About Knox VPNs
Although device users have the option of configuring VPNs through the Android Settings menu, in larger enterprise settings, IT admins use their EMM consoles to configure VPNs for many devices at once. Admins can also create a VPN profile and apply it to groups of users.
In configuring VPNs, admins require a good understanding of the configuration choices available on a given device. The configuration choices are based on factors such as the following:
- Are the apps that need VPN connections inside or outside a container?
- Which apps are required to use VPN connections as determined by the IT admin?
- Which apps can connect to the network directly, bypassing the VPN, as determined by the IT admin?
- Is the device corporate owned or a BYOD?
- Which advanced Knox VPN features should be used?
Since Knox 3.2.1, VPN is optimized for deployment to large numbers of apps.
Advanced Knox VPN features
Here are the advanced VPN features provided by the Knox platform:
- Per-app VPN: The admin can set a policy to make sure that the traffic from a single app, or a set of apps, is routed through VPN.
- User-wide VPN: The admin can set a policy to make sure that the traffic from the entire user is routed through VPN. Starting with Knox 3.2.1, on devices where a User-wide VPN is active, IT admins can add specific apps to a blocklist. Adding apps to the blocklist exempts the specific app from using the VPN tunnel to connect to the network and exchange data. For more information, see Blocked apps.
- Device-wide VPN: The admin can set a policy to make sure that the traffic from the entire device is routed through VPN. To set this policy, the admin must be the owner of all non-main users (Knox users), and the VPN client must be installed in either user 0 or the main user.
- On-demand connections: The admin can set a policy to start and stop the VPN connection only when the apps added to the VPN profile are launched or closed. The policy is applicable only to per-app use cases.
- Chaining VPN servers: The admin can set a policy to doubly encrypt the data traffic from apps added to the VPN profile. The admin needs two different VPN clients that support the Knox VPN framework, and both clients must be installed in the same user space. The policy is applicable to per-app, per-user, or device-wide use cases.
Note: Chaining is currently not supported by Android VPN management for Knox.
The traffic flow is: apps generate traffic, which is handled by VPN client 1, then by VPN client 2, then sent out over the device's physical network interface (Wi-Fi or mobile), then unwrapped by VPN server 2, then by VPN server 1, before heading to the traffic destination.
- Embedded UID/PIDs: The admin can set a policy to embed the end-point details, such as UID and PID, in IPv4 data packets. Cisco AnyConnect is the only VPN client which currently supports this feature. The policy is applicable to per-app, per-user, or device-wide use cases.
- Static HTTP proxy: This policy is applicable to per-app, per-user, or device-wide use cases.
  - No authentication proxy: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server configured by the admin during profile creation requires no authentication.
  - Basic authentication proxy by admin: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server configured by the admin during profile creation requires basic authentication, and the authentication details are provided by the admin during profile configuration.
  - Basic authentication proxy by end-user: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server configured by the admin during profile creation requires basic authentication, and the device user enters the login credentials when the system shows a pop-up.
- PAC HTTP proxy support: This policy is applicable to per-app, per-user, or device-wide use cases.
  - No Auth: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server is selected based on the original destination of the traffic, as determined by the script at the PAC URL. The selected proxy server requires no authentication.
  - Basic/NTLM authentication provided by admin: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server is selected based on the original destination of the traffic, as determined by the script at the PAC URL. The framework supports proxy servers that authenticate through basic or NTLM authentication, and the authentication details are provided by the admin during profile configuration.
  - Basic/NTLM authentication provided by end-user: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server is selected based on the original destination of the traffic, as determined by the script at the PAC URL. The framework supports proxy servers that authenticate through basic or NTLM authentication, and the device user enters the login credentials when the system shows a pop-up.
- Traffic blocking: When the VPN is down, the Knox VPN framework blocks both DNS and data traffic originating from the apps added to the VPN profile, rather than letting it fall back to the physical interface. When the VPN is up and the VPN interface supports only IPv4, IPv6 traffic from those apps is blocked, and when it supports only IPv6, IPv4 traffic from those apps is blocked.
- Android Settings-based VPN configuration: Basic VPN configuration through the Settings menu can support Knox VPN features such as on-demand, per-app, device-wide, user-wide, static and PAC Proxy connections.
- IPv4 and IPv6 formats: The Knox VPN framework supports both IPv4 and IPv6 tunnels.
  - A static proxy server can be specified as an IPv6 address, or as a domain name that resolves to an IPv6 address, as long as the VPN interface supports IPv6.
  - A PAC URL can be specified with an IPv6 address, or with a domain name that resolves to an IPv6 address, as long as the VPN interface supports IPv6.
  - A proxy server returned by the PAC script can be specified as an IPv6 address, or as a domain name that resolves to an IPv6 address, as long as the VPN interface supports IPv6.
- Multiple VPN tunnels: Multiple VPN clients can be active at the same time in the same user space. The Knox VPN framework supports VPN clients which support multiple VPN tunnels.
VPN Requirements
- A VPN client integrated with the Knox VPN framework, installed on the device.
  - See VPN Clients That Implement the Knox VPN Framework for a list of clients from which you can choose.
  - See also Optional Knox VPN APIs for Third-Party VPN Clients for a list of APIs which may, or may not, be implemented by third-party vendors.
- The vendor-specific parameters for the third-party VPN client, which help define the VPN profile.
- A valid Knox license with the VPN permission "com.samsung.android.knox.permission.KNOX_VPN_GENERIC".
- It is also possible to control basic VPN configuration through the Android O Settings screen. In this case, the add-on VPN Client APK must be downloaded from Samsung and installed in the main user.
App and Device VPN Configuration With a VPN Profile
VPN profiles can control the VPN configuration for a given app and device, depending on the EMM agent's permissions. Once an application is assigned a VPN profile, the app cannot be assigned a second, different profile. The initial profile must be removed and then the new profile can be assigned.
Once a VPN proxy is configured for an app, the proxy also covers mobile data for the device.
The following descriptions explain what types of VPN profiles the Knox VPN framework supports.
A Per-App Profile
A per-app profile tunnels through the VPN all traffic from the apps that are added to it using any of the following APIs:
A User-Wide Profile
A user-wide profile tunnels through the VPN all traffic from the apps that are added to it using any of the following APIs:
Blocked apps
Starting with Knox 3.2.1, devices running a user-wide VPN profile can have blocked apps, that is, apps that do not connect using the VPN. None of the Knox VPN features, such as proxy, chaining, and UID/PID embedding, apply to blocked apps. When a user-wide VPN profile is in use, the framework does the following for all blocked apps, whether the user-wide VPN is running or not:
- Adds the list of blocked apps to Enterprise.db.
- Sends their DNS queries over the physical interface.
- Sends and receives their data packets over the physical interface.
- Downloads files for their Download Manager operations over the physical interface.
- Stops sending proxy-related information to those apps.
The Knox SDK includes the following APIs to help IT admins manage blocked apps.
The following describes the path that a blocked app's traffic takes when a user-wide VPN profile is in use.
- The device user searches for and tries to download an app through the Play Store app.
- The Download Manager app receives the download request and prepares a DNS query for the download URL.
- Before sending the DNS query, the Download Manager app asks system_server over a Unix domain socket which network interface to use, including the UID of the originator, in this case the Play Store app.
- From its cache, system_server learns that the Play Store app is exempted from the VPN and instructs the Download Manager app to send the request to netd through the network interface with the ID 498.
Note: The network interface ID is a pre-defined constant and belongs to the Knox VPN range of 100 to 500.
- netd then sends the query over the default physical interface, such as wlan0 or rmnet0.
- For all apps marked with the ID 498, all data requests are sent directly, without going through the VPN.
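To make the routing rules concrete, here is an added Python model, written for this page and not Samsung's code or the Knox SDK, of how the framework decides per UID whether traffic goes through the tunnel, goes directly over the physical interface, or is dropped. It covers the blocked-apps behaviour in this section, the traffic-blocking and IPv4/IPv6 rules under Advanced Knox VPN features, the one-profile-per-app rule under App and Device VPN Configuration, and the on-demand and chaining constraints. The class and method names, the uids, and the `family` argument are this example's own assumptions; the interface ID 498 and the 100 to 500 range come from the page.

```python
"""Toy model of the Knox VPN framework's per-app routing decisions.

Added illustration, not Samsung's implementation. Class/method names and
uids are assumptions; the rules encoded are the ones this page describes.
"""
from dataclasses import dataclass, field
from enum import Enum

EXEMPT_IFACE_ID = 498                 # ID system_server hands out for blocked apps
KNOX_VPN_ID_RANGE = range(100, 501)   # the page's "Knox VPN range of 100 to 500"


class Mode(Enum):
    PER_APP = "per-app"
    USER_WIDE = "user-wide"
    DEVICE_WIDE = "device-wide"


class Decision(Enum):
    TUNNEL = "tunnel"      # handed to the profile's VPN client(s)
    PHYSICAL = "physical"  # sent directly on wlan0/rmnet0; no Knox VPN feature applies
    BLOCK = "block"        # dropped by the framework (DNS and data alike)


@dataclass
class VpnState:
    up: bool
    ipv4: bool = True   # address families the active tunnel carries
    ipv6: bool = False


@dataclass
class Profile:
    name: str
    mode: Mode
    blocked: set = field(default_factory=set)  # uids exempted from a user-wide VPN
    on_demand: bool = False
    client_users: tuple = (0,)  # Android user of each VPN client; two entries when chained

    def __post_init__(self):
        if self.on_demand and self.mode is not Mode.PER_APP:
            raise ValueError("on-demand connections apply only to per-app profiles")
        if self.blocked and self.mode is not Mode.USER_WIDE:
            raise ValueError("blocked apps exist only for user-wide profiles")
        if not 1 <= len(self.client_users) <= 2:
            raise ValueError("a profile uses one VPN client, or two when chained")
        if len(set(self.client_users)) != 1:
            raise ValueError("chained VPN clients must be installed in the same user space")


class KnoxVpnModel:
    def __init__(self):
        self.profiles = {}
        self.members = {}   # uid -> profile name, for apps added to a per-app profile

    def add_profile(self, profile):
        self.profiles[profile.name] = profile

    def add_package(self, uid, profile_name):
        """One profile per app: the old profile must be removed before a new one is assigned."""
        current = self.members.get(uid)
        if current is not None and current != profile_name:
            raise ValueError(f"uid {uid} already has profile {current!r}; remove it first")
        self.members[uid] = profile_name

    def remove_package(self, uid):
        self.members.pop(uid, None)

    def covered(self, profile, uid):
        """Is this app's traffic subject to the profile (and so to proxy, chaining, UID/PID)?"""
        if profile.mode is Mode.PER_APP:
            return self.members.get(uid) == profile.name
        return uid not in profile.blocked   # user- and device-wide cover everything else

    def exempt_iface_id(self, profile, uid):
        """Interface ID system_server returns to Download Manager for a blocked app."""
        return EXEMPT_IFACE_ID if uid in profile.blocked else None

    def route(self, profile_name, state, uid, family="ipv4"):
        if family not in ("ipv4", "ipv6"):
            raise ValueError("family must be 'ipv4' or 'ipv6'")
        profile = self.profiles[profile_name]
        if uid in profile.blocked:
            return Decision.PHYSICAL   # exempt app: physical interface whether VPN is up or down
        if not self.covered(profile, uid):
            return Decision.PHYSICAL   # per-app profile that does not list this app
        if not state.up:
            return Decision.BLOCK      # traffic blocking: no plaintext fallback while tunnel is down
        if not getattr(state, family):
            return Decision.BLOCK      # e.g. IPv6 from a covered app over an IPv4-only tunnel
        return Decision.TUNNEL

    def proxy_applies(self, profile_name, uid):
        """Blocked apps never receive the profile's static or PAC proxy settings."""
        return self.covered(self.profiles[profile_name], uid)
```

Two results worth noticing: a blocked app stays on the physical interface even while the user-wide VPN is up, so it never sees the proxy settings or any other Knox VPN feature, and a covered app gets `Decision.BLOCK` rather than a plaintext fallback when the tunnel is down or cannot carry its address family.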
A Profile for Android O VPN management for Knox
A profile which allows the use of the basic VPN controls present in the Settings menu supports Knox VPN features such as proxy support, on-demand, per-app, user-wide, or device-wide VPN. See VPN Requirements for the add-on APK needed for this type of configuration.
Knox VPN APIs for third-party VPN clients
The following APIs in the Knox SDK GenericVpnPolicy class may, or may not, be implemented by third-party VPN clients. EMMs whose agents rely on the features provided by these APIs must verify that the third-party VPN client a given enterprise uses has implemented these calls.
- setVpnModeOfOperation
- getVpnModeOfOperation
- setUserCertificate
- getUserCertificate
- setCACertificates
- getCACertificate
- setServerCertValidationUserAcceptanceCriteria
- setAutoRetryOnConnectionError