What's new

Find out what's new in these releases of Samsung Knox:

Knox SDK 3.7 (Knox API level 33)

November 2020

The Knox 3.7 platform introduces these new features:

  • Work profile on company-owned devices
  • Separated apps
  • Lock screen enhancements
  • Deep Settings customization
  • Bug fixes and feature enhancements

As with past releases, new features are offered through the:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP,
  • Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions, or
  • Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about how you can benefit from the new features.

Work profile on company-owned devices

As described in Device management modes, Google's Android 11 release:

To migrate to the new work profile on company-owned devices, see:

For personal profile management, the profile owner of a work profile on company-owned devices must first create a parent instance before calling a Knox policy. Use either of the following new API methods:

To call the new API methods:

// Signature: EnterpriseDeviceManager.getParentInstance(Context)
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getParentInstance(context);
ApplicationPolicy appPolicy = edm.getApplicationPolicy();
// Call the Knox policy for the parent (personal) profile through appPolicy

// Signature: EnterpriseKnoxManager.getParentInstance(Context)
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getParentInstance(context);
AdvancedRestrictionPolicy restrictionPolicy = ekm.getAdvancedRestrictionPolicy();
// Call the Knox policy for the parent (personal) profile through restrictionPolicy

Note:

  • Only work profiles on company-owned devices can call getParentInstance; otherwise, an exception is thrown.
  • Only the Knox APIs allowed for the personal profile can be called; otherwise, an exception is thrown.

Separated apps

There are some limitations with the new work profile on company-owned devices. See a full list of Knox policies that are not allowed in the personal profile.

For example, customers might want:

  • Password reset on the device
  • Mobile Threat Defense solution in user0
  • General visibility and control of DNS filtering, APN, and so on

Enterprises can migrate to a new Samsung-exclusive mode: Separated apps. In this mode, the enterprise continues to have full (device owner) visibility and control over their company-owned devices, with authorized third-party business apps in a securely separate folder. See how to use the Knox Service Plugin to set up Separated apps.

Lock screen enhancements

This release offers several customer-requested enhancements to the lock screen:

| Feature | Issue | Enhancement |
| --- | --- | --- |
| Admin lock on Knox license expiry | When a license expires, the device or the profile is immediately admin locked from a security and management point of view. | The users can use the existing device or profile under the policies. |
| Admin lock on maximum failed passwords | The device is admin locked when a user fails 5 times (assuming the maximum failed password count is 5). | The profile (PO) will be admin locked or wiped instead of device locked when the user fails 5 times. |
| Face unlock for work profile | Lack of face unlock to open a work profile. | Face authentication is allowed for the profile owner. To enable or disable this feature, use the existing API method setBiometricAuthenticationEnabled. |
| Advanced access control for work profile | Once a device owner unlocks their work profile, unauthorized users can easily access the data inside the profile at any time. | When a non-registered device user (who is not the owner) is detected, the profile is locked automatically based on face authentication. To enable or disable this feature, use the Knox Service Plugin. |

Deep Settings customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following Settings options through the Knox Service Plugin.

| Setting | Description |
| --- | --- |
| Hardware key remapping | Ruggedized devices such as the XCover Pro expand their key remapping capabilities, supporting: Keys: XCover, Top, Side, Hook (ear-set) key; Events: short press, long press, and double press; Actions: App launch, Activity launch |
| Side Key setting | The new Side key, which combines the Power and Bixby keys, can be configured for the events: double press and press-and-hold. The Side key can also be enabled or disabled. |
| APN change disabling | The change of the Preferred APN can now be disabled after an IT admin sets the APN settings. |
| Dual SIM management | Devices with dual SIMs can now configure preferred SIM cards for each call, SMS, and data. While the SIM manager is configured through deep settings, the e-sim menu will be disabled automatically. |

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities.

Bug fixes and feature enhancements

The release fixes the following customer-reported bugs:

| Bug | Issue | Fix |
| --- | --- | --- |
| Ownership transfer for DPM | In the case of a profile owner, a work profile is removed when an IT admin tries to transfer ownership using the DPM.transferOwnership API. | Ownership migration is now supported. |
| Filter data traffic for tethering using Firewall | Samsung devices provide an enhanced Knox firewall, but the policy does not affect tethered devices such as laptops and tablets. | The Knox firewall policy now includes tethered devices. |
| Ultra-wideband control | UWB was introduced with the Galaxy Note20 but IT admins could not control it. | New API methods: allowUWB, isUWBAllowed |

Other new APIs

Deprecated APIs

To improve SDK usability and maintainability, we have continued to deprecate APIs that are duplicated in Android Enterprise or not being used as per our API usage analytics.

For a complete list of the API methods that have been deprecated, see Deprecated API methods.

The API Reference also indicates which classes and methods are deprecated with the note, Deprecated in API level 33.

Knox SDK 3.6 (Knox API level 32)

August 2020

The Knox 3.6 platform advances Samsung's commitment to helping you customize and secure mobile devices, by introducing these new features:

Customization

  • Hardware key mapping for the Galaxy XCover series to enable the XCover and Top hardware keys to launch specific apps
  • Additional Deep Settings Customization for granular control over the settings users can and cannot access through the Settings app
  • Samsung Dex foreground app intents to enable an app to customize actions based on whether it is in focus during DeX dual mode
  • Quick Panel control over the Daily Board, to prohibit devices from showing potentially sensitive content such as calendar events and photos while charging

Security

  • Advanced Knox VPN capabilities for work profiles in Profile Owner mode, for organizations with PO deployments
  • Certificate authentication for USB-tethered laptops using the defense-grade Knox mobile VPN network
  • Firewall configurations based on network interfaces such as wlan0 or eth0

As with past releases, new features are offered through the:

  • Knox Service Plugin (KSP), which provides new features on the day of release to IT admins using UEM solutions supporting KSP,
  • Knox SDK, to provide more powerful programmatic and integrated control to developers creating app solutions, or
  • Knox platform, which is factory-installed on Samsung Knox devices

Read on to find out more about how you can benefit from the new Knox 3.6 features.

XCover Pro hardware keys

Get the most out of the new ruggedized Samsung XCover devices by customizing the XCover and Top hardware keys.

The latest version of the Knox Service Plugin lets you:

  • Set up short or long key presses to launch selected device apps
  • Disable hardware key options in a device's Android Settings menu

For more information, see the latest KSP release notes or KSP policy schema.

Deep Settings Customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to configure the following settings through the Knox Service Plugin.

| Setting | Description | Customize through KSP policy group | Options |
| --- | --- | --- | --- |
| Wi-Fi Direct | Allows two devices to establish a direct, peer-to-peer Wi-Fi connection without requiring a wireless router. | Device Restrictions | Allow / Do not allow |
| Keyboard language shortcut | Allows virtual keyboard shortcuts to change the keyboard language. | Configure values in settings menu | On / Off / Use specific value / Allow user to modify setting / Hide setting |

Each KSP release introduces additional deep settings so you are encouraged to browse the KSP release notes or KSP policy schema for all the latest capabilities. Coming soon: Deep settings to manage Picture-in-Picture and DeX monitor resolution.

DeX foreground app

Samsung DeX in dual mode increases mobile productivity, letting you use a device while presenting separately on an external display.

You can now check if an app is in the foreground while in dual mode. One use case for this is in a banking scenario, where a banking customer is using a tablet and a bank employee is using the connected monitor to access an internal banking app. An app can now determine if it is currently in focus or not, and customize actions available to the app user.

Use the Knox SDK to check the focus state:

  1. Monitor the focus of an app's package with ApplicationPolicy.addPackagesToFocusMonitoringList().
  2. Inspect the ACTION_APPLICATION_FOCUS_CHANGE intent when a focus change occurs for that package.
  3. Extract the new EXTRA_APPLICATION_FOCUS_DEX_MODE field from the intent. The value is true if the app is in focus.
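
The three steps above combined into one receiver, as an added example that is not code from the Knox SDK documentation. It assumes the calling app is an activated Knox admin app, that ACTION_APPLICATION_FOCUS_CHANGE and EXTRA_APPLICATION_FOCUS_DEX_MODE are constants on ApplicationPolicy, and that the extra is a boolean; DexFocusMonitor and its Listener are hypothetical names.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.ApplicationPolicy;

import java.util.Collections;

/** Tracks whether a monitored package holds focus in DeX dual mode. */
public class DexFocusMonitor extends BroadcastReceiver {

    /** Hypothetical callback implemented by the app's UI layer. */
    public interface Listener {
        void onDexFocusChanged(boolean inFocus);
    }

    private final Listener listener;
    private boolean registered = false;
    // Fail closed: until an intent says otherwise, treat the app as not in focus.
    private volatile boolean inFocus = false;

    public DexFocusMonitor(Listener listener) {
        this.listener = listener;
    }

    /** Step 1: ask Knox to monitor the package, then listen for focus changes. */
    public boolean start(Context context, String packageName) {
        ApplicationPolicy appPolicy =
                EnterpriseDeviceManager.getInstance(context).getApplicationPolicy();
        boolean monitored = appPolicy.addPackagesToFocusMonitoringList(
                Collections.singletonList(packageName));
        if (monitored && !registered) {
            context.registerReceiver(this,
                    new IntentFilter(ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE));
            registered = true;
        }
        return monitored;
    }

    public void stop(Context context) {
        if (registered) {
            context.unregisterReceiver(this);
            registered = false;
        }
        inFocus = false; // back to the fail-closed default
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Step 2: only act on the Knox focus-change intent.
        if (!ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE.equals(intent.getAction())) {
            return;
        }
        // Step 3: a missing extra is read as "not in focus" so that sensitive
        // views stay hidden when the state is unknown.
        inFocus = intent.getBooleanExtra(
                ApplicationPolicy.EXTRA_APPLICATION_FOCUS_DEX_MODE, false);
        listener.onDexFocusChanged(inFocus);
    }

    public boolean isInFocus() {
        return inFocus;
    }
}
```

In the banking scenario, the listener would hide account data whenever inFocus is false. Apps that target newer Android releases must also pass an export flag to registerReceiver.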

For more about using the Knox SDK to control DeX features, see Samsung DeX and Knox.

Quick Panel display of Daily Board

Through the Knox SDK, you can control what appears on a device's Quick Panel, which is shown when you swipe down from the top of the screen. With this Knox 3.6 release, you can show or hide the button used to configure the Daily Board, which tablets can use while charging to display the time, weather, calendar events, and photos. For security reasons, you can prevent users from enabling or configuring the Daily Board through the Quick Panel. Use the following API constant:

For more about how to show or hide this button, see SystemManager.setQuickPanelButtons.

Knox VPN in work profiles

The Android VPN Management for Knox Strongswan app extends the capabilities of the built-in Android VPN client, which provides only basic configuration as seen in the Android Settings app. The Knox app enables many more advanced Knox VPN capabilities on Samsung Knox devices.

Previously, the Android VPN Management for Knox Strongswan app supported only Device Owner (DO) mode. Knox 3.6 now supports Profile Owner (PO) mode, enabling the same advanced Knox VPN capabilities from within a work profile. When installed inside a work profile, the new Knox app (v3.0.5) accesses an end-user/CA certificate inside the PO keystore to secure data transmission from within the work profile.

To deploy the new Android VPN Management for Knox Strongswan app in a work profile:

  1. Log in to Knox Partner Portal > Dashboard > Download.
  2. Download the new Android VPN Management for Knox Strongswan APK.
  3. Configure a UEM profile to push and deploy the APK in a work profile.
NOTE — The new Knox app is backwards compatible with devices running earlier, pre-3.6 versions of Knox.

For more info about the:

Certificate-based authentication for USB-tethered laptops

With Knox 3.5, Samsung Knox devices could extend a VPN tunnel to a laptop connected through USB. This provided laptop users with the ability to access internal enterprise resources using our defense-grade mobile VPN network. In addition to providing convenience when laptops do not have network connectivity, this offers company cost savings by removing the need to buy additional VPN licenses for laptops.

Knox 3.6 enhances this feature with better security and control. In terms of security, there is a new app that enables Samsung Knox devices to verify that a laptop is owned by the device user. When the user connects a laptop to a Samsung Knox device via USB, the app validates the user certificate on the laptop with allowed certificates installed by the IT admin on the device.

To deploy the new app to authenticate connected laptops:

  1. Log in to Knox Partner Portal > Dashboard > Download.
  2. Download the new USB Tethering Authentication for VPN APK.
  3. Configure a UEM profile to push and deploy the APK to devices.
  4. Identify the certificates of laptops allowed to connect via USB to each device for VPN access.
NOTE — The APK provided on the Knox Partner Portal supports only Samsung One UI flagship devices such as the Galaxy S/A/J and Tab S/A. We also have One UI Core devices such as the A21, Tab A7, M51, M31s, and A12. To deploy USB-tethered VPNs on a One UI Core device, please contact us to get another APK that uses a different Samsung platform signing key.

The Knox SDK v3.6 provides the following new API methods and constants to configure USB-tethered VPNs:

For additional information about configuring VPN profiles, see About Knox VPNs.

Firewall based on network types

Samsung Knox already provides granular control over firewalls on Samsung Knox devices. You can allow or prevent devices from sending or receiving data using specific IP addresses, port numbers, port locations, app identities, network interfaces (mobile, Wi-Fi), directions, or protocols.

With Knox 3.6, you can now also configure firewalls based on UNIX network interface names, for example, wlan0, wlan+, eth0, eth+. Use the following API methods:

For more information about defining firewalls, see Firewalls.

Deprecated APIs

This release deprecates the following API methods and constants:

See also the complete list of Deprecated API methods.

Knox SDK 3.5 (Knox API level 31)

February 2020

Samsung Knox 3.5 introduces new settings for granular control over areas like user experience, roaming, and certificate management. Most of these features come with the Samsung Knox Service Plugin (KSP), meaning IT Admins can use them immediately upon release.

For developers, Knox 3.5 also includes an improved embedded Secure Element (eSE) applet for Universal Credential Management.

UCM-eSE applet enhancement

Set up credential storage with improved security on embedded secure elements (eSEs). Samsung’s refined, preloaded eSE applet for Universal Credential Management (UCM) supports the latest cipher and signature algorithms like ECDSA/ECDH, HMAC, and CMAC for modern smart card storage.

Knox SDK 3.4.1 (Knox API level 30)

December 2019

Samsung Knox SDK version 3.4.1 extends our device manageability capabilities, optimizes existing features, and further harmonizes Knox with Android Enterprise.

Remote Support Enhancements

With this release, you can now:

  • enable remote support to work inside a work profile, as this restriction has been removed
  • remotely view and control the Samsung DeX screen
  • use the Knox Service Plugin to enable or disable remote support, using AllowRemoteSupport

For more information, see Remote Support Overview, Remote Control for Work Profile, and Remote Control for DeX.

Find My Mobile Unlock

Previously, a device locked by IT policy could be unlocked by the end user using the Find My Mobile unlock function.

For better security, devices that have password policies such as password quality applied by an IT admin cannot be unlocked through Find My Mobile.

Android Enterprise Harmonization

We are continuing to harmonize our Knox Platform for Enterprise (KPE) with Android Enterprise (AE), with this change in Knox 3.4.1:

  • Workspace name replaced with Work—The KPE Workspace container has been harmonized with the AE Work Profile. Accordingly, on the device UI, the Personal and Workspace tabs have been renamed Personal and Work.

Deprecated features

We have deprecated KPE features that are not being used, according to our extensive analytics. This is to streamline our operations and allow us to focus more on delivering newly requested features and less on maintaining low usage features. If you are using any of these features, which are described below, please review your solutions to see if you can remove or replace the features.

Which low-use features are being deprecated?

  • Samsung Single Sign On (Kerberos) — Samsung SSO enables Samsung devices to authenticate users against an Active Directory (AD) infrastructure using the well-known Integrated Windows Authentication (IWA) with Negotiate (using MIT Kerberos V5). Due to low usage, however, we are deprecating this SSO feature. If you are using Samsung SSO, try exploring other SSO solutions like Azure AD.
  • Knox container unlock using AD — With AD Containers, IT admins can enable corporate AD credentials to unlock the Knox Workspace container on a mobile device. Due to very low usage, this feature is also being deprecated.
  • Knox Shared Device — Knox Shared Device enables several enterprise employees to use the same device, without divulging individual settings, accounts, apps, or policies. Currently, you can enable this feature only through Knox Configure. With Google now offering Managed guest session devices, we are deprecating the Knox Shared Device.
  • Knox Cloud SDK — The Knox Cloud SDK enables you to configure Samsung devices through web-based REST API calls. Again, due to very low usage, we are deprecating this feature. Instead, you can use the more powerful, up-to-date, and device-based Knox SDK or Knox Service Plugin.

Also, this feature is no longer available for security reasons:

  • Install apps — Previously, end users could move an app from the Personal space to the Work space (managed profile), through the Work space settings > Install apps menu option, which is enabled through the API method RCPPolicy.allowMoveAppsToContainer. As customers have raised concerns about the security of unmanaged apps, we have removed the menu option and API. Now, if you need to install apps into the Work space, you need to use either Google Play or the API InstallApplication.

What is the deprecation timeline?

If you have new devices with Android Q (Android 10), you will not be able to use these features anymore.

If you have devices with Android P (Android 9) or earlier, you can still use these features. Details are as follows:

  • Samsung SSO (Kerberos) and AD container—You can still use these features after a Q OS upgrade. But the features will not be available in Android R.
  • Knox Shared Device—Shared Device has been enabled only through Knox Configure (KC). Shared Device will be unavailable from Android Q onwards, and cannot be enabled by Knox Configure. However, if you are already using Shared Device, you can still use it after a Q OS upgrade, but you can use Knox Configure only to disable it. The Knox Configure console will show the supported OS version for Shared Device, and provide Shared Device only for the devices which have supported OS.
  • Knox Cloud SDK—This will not be supported on Android Q devices. Additionally, on:
    • February 26, 2020—We will be ending support for Cloud SDK across all devices. That is to say, users will no longer be able to create or edit existing Cloud SDK profiles after this date. Users will also not be able to assign an existing Cloud SDK profile to a new device.
    • May 27, 2020—Existing Cloud SDK devices that have been factory reset will no longer be able to be enrolled via the Cloud SDK.

Deprecated APIs

To improve SDK usability and maintainability, we have continued to deprecate APIs that are not being used, as per our API usage analytics.

Below are the API classes that have some deprecated APIs. Note though that not all APIs in these classes are deprecated. For a complete list of the API methods that have been deprecated, see Deprecated API methods.

  • Device management—PasswordPolicy, APMPolicy, DeviceInventory
  • Networking—BluetoothSecurePolicy
  • App management—ApplicationPolicy
  • Email management—LDAPAccountPolicy
  • Data protection—DLPManagerPolicy
  • Keystore and certificate management—EnterpriseCertEnrollPolicy
  • Knox workspace—KnoxContainerManager, ContainerConfigurationPolicy, SEAMSPolicy, RCPPolicy
  • Customization—SystemManager, SettingsManager

The API Reference also indicates which classes and methods are deprecated with the note, Deprecated in API level 30.

Other

  • Old SDK namespace no longer supported—As mentioned in our June 13 blog post, new Samsung devices running the Android 10 (Q) operating system no longer support our old SDK namespace. For info about migrating apps from the old to new SDKs and namespaces, see the migration intro.
  • Apps must handle runtime permissions—As mentioned in our May 28 blog post, apps must now handle dangerous permissions in runtime as Android 10 (Q) no longer supports the workaround that we had introduced in Android 6 (M).

Knox SDK 3.4 (Knox API level 29)

August 2019

Samsung Knox SDK version 3.4 extends our leadership in advanced security, innovative usability, and comprehensive device management for our partners, developers, and enterprise customers. Read on for more info about these new features in the 3.4 release.

DualDAR

Knox 3.4 includes enhancements to Dual Data-at-Rest (DualDAR) encryption, which was released in Knox 3.3. With this release, DualDAR provides improvements to availability, performance, and security.

  • Zero Day support: IT admins are now empowered to use DualDAR features the moment they're released. Through the Knox Service Plugin (KSP) and Knox Mobile Enrollment (KME), IT admins can now create DualDAR workspace containers and configure policies, before UEM providers include customized DualDAR support through their web consoles. For more, see the Release Notes for KSP and KME.
  • Device Encrypted Storage: To enhance app stabilization, work apps can now write to DE storage by default. DE storage is available both during Direct Boot mode and after the user has unlocked the device. The default value for the configurable parameter DE restriction in the DualDARPolicy class is now set to false. To restrict writes to DE storage, you must create a package allow list and set the value for DE restriction to true.

For additional information on new DualDAR features included in the Knox 3.4 release, go to the UEM integration guide. For information on how to implement a custom solution to leverage control over your security, visit the new ISV integration guide.

Attestation

Samsung is extending its device attestation solution to improve the way we check for devices that are rooted or running unofficial firmware.

With this Knox 3.4 release, we are launching Attestation v3, which provides these features:

  • Better correlation of results: Through the use of the Samsung Attestation Key (SAK), which is unique to every device.
  • Better device status diagnostics: Through enhancements to our server-side validation check logic.

For details, see Attestation (v3), the Tutorial, the new EnhancedAttestationPolicy class, and v3 REST API.

Deep Settings Customization

Samsung already provides extensive Knox SDK APIs to configure a wide range of features on our mobile devices. To enable rapid, zero-day adoption of the new features, you can also use the Knox Service Plugin.

You can customize device settings such as:

  • location tracking
  • Wi-Fi and NFC control
  • status bar notifications
  • biometrics and security

For more information about:

  • how enterprise IT admins can configure new device features using the Knox Service Plugin, see the Admin Guide.
  • how developers can add the Knox Service Plugin to their web consoles, see Managed Configurations.

DeX Management

The Knox 3.4 release includes new DeX customization features made available through the Knox Service Plugin. You can:

  • Hide certain app icons.
  • Customize the DeX Panel.
  • Turn the Suggested Apps on or off.
  • Turn the Mouse Cursor Flow on or off.
  • Turn the Keyboard toolbar and Predictive text on or off.
  • Skip the DeX welcome screen.
  • Hide the Samsung DeX launcher icon from the quick panel.

See how enterprises can customize DeX by browsing the KSP Admin Guide, and how developers can deploy the Knox Service Plugin by browsing the guide. For info about DeX features that can be managed through the Knox SDK, see Samsung DeX and Knox and the DeXManager class.

Custom names for Personal and Workspace tabs

Knox 3.2.1 originally introduced a tab-based UI for Personal and Workspace apps.

With Knox 3.4, IT admins can now customize the names of the Personal and Workspace tabs.

Developers can support this feature using the Knox SDK API setCustomResource(). This displays custom text in the tabbed view in place of the default Personal and Workspace labels. To learn more, see Custom tab names.

APN Mobile Virtual Network Operator

Starting with Android 9.0 (Pie), you must configure the APN Mobile Virtual Network Operator (MVNO) for some carriers and SIM cards.

With Knox 3.4, you can use ApnSettings to configure the MVNO type and value for a device. For devices with Android 9.0 but Knox 3.3 or earlier, you can use reflection to set these values. For details, see Access Point Name.

Deprecated features

Knox VPN SDK

The Knox VPN SDK was designed for VPN service providers, to create apps that can handle requests to set up VPN tunnels through their proprietary infrastructure. The Knox VPN SDK has already been merged into the Knox SDK v3.3, through the package com.samsung.android.knox.net.vpn.serviceprovider. With this Knox SDK v3.4, the Knox VPN SDK is obsolete and all VPN SDK functionality must be accessed through the Knox SDK. This change provides these key benefits:

  • simplifies the development workflow for developers
  • further strengthens the capabilities of the Knox SDK
  • simplifies the licensing flow required to use the VPN APIs. Going forward, all VPN APIs are activated with the same license key as the Knox SDK – the Knox Platform for Enterprise key

If you are using the Knox VPN SDK, you need to update your apps or services to reflect this change. You do not have to update any API packages, classes, or methods, as these remain the same. You do need to import the Knox SDK library and change the old namespace (com.sec.vpn.knox) to the new namespace (com.samsung.android.knox).

For general information about updating an app to use the Knox SDK v3.x, see the migration tutorial. For details related to VPN apps, see VPN namespace changes.

Knox Workspace containers

Starting with Knox 3.0 in Android O, we began harmonizing the Knox Platform for Enterprise (KPE) with Android Enterprise (AE), to simplify your deployment of solutions across all Android devices. With harmonization, you can apply advanced and differentiated KPE features to AE Work Managed Devices and Work Profiles.

To this end, we are now deprecating the Corporate Liable (CL) mode of the Knox Workspace container on the Note 10 and later devices. The Corporate Liable mode will however continue to work on S10 and earlier devices, even if they are upgraded to Knox 3.4.

Instead of the Knox Workspace container, deploy these AE use models:

  • Work Managed Device (as a DO) and Work Profile (as a PO). This replaces the Corporate Liable mode being deprecated with the Note 10 onwards.
  • Work Managed Device (as a DO). This replaces the Container Only Mode (COM) that was deprecated with the S10 onwards.

To apply Knox features to any of these AE use models, activate a KPE license. For details, see the tutorial Apply Knox features to Work Profile.

Knox SDK 3.3 (Knox API level 28)

March 2019

Samsung Knox SDK version 3.3 adds even more APIs and framework features for developers, MDMs, and users. APIs have been added to provide functionality to container encryption, Samsung DeX, and Network Analytics. Knox is built and secured at a hardware level, and with the Knox 3.3 SDK, Samsung Verified Boot now monitors and protects the boot loading.

DualDAR

With a single layer of encryption, potential flaws in the implementation may result in a single point of failure. Dual Encryption (DualDAR) secures confidential work data with two layers of encryption, while providing security even when the device is powered off or is in an unauthenticated state. DualDAR enables highly regulated enterprises to ensure their confidential work data is protected by meeting the Commercial Solutions for Classified Program (CSFC) regulation.

For more information on the new Knox 3.3 Dual DAR feature, learn how to configure a DualDAR Workspace.

Container Only Mode (COM) deprecation

Container Only Mode is obsolete as of the Galaxy S10 or later devices.

Note: Samsung Note 9/S9 devices or earlier with COM/ CL containers will be supported throughout the life of the device. For more information, see this bulletin notice.

Knox on DeX

Samsung DeX has new features and APIs to give and restrict access using the Knox platform. For API implementation, see Samsung DeX with Knox and the Knox 3.3 API reference guide.

VPN namespace changes

With the Knox SDK v3.0 release, all apps must use the new Android namespace conventions, as described in IMPORTANT NOTICE: Reminder to transition from old namespaces. The Knox VPN SDK still uses the old namespace conventions. Following the Android Q and Knox SDK 3.4 releases in the later part of 2019 or the early part of 2020, this merge requires VPN clients to be updated to use the new namespaces. For more information on updating your VPN clients to use the new namespace, see VPN namespace changes. For more information about this change and how it impacts your VPN clients, see (link to blog post TBD).

VPN improvements and enhancements

Knox SDK v3.3 includes several enhancements that improve user experience and performance of VPN clients on the Knox framework. The enhancements include, but are not limited to the following: 

  1. Support multi-app tunnelling: These enhancements improve user experience when using VPN tunnels that impact more than one app at a time. As a result of these enhancements, users can connect with and start using business apps immediately after the VPN tunnel is established.
  2. Synchronize Knox events with Android networking events: These enhancements improve the performance of VPN clients by synchronizing Knox events with Android networking events. This change means that the Knox container recognizes that the VPN client is connected without any delay.
  3. Provide ongoing network flow information for NPA purposes: This new feature improves the performance of EMM-based Network Performance Assessment tools by providing information about network data flow while the connection is ongoing. This feature means admins now have the ability to configure their EMM-based NPA tools to receive network statistics while a network connection is ongoing. This functionality is especially useful in cases where network sessions last for a long time. For more information, see Configure NPA reporting.

Firewall support

Knox SDK 3.3 now supports the interaction between DomainFilter rules and Firewall policies on a specified device by introducing a new API enableDomainFilterOnIptables() that enables this new feature.

Without this feature enabled, Firewall policies can affect allow list rules applied by Domain Filter. After enabling this API, admins can support the following use cases:

  • Use FirewallRule to block all IPs in a specified device.
  • Use the DomainFilterRule() to allow specific domains even if the IPs are blocked using Firewall policies.

To learn more about this new feature, visit the Firewall section of the Knox SDK user guide.

Contact Storage restrictions

Take control over where device contacts are stored. Remove the risk of local contacts, which can be lost and become out of sync with your corporate enterprise. For API implementation, see contacts storage and the Knox 3.3 API reference guide.

Knox SDK 3.2.1 (Knox API level 27)

December 2018

The Knox SDK version 3.2.1 release has three major improvements to security and device management. Firstly, new APIs have been developed for this release to allow more functionality in device management. Secondly, Knox Platform for Enterprise is built on the Android operating system, and with Knox v3.2.1 we leverage the Android Pie operating system to provide even more capabilities on a Samsung device. Finally, framework improvements have been added to the SDK to optimize performance behind the scenes so you can focus on development.

New API overview

Classes, with their API methods and variables:

  • BasePasswordPolicy
    • setResetPasswordToken (ComponentName admin, byte[] token)
    • clearResetPasswordToken (ComponentName admin)
    • isResetPasswordTokenActive (ComponentName admin)
    • resetPasswordWithToken (ComponentName admin, String password, byte[] token, int flags)
    • getTrustAgentConfiguration (ComponentName admin, ComponentName agent)
    • setTrustAgentConfiguration (ComponentName admin, ComponentName target, PersistableBundle configuration)
  • EnterpriseDeviceManager
    • getBasePasswordPolicy ()
  • WifiPolicy
    • SECURITY_TYPE_WPA2_PSK

For more information on Knox APIs see the full set of Knox API references. In addition to new Knox APIs for the Knox SDK v3.2.1 release there were also deprecated APIs. See deprecated API methods for a full list.

Certificate Provisioning

The Knox SDK features the CertificateProvisioning class, which supports IT Admins in managing certificates and keystores. Beginning with Knox 3.2.1, certificate installations with the KEYSTORE_DEFAULT flag will no longer require the user to unlock the device.

For details, see the API installCertificateToKeystore(), which allows the IT admin to silently install a CA certificate into a given keystore. To learn more about certificate provisioning, see About Keystores.

Password

There are two major improvements to the Knox Platform for Enterprise's password class:

  • The following Android APIs now exist on the Knox Platform: setTrustAgentConfiguration and getTrustAgentConfiguration. The addition of these methods preserves the functionality of calling these APIs as device admin.
  • The following APIs have been added as an alternative to resetPassword() to allow programmatic password modification without IT admin interaction: setResetPasswordToken, clearResetPasswordToken, isResetPasswordTokenActive, and resetPasswordWithToken.

For more information on Knox passwords, see the password section of the developer guide.

IME

The Keyboard security framework has received a major usability upgrade while maintaining security between the personal and work profiles. Unlike Android Enterprise, Knox Platform for Enterprise allows users to choose their own IME in the personal space without the risk of leakage into the work space by separating the IMEs. Learn more about this update to the keyboard framework for KPE.

VPN Enhancements

Audit Log

The Knox Generic VPN Framework enables common audit logs for VPN clients and helps non-native VPN clients meet NIAP security requirements.

To learn more about the types of events that are logged, see VPN Audit Logs.

Performance Improvement

The Knox SDK has the GenericVpnPolicy class which allows IT Admins to configure SSL/IPSEC VPN profiles on multiple devices.

This release adds a number of enhancements to VPN, including:

  • Performance optimization to increase the speed of establishing VPN connections for a large number of apps.
  • Synchronization of VPN connection and firewall configuration events. This ensures that the VPN connection is established only after the firewall has finished preparing for VPN mode.

UI changes

Mini launcher

The Knox SDK Release 3.2.1 removes the mini launcher used to open the Knox Workspace and replaces it with a tabbed UI view. Apps now display in two categories: Personal and Work (Knox Workspace). Users can seamlessly switch between the Personal and Work tabs on the Home page.

To learn more about the tabbed UI view, see Tabbed UI View.

Settings

The Knox SDK Release 3.2.1 includes changes that let users open the Knox Workspace Settings right from the device's Settings.

To learn more about this change, see Workspace Settings.

Knox SDK 3.2 (Knox API level 26)

August 2018

Knox SDK 3.2 introduces a variety of new features and capabilities for users and developers. This page highlights what's new for developers.

New API overview

Classes, with their API methods:

  • DexManager
    • public int setHomeAlignment(int mode)
    • public int getHomeAlignment()
    • addURLShortcut(int x, int y, String title, String url, ComponentName component)
    • addURLShortcut(int x, int y, String title, String url, String imgName, ComponentName component, ParcelFileDescriptor imgFD)
    • removeURLShortcut(String url, in ComponentName component);
    • setForegroundModePackageList(int state, in List<String> pkgList);
    • List<String> getForegroundModePackageList();
  • ProKioskManager
    • public int startProKioskMode(String packageName, String passCode)
    • public int stopProKioskMode(String passCode)
  • AdvancedRestrictionPolicy
    • public boolean allowBLE(boolean allow)
    • public boolean isBLEAllowed()
    • public boolean allowWifiScanning(boolean allow)
    • public boolean isWifiScanningAllowed()
  • PhoneRestrictionPolicy
    • public Bundle getRCSMessage(long id)
  • NetworkAnalytics
    • public int start(String profileName, Bundle flowTypeBundle)
  • EnterpriseDeviceManager
    • public static int getUserId(UserHandle handle)
  • SdpException
    • public int getErrorCode()
    • public int getTimeout()

DeX management APIs

DeX management APIs allow you to increase productivity and decrease costs by using your Samsung device to switch to a PC-like environment with ease.

setHomeAlignment – This API allows IT Admins to modify the way apps are aligned in DeX mode. For example, you can align apps in a preferred order. This is perfect for organizations that want to set up numerous identical workstations throughout their organization.

addURLShortcut – This API allows IT Admins to add a browser shortcut with a specific URL on the DeX home screen. This is useful for enterprises that require users to access a URL frequently – for example, an internal Intranet network. A customized icon can also be displayed.

Connection APIs

In many situations, IT Admins may need to completely disable Bluetooth or Wi-Fi, and not just prevent the user from toggling it on or off. This can now be done with allowBLE() and allowWifiScanning(). This can increase security by preventing malicious Bluetooth or Wi-Fi attacks from remotely triggering these services through background usage.

  • Turn off Wi-Fi background scanning: Use allowWifiScanning() to completely turn off Wi-Fi and Wi-Fi background scanning.
  • Turn off Bluetooth background scanning: Use allowBLE() to completely turn off Bluetooth and Bluetooth scanning.

These options are shown in the settings screen below.

Enhancement APIs

ProKioskManager

The updated ProKiosk Manager API lets you enable ProKiosk Mode without having to reboot the device. This saves IT Admins time when they have to set up ProKiosk Mode on a large batch of devices.

Class, with its API methods:

  • ProKioskManager
    • public int startProKioskMode(String packageName, String passCode)
    • public int stopProKioskMode(String passCode)

Rich communication services (RCS) message capture API

RCS messaging is a new messaging protocol which replaces SMS as the default messaging platform for carriers. It adds much needed features, such as group messages, and allows users to send more types of media. All of this is done over data instead of the cellular network, making it very similar to current IM apps that can be downloaded from the Play Store.

Knox 3.2 allows IT Admins to capture and record RCS messages (including attachable multimedia files). For many industries, such as financial services, the ability to record and audit sent and received messages is required by law.

getRCSMessage allows IT Admins to:

  • Start RCS capture
  • Stop RCS capture

UCM SDK merged to Knox SDK

As of Knox 3.2, the UCM SDK will be merged into the Knox SDK. New permissions are defined to streamline the license activation flow and make using both products easier. Vendors need to implement their UCM app with these new permissions, but do not have to change any APIs.

  • Legacy permissions: KNOX_UCM_OTHER_MGMT / KNOX_UCM_PLUGIN_SERVICE / KNOX_UCM_PRIVILEGED_MGMT / KNOX_UCM_ESE_MGMT
  • New UCM permissions: All the UCM features will be granted with this new UCM permission (KNOX_UCM_MGMT)

Knox SDK 3.1 (Knox API level 25)

March 2018

DeX management APIs

Samsung DeX is a revolutionary new technology that allows users to transform their mobile devices into powerful enterprise desktop machines with a simple docking station. As DeX becomes more popular among enterprises, there is growing urgency to provide IT admins with the same degree of granular management policies available for Samsung devices as a whole. For the 3.1 release, the Knox team is providing the following DeX-specific management APIs:

Add or remove app shortcuts

This feature allows enterprises to differentiate the mobile and desktop home screens even further.

Change the DeX loading screen

Devices play a default animation while launching in DeX mode. Knox 3.1 provides APIs that allow you to add images and other branding assets to replace the default DeX loading logo. Create a more customized user experience with this new DeX feature.

Control screen timeout settings

The Knox SDK provides you with the flexibility to balance security concerns with convenience. You can set a screen timeout that ranges from seconds to weeks depending on your enterprise security policies.

Enforce Ethernet data connection

This feature ensures that users are running certain productivity apps using a secure Ethernet connection by preventing them from connecting to mobile data or Wi-Fi while in DeX mode.

Prevent certain apps from running in DeX

Disable personal apps, such as social media and games, while the device is in DeX mode. These APIs don’t affect devices after they’ve been disconnected from the DeX station. For more detailed information regarding these new APIs, including requirements and sample code, see the Knox SDK Developer Guide and Knox SDK API reference.

If you want to prevent DeX mode in an enterprise setting, you can also easily disable DeX with the Knox SDK.

App Permission Monitor updates

App Permission Monitor is a feature enabled by default that alerts end users when apps attempt to access a predefined permission while running in the background.

The Knox 3.1 SDK includes two new management features for the App Permission Monitor.

Enable and disable access to App Permission Monitor

By design, enterprise apps may need to constantly access certain sensitive permissions while running in the background. For the peace of mind of your users, you may want to disable App Permission Monitor.

If you want to ensure that users are conscious of apps which may be requesting device permissions while running in the background, you can also enable access to this feature.

Add or Remove specific apps from the App Permission monitor list

For security and compliance purposes, your enterprise apps may request access to permissions such as location while running in the background. For example, your app may include a geofencing feature that prevents users from using the camera while at the office. You may want to remove enterprise apps from the monitor list to distinguish them from potentially harmful third-party apps that are requesting the same types of permissions while running in the background.

Knox SDK 3.0 (Knox API level 24)

January 2018

This Samsung Knox SDK v3.0 release provides significant improvements to the developer experience as well as powerful new features, which are described below.

Samsung Knox SDK

The new Samsung Knox SDK combines, refactors, and enhances these Samsung Knox SDKs:

  • Knox Standard
  • Knox Premium
  • Knox Customization
  • Knox ISV

There is now only one Samsung Knox SDK package to download, one JAR library to import, one API Reference to search for API methods, and one Developer Guide describing how to use the SDK features. This new SDK also consolidates the following:

  • Version — As the merged SDKs had different SDK version numbers, the new Knox SDK uses a single 3.0 version number and Knox API level 24. The Knox API level is similar to the Android API level. Each Knox SDK version has been mapped to this Knox API level. To find the API level supported by a device, call the API method EnterpriseDeviceManager.getApiLevel. In the device Settings > Device > Software Info, the Knox version now shows this Knox API level.

  • Namespace — All Samsung Knox SDK packages, intents, and permissions now use this namespace: com.samsung.android.knox. Previously, there were multiple namespaces, including one in the Google domain (android.app.enterprise). Unifying the namespace simplifies coding, troubleshooting, and support, and removes the possibility of future overlaps with Google.
  • Structure — API methods have been re-organized for better discoverability and renamed for consistency. The API methods that were in the generic class called MiscPolicy have been moved into more appropriate classes. Some classes have been renamed. For example, Attestation is now called AttestationPolicy for more consistency with other class names.
  • Deprecation — In the new consolidated Knox SDK, we have removed API methods that were already deprecated in the legacy Knox Standard, Premium, Customization, and ISV SDKs. We’ve also removed API methods that were duplicated across legacy SDKs or not being used as indicated by our analytics. This was to streamline the new Knox SDK and ease usability moving forward. The Knox 3.0 platform installed on devices still supports these deprecated API methods. However, we discourage using these API methods as we will likely remove support for them in the near future. For a list of the deprecated API methods, see the Samsung Knox SDK Migration Guide.

For more about updating namespaces and replacing deprecated API methods for this new consolidated Knox SDK, see the Samsung Knox SDK Migration Guide and Knox SDK Sample Apps.

Knox Platform for Enterprise (KPE) license key

Knox 3.0 uses a Beta version of a new consolidated Knox Platform for Enterprise (KPE) license key, which is designed to replace the following licenses.

  • ELM — Enterprise License Management. This license gives developers access to the enterprise-grade Knox Standard SDK.
  • ISV — Independent Software Vendor. This license gives developers access to basic security features in the Knox ISV SDK.
  • KLM — Knox License Management. This license gives developers access to paid features in the Knox Premium and Knox Customization SDKs.

There are 2 types of Samsung license:

  • Development — Gives you access to all features in the Knox SDK, but only on a limited number of devices and for a limited time period. This is meant for testing purposes only. You can get this Development license through the SEAP portal.
  • Commercial — When you are ready to release an app on many devices for a longer time period, you use a Commercial license. If your app uses:
    • only free features (in other words, those that were in the Knox Standard and ISV SDKs) — You can generate a Commercial Knox Platform for Enterprise (KPE) license key from the SEAP Portal.
    • paid features (that were in Knox Premium and Knox Customization SDKs) — An authorized Knox Reseller or EMM Vendor buys Commercial licenses from the Global Samsung Business Network (GSBN). They do so on behalf of each enterprise customer so that license activations can be tracked and billed separately.

Knox 3.0 also introduces Android-style permission declaration. You can optionally declare at a granular level the permissions that your app needs to call API methods in the Knox SDK. This is to tighten security, by limiting what an app can do. To use this new permissions model, update your Android manifest file (AndroidManifest.xml) to include these tags:

  • <meta-data>: to enable Knox selective permissions
    • For example: <meta-data android:name="com.samsung.knoxlicensing.permissions" android:value="true"/>
    • Not required for KPE. Optional for ELM & KLM.
  • <uses-permission>: to declare each permission used by the app
    • For example: <uses-permission android:name="com.samsung.android.knox.permission.KNOX_HW_CONTROL"/>

Here is a sample manifest file:

To find out which permission is needed by an API method, see the Knox SDK API Reference. For example, the com.samsung.android.knox.permission.KNOX_CONTAINER permission can be found in createContainer.
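A build-time check for the selective permission model described above, added here as an example (it is not from the Knox documentation or SDK). The function name, the sample manifest and the `needed` set are assumptions for illustration; the meta-data name and the permission namespace are the ones quoted on this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
VALUE = "{%s}value" % ANDROID_NS

# Identifiers quoted on this page.
SELECTIVE_META = "com.samsung.knoxlicensing.permissions"
KNOX_NAMESPACE = "com.samsung.android.knox."
KNOX_PERMISSION_PREFIX = KNOX_NAMESPACE + "permission."

# Constructed sample manifest (hypothetical app). It over-declares
# KNOX_HW_CONTROL and misspells the namespace of KNOX_CONTAINER.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.knoxdemo">
  <uses-permission
      android:name="com.samsung.android.knox.permission.KNOX_HW_CONTROL"/>
  <uses-permission
      android:name="com.samsung.android.knox.premission.KNOX_CONTAINER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <meta-data android:name="com.samsung.knoxlicensing.permissions"
               android:value="true"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text, needed):
    """Compare declared Knox permissions with the set the app needs.

    `needed` holds the fully qualified permissions that the API reference
    lists for the Knox methods the app calls.
    """
    root = ET.fromstring(xml_text)

    # The opt-in tag is matched wherever it sits in the manifest.
    selective = any(
        md.get(NAME) == SELECTIVE_META
        and (md.get(VALUE) or "").lower() == "true"
        for md in root.iter("meta-data")
    )

    declared = {
        el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)
    }
    knox = {p for p in declared if p.startswith(KNOX_PERMISSION_PREFIX)}
    # Inside the Knox namespace but not under ".permission.": a likely typo
    # that leaves the intended permission undeclared.
    malformed = {
        p for p in declared if p.startswith(KNOX_NAMESPACE) and p not in knox
    }
    needed = set(needed)
    return {
        "selective_enabled": selective,
        "knox_permissions": sorted(knox),
        "malformed": sorted(malformed),
        "missing": sorted(needed - knox),   # needed but not declared
        "unused": sorted(knox - needed),    # declared but not needed
    }


if __name__ == "__main__":
    wanted = {KNOX_PERMISSION_PREFIX + "KNOX_CONTAINER"}
    for key, value in audit_manifest(SAMPLE_MANIFEST, wanted).items():
        print(key, value)
```

Entries reported under `unused` are candidates for removal, which keeps the app's declared Knox permissions to the minimum it needs.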

See also:

  • License Keys — to generate a license and see what permissions (free or paid) you get with the license
  • Knox licenses — for more about the new Knox Platform for Enterprise (KPE) license key

New Knox Workspace container architecture

We’ve updated the Knox Platform for Enterprise solution with a new Workspace container architecture to enhance user experience.

  • Knox APIs can now control Android Work profiles.
  • Android Work Profiles can easily be upgraded to Knox Workspace without wiping your device.

As part of this change, customers can leverage Knox features and APIs on Android’s Work Profile and Work Managed Device modes. The:

  • Profile Owner can activate a Knox License and leverage Knox features on Android Work Profile
  • Device Owner can activate a Knox License and leverage Knox features on Android Work Managed Device

For an example of how to apply a Knox license to a work profile, see this Tutorial.

Network Platform Analytics

This feature enables the real-time monitoring of network flow behaviours without granting access to all network data. Using NPA has much better privacy claims than using VPN or proxy technology alternatives to analyse traffic. In addition, NPA can provide more granular data than VPN or web proxy solutions. Management apps, such as MDM clients, can call NPA APIs to register a network analyser to collect metadata about network data flows. Once registered, the analyser then receives flow details that allow the app to analyse network patterns without exposing the analyser to sensitive network data such as plaintext passwords, business documents, or employee communications.

Knox 3.0 introduces these new features:

  • Full IPv6 support
  • DNS lookups are now associated with the app that requested them
  • Parent process hash is now included in the netflow data

For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.

Device Customization

The Knox SDK lets Systems Integrators develop an Android app that restricts what users can do on a device. You can configure new features as they release on new Samsung devices and Android versions. This is designed for System Integrators who need an extra level of configurability on the Samsung Android platform.

With Version 3.0 of the Knox SDK, you can configure features in the Android 8.0 Oreo release:

  • Hard key remapping (setHardKeyIntentState, getHardKeyIntentState) — Controls whether or not the pressing of a particular hard key (power, volume up, volume down, home, back, menu) broadcasts an intent, which can be handled by the registered broadcast receivers. This feature was previously supported only in ProKiosk mode, through the API package com.samsung.android.knox.custom.ProKioskManager, but is now also available outside of ProKiosk mode, through com.samsung.android.knox.custom.SystemManager.
  • Home screen mode (setHomeScreenMode, getHomeScreenMode) — Selects whether a device supports:
    • Home screen only — The home screen is the only place where you can launch apps, and can't be deleted unless there are no app shortcuts on it.
    • Home screen with separate app launcher screens — The home screen page can be deleted because the app launcher screens also display all app shortcuts that are on the home screen.

Deprecated API Methods

The following API methods have been deprecated in this release:

  • SettingsManager
    • Deprecated API methods: set/getBluetoothVisibilityTimeout, setUnknownSourcesState, setWifiNetworkNotificationState
    • Reason: Outdated feature
  • SystemManager
    • Deprecated API methods: copyAdbLog, set/getBootAnimation, set/getCheckCoverPopupState, set/getShutdownAnimation, set/getWifiConnectedMessageState
    • Reason: Outdated feature

The following API methods will be deprecated from the Knox SDK within a year. Please prepare to stop using these as well.

  • AdvancedRestrictionPolicy
    • To be deprecated: enableODETrustedBootVerification, isODETrustedBootVerificationEnabled
    • Reason: Overlap with Android APIs
  • RestrictionPolicy
    • To be deprecated: enableWearablePolicy, isWearablePolicyEnabled
    • Reason: Low usage
  • SettingsManager
    • To be deprecated: set/getBackupRestoreState, set/getChargingLEDState, set/getLTESettingState, set/getWifiFrequencyBand
    • Reason: Low usage
  • SystemManager
    • To be deprecated: getToastGravityXOffset, getToastGravityYOffset, sendDtmfTone, set/getInfraredState, set/getToastGravity, set/getToastGravityEnabledState, set/getToastShowPackageNameState, set/getVolumeButtonRotationState
    • Reason: Low usage

Also note the following:

  • Consolidated (One) SDK — API methods were deprecated due to redundancy across SDKs or low usage. For a full list of these API methods, see the Samsung Knox SDK Migration Guide.

  • Unification — API methods were deprecated due to overlap with Android Enterprise.

For more information ...

To learn more about the Knox SDK, check out these resources: