV phase 1 APIs included KPE features that cover only a few requirements from the Frontline market. Knox SDK for ISV phase 2 APIs, introduced with this Knox 3.8 release includes new APIs geared towards adding support for ISVs rather than for the traditional MDM vendors. This release includes the following additional feature for on device configuration and device management functionality:

• Customize hardware actions — This new feature focuses on ISV apps running on unmanaged devices. The new feature installs a third-party (ISV) app on unmanaged devices. The API further remaps the XCover keys to perform a different operation from the one specified by the default settings. The remapping can take the form of mapping the keys to open the third-party app instead. The third-party app can then set an action to start a device broadcast whenever the XCover key is pressed.

  The third-party app cannot restrict users from manually changing XCover key settings back to their preferred action.

Optimize SUW for AER for managed devices

Currently, the setup wizard (SUW) for Android Enterprise Recommended (AER) devices includes options that allow device users to consent to collection of marketing and other data. The collection of these items is not recommended or appropriate for managed devices. To close this gap, the SUW should be changed to disallow data collection. To implement this change, the SUW now includes options that allow the user to consent to data collection, but in case of managed devices, data collection is automatically disabled for the device.

For more information on this feature, see Optimized Setup Wizard for AER (Android Enterprise Recommended).

Separated Apps v2

This release adds additional functionality to the features available with Separated Apps V1. Separated Apps V2 features include items that were either not released with V1 or identified as needing enhancements after V1 was released. V2 includes the following features:

• Improve the Separated Apps user experience — The Separated Apps user experience sees the improvements allowing device users to:

  • Change folder names and color for Separated Apps

  • Select multiple Separated Apps for uninstallation

  • Long-press the Separated Apps app icon to bring up a quick option menu, similar to other apps

• Allow use of biometric methods for Separated Apps — For devices where biometric authentication methods are set up in User0 or for other apps, Separated Apps can now use these registered biometric methods as well.

  Currently, biometric settings for Separated Apps are also controlled by the common Device Settings menu.

• Set remote control and screen capture behavior — IT admins can now control the remote control and screen capture features not only for User0 but also for Separated Apps. Depending upon whether the screen capture and remote control features are activated from within User0 or Separated Apps, the resulting image or media is stored in User0 or Separated Apps storage space.

TIMA/CCM keystore deletion

TIMA/CCM keystores are planned for deprecation with this release. The following default Samsung keystores will replace Knox keystores for B2B use cases:

• TIMA keystore
• CCM keystore
• CEPConstants (deprecated at v3.8)

For detailed information on the deprecation, see Deprecation of TIMA/CCM Keystore support.

VPN platform enhancements — Auto Recreation of profile

This release includes VPN enhancements to improve the security of managed devices. For managed devices, the VPN framework tries to recreate the VPN profile configuration and reconnect the VPN connection automatically for any VPN clients installed on managed devices. This automatic reconnection happens in the following two cases:

• A device user clears data intentionally or accidentally

• There is an issue with the VPN client during the create connection process, and the database saving process is not complete, such as during device reboot or VPN client restart

This automatic reconnection feature ensures there is no data leakage for apps that are configured to connect using the VPN profile. In cases where the reconnection effort fails, the VPN framework notifies the EMM client, allowing it to apply security policies such as locking the Work container or the entire device, as well as apply firewall rules and recreate VPN policies.

To read more about this feature, see VPN Platform Enhancement.

Android 12 OS changes

Knox 3.8 is based on the Android 12 OS. The following changes are included in this release:

• Password policy modifications — This release improves the password complexity feature to reduce the risk of users forgetting their passwords and needing to factory reset their devices to reset the password. This feature sets device-wide password requirements in the form of predefined complexity buckets, such as High, Medium, Low, and None. If necessary, IT admins can then set stricter password requirements on the work profile’s security challenge.

• Sensor permission restrictions — The ApplicationPolicy.applyRuntimePermissions API is now removed from use. As a result, IT admins can no longer silently grant the permissions to use the following sensors:

  • Location (ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION)

  • Camera (CAMERA)

  • Microphone (RECORD_AUDIO)

  • Body sensor (BODY_SENSORS)

  • Physical activity (ACTIVITY_RECOGNITION)

• Network logging delegation — IT admins were previously able to set and retrieve work profile network logging. With this release, IT admins can now delegate network logging on the work profile to another work application.

  IT admins cannot use network logging to monitor traffic in the personal profile.

• Managed device control enhancements — The following new features are available for company-owned devices:

  • An IT administrator can disable USB, except for charging functions, on company-owned devices. This feature includes the capability to check if this feature is supported on the device and if it is currently enabled.

  • Company-owned devices with a work profile can limit the input methods used in the personal profile to allow only system input methods.

For more information

To learn more about the Knox SDK, check out these resources:

• Samsung Knox SDK landing page
• Samsung Knox SDK FAQs
• Samsung Knox SDK Sample Apps
• Samsung Knox SDK API reference
• Samsung Knox SDK Developer Guides
• Samsung Knox Developer Forum

Back to release notes