What's new in the Knox SDK
Find out what's new in these releases of the Samsung Knox SDK:
Knox SDK 3.4 (Knox API level 29)
Samsung Knox SDK version 3.4 extends our leadership in advanced security, innovative usability, and comprehensive device management for our partners, developers, and enterprise customers. Read on for more info about these new features in the 3.4 release.
Knox 3.4 includes enhancements to Dual Data-at-Rest (DualDAR) encryption, which was released in Knox 3.3. With this release, DualDAR provides improvements to availability, performance, and security.
- Zero Day support: IT admins are now empowered to use DualDAR features the moment they're released. Through the Knox Service Plugin (KSP) and Knox Mobile Enrollment (KME), IT admins can now create DualDAR workspace containers and configure policies, before UEM providers include customized DualDAR support through their web consoles. For more, see the Release Notes for KSP and KME.
- Device Encrypted Storage: To enhance app stabilization, work apps can now write to DE storage by default. DE storage is available both during Direct Boot mode and after the user has unlocked the device. The default value for the configurable parameter DE restriction in the DualDARPolicy class is now set to false. To restrict writes to DE storage, you must create a package whitelist and set the value for DE restriction to
For additional information on new DualDAR features included in the Knox 3.4 release, go to the UEM integration guide. For information on how to implement a custom solution to leverage control over your security, visit the new ISV integration guide.
Samsung is extending its device attestation solution to improve the way we check for devices that are rooted or running unofficial firmware.
With this Knox 3.4 release, we are launching Attestation v3, which provides these features:
- Better correlation of results: Through the use of the Samsung Attestation Key (SAK), which is unique to each device.
- Better device status diagnostics: Through enhancements to our server-side validation check logic.
Deep Settings Customization
Samsung already provides extensive Knox SDK APIs to configure a wide range of features on our mobile devices. To enable rapid, zero-day adoption of the new features, you can also use the Knox Service Plugin.
You can customize device settings such as:
- location tracking
- Wi-Fi and NFC control
- status bar notifications
- biometrics and security
For more information about:
- how enterprise IT admins can configure new device features using the Knox Service Plugin, see the Admin Guide.
- how developers can add the Knox Service Plugin to their web consoles, see Managed Configurations.
The Knox 3.4 release includes new DeX customization features made available through the Knox Service Plugin. You can:
- Hide certain app icons.
- Customize the DeX Panel.
- Turn the Suggested Apps on or off.
- Turn the Mouse Cursor Flow on or off.
- Turn the Keyboard toolbar and Predictive text on or off.
- Skip the DeX welcome screen.
- Hide the Samsung DeX launcher icon from the quick panel.
See how enterprises can customize DeX by browsing the KSP Admin Guide, and how developers can deploy the Knox Service Plugin by browsing the guide. For info about DeX features that can be managed through the Knox SDK, see Samsung DeX and Knox and the DeXManager class.
Custom names for Personal and Workspace tabs
Knox 3.2.1 originally introduced a tab-based UI for Personal and Workspace apps.
With Knox 3.4, IT admins can now customize the names of the Personal and Workspace tabs.
Developers can support this feature using the Knox SDK API setCustomResource(). This displays custom text in the tabbed view in place of the default Personal and Workspace labels. To learn more, see Custom tab names.
APN Mobile Virtual Network Operator
Starting with Android 9.0 (Pie), you must configure the APN Mobile Virtual Network Operator (MVNO) for some carriers and SIM cards.
With Knox 3.4, you can use ApnSettings to configure the MVNO type and value for a device. For devices with Android 9.0 but Knox 3.3 or earlier, you can use reflection to set these values. For details, see Access Point Name.
Knox VPN SDK
The Knox VPN SDK was designed for VPN service providers, to create apps that can handle requests to set up VPN tunnels through their proprietary infrastructure. The Knox VPN SDK has already been merged into the Knox SDK v3.3, through the package com.samsung.android.knox.net.vpn.serviceprovider. With this Knox SDK v3.4, the Knox VPN SDK is obsolete and all VPN SDK functionality must be accessed through the Knox SDK. This change provides these key benefits:
- simplifies the development workflow for developers
- further strengthens the capabilities of the Knox SDK
- simplifies the licensing flow required to use the VPN APIs. Going forward, all VPN APIs are activated with the same license key as the Knox SDK – the Knox Platform for Enterprise key
If you are using the Knox VPN SDK, you need to update your apps or services to reflect this change. You do not have to update any API packages, classes, or methods, as these remain the same. You do need to import the Knox SDK library and change the old namespace (com.sec.vpn.knox) to the new namespace (com.samsung.android.knox).
Knox Workspace containers
Starting with Knox 3.0 in Android O, we began harmonizing the Knox Platform for Enterprise (KPE) with Android Enterprise (AE), to simplify your deployment of solutions across all Android devices. With harmonization, you can apply advanced and differentiated KPE features to AE Work Managed Devices and Work Profiles.
To this end, we are now deprecating the Corporate Liable (CL) mode of the Knox Workspace container on the Note 10 and later devices. The Corporate Liable mode will however continue to work on S10 and earlier devices, even if they are upgraded to Knox 3.4.
Instead of the Knox Workspace container, deploy these AE use models:
- Work Managed Device (as a DO) and Work Profile (as a PO). This replaces the Corporate Liable mode being deprecated with the Note 10 onwards.
- Work Managed Device (as a DO). This replaces the Container Only Mode (COM) that was deprecated with the S10 onwards.
To apply Knox features to any of these AE use models, activate a KPE license. For details, see the tutorial Apply Knox features to Work Profile.
Knox TIMA CCM Keystore
The Knox SDK 3.4.1 release begins the deprecation of the Knox TIMA and Client Certificate Manager (CCM) keystore. In Android Q, a warning message will be displayed in Android Studio’s debugger or APK log viewer upon compiling your app. In Android R onwards, a “Class not found exception” will be displayed. If your app is using the Knox keystore, use the Android keystore instead.
- You must re-install certificates that were kept in the Knox keystore to the Android keystore.
- Also deprecated are Certificate Signing Requests (CSR), Certificate Enrollment Protocols (CEP), and ExemptList. These are being deprecated not because they are supported in the Android keystore but due to lack of use.
Knox SDK 3.3 (Knox API level 28)
Samsung Knox SDK version 3.3 adds even more APIs and framework features for developers, MDMs, and users. APIs have been added to provide functionality to container encryption, Samsung DeX, and Network Analytics. Knox is built and secured at a hardware level, and with the Knox 3.3 SDK, Samsung Verified Boot now monitors and protects the boot loading.
With a single layer of encryption, potential flaws in the implementation may result in a single point of failure. Dual Encryption (DualDAR) secures confidential work data with two layers of encryption, while providing security even when the device is powered off or is in an unauthenticated state. DualDAR enables highly regulated enterprises to ensure their confidential work data is protected by meeting the Commercial Solutions for Classified Program (CSFC) regulation.
For more information on the new Knox 3.3 Dual DAR feature, learn how to configure a DualDAR Workspace.
Container Only Mode (COM) deprecation
Container Only Mode is obsolete as of the Galaxy S10 or later devices.
Note: Samsung Note 9/S9 devices or earlier with COM/CL containers will be supported throughout the life of the device. For more information, see this bulletin notice.
Knox on DeX
Samsung DeX has new features and APIs to give and restrict access using the Knox platform. For API implementation, see Samsung DeX with Knox and the Knox 3.3 API reference guide.
VPN namespace changes
With the Knox SDK v3.0 release, all apps must use the new Android namespace conventions, as described in IMPORTANT NOTICE: Reminder to transition from old namespaces. The Knox VPN SDK still uses the old namespace conventions. Following the Android Q and Knox SDK 3.4 releases in the later part of 2019 or the early part of 2020, this merge requires VPN clients to be updated to use the new namespaces. For more information on updating your VPN clients to use the new namespace, see VPN namespace changes.
VPN improvements and enhancements
Knox SDK v3.3 includes several enhancements that improve user experience and performance of VPN clients on the Knox framework. The enhancements include, but are not limited to the following:
- Support multi-app tunnelling: These enhancements improve user experience when using VPN tunnels that impact more than one app at a time. As a result of these enhancements, users can connect with and start using business apps immediately after the VPN tunnel is established.
- Synchronize Knox events with Android networking events: These enhancements improve the performance of VPN clients by synchronizing Knox events with Android networking events. This change means that the Knox container recognizes that the VPN client is connected without any delay.
- Provide ongoing network flow information for NPA purposes: This new feature improves the performance of EMM-based Network Performance Assessment tools by providing information about network data flow while the connection is ongoing. This feature means admins now have the ability to configure their EMM-based NPA tools to receive network statistics while a network connection is ongoing. This functionality is especially useful in cases where network sessions last for a long time. For more information, see Configure NPA reporting.
Without this feature enabled, Firewall policies can affect whitelist rules applied by Domain Filter. After enabling this API, admins can:
- Use FirewallRule to block all IPs on a specified device.
- Use the DomainFilterRule() to allow specific domains to be whitelisted even if the IPs are blocked using Firewall policies.
To learn more about this new feature, visit the Firewall section of the Knox SDK user guide.
Contact Storage restrictions
Take control over where device contacts are stored. Remove the risk of local contacts, which can be lost and become out of sync with your corporate enterprise. For API implementation, see contacts storage and the Knox 3.3 API reference guide.
Knox SDK 3.2.1 (Knox API level 27)
Knox SDK version 3.2.1 release has three major improvements to better improve security and device management. Firstly, new APIs have been developed for this release to allow more functionality in device management. Secondly, Knox Platform for Enterprise is built on the Android operating system, and with Knox v3.2.1 we leverage the Android Pie operating system to provide even more capabilities on a Samsung device. Finally, framework improvements have been added to the SDK to better optimize performance behind the scenes so you can focus on development.
New API overview
|Class||API methods and variables|
|BasePasswordPolicy||setResetPasswordToken (ComponentName admin, byte token)|
|clearResetPasswordToken (ComponentName admin)|
|isResetPasswordTokenActive (ComponentName admin)|
|resetPasswordWithToken (ComponentName admin, String password, byte token, int flags)|
|getTrustAgentConfiguration (ComponentName admin, ComponentName agent)|
|setTrustAgentConfiguration (ComponentName admin, ComponentName target, PersistableBundle configuration)|
For more information on Knox APIs see the full set of Knox API references. In addition to new Knox APIs for the Knox SDK v3.2.1 release there were also deprecated APIs. See deprecated API methods for a full list.
The Knox SDK features the CertificateProvisioning class, which supports IT Admins in managing certificates and keystores. Beginning with Knox 3.2.1, certificate installations with the KEYSTORE_DEFAULT flag will no longer require the user to unlock the device.
For details, see the API installCertificateToKeystore(), which allows the IT admin to silently install a CA certificate into a given keystore. To learn more about certificate provisioning, see About Keystores.
There are two major improvements to the Knox Platform for Enterprise's password class:
- The following Android APIs now exist on the Knox Platform: getTrustAgentConfiguration. The addition of these methods preserves the functionality of calling these APIs as device admin.
- The following APIs have been added as an alternative to resetPassword() to allow programmatic password modification without IT admin interaction:
For more information on Knox passwords, see the password section of the developer guide.
The Keyboard security framework has received a major usability upgrade while maintaining security between the personal and work profiles. Unlike Android Enterprise, Knox Platform for Enterprise allows users to choose their own IME in the personal space without the risk of leakage into the work space by separating the IMEs. Learn more about this update to the keyboard framework for KPE.
The Knox Generic VPN Framework enables common audit logs for VPN clients and helps non-native VPN clients meet NIAP security requirements.
To learn more about the types of events that are logged, see VPN Audit Logs.
The Knox SDK has the GenericVpnPolicy class, which allows IT Admins to configure SSL/IPSEC VPN profiles on multiple devices.
This release adds a number of enhancements to VPN, including:
- Performance optimization to increase the speed of establishing VPN connections for a large number of apps.
- Synchronization of VPN connection and firewall configuration events. This ensures that VPN connection is established only after firewall has finished preparing for VPN mode.
The Knox SDK Release 3.2.1 removes the mini launcher used to open the Knox Workspace and replaces it with a tabbed UI view. Apps now display in two categories: Personal and Work (Knox Workspace). Users can seamlessly switch between the Personal and Work tabs on the Home page.
To learn more about the tabbed UI view, see Tabbed UI View.
The Knox SDK Release 3.2.1 includes changes that let users open the Knox Workspace Settings right from the device's Settings.
To learn more about this change, see Workspace Settings.
Knox SDK 3.2 (Knox API level 26)
Knox SDK 3.2 introduces a variety of new features and capabilities for users and developers. This page highlights what's new for developers.
New API overview
DeX management APIs
DeX management APIs allow you to increase productivity and decrease costs by using your Samsung device to switch to a PC-like environment with ease.
setHomeAlignment – This API allows IT Admins to modify the way apps are aligned in DeX mode. For example, you can align apps in a preferred order. This is perfect for organizations that want to set up numerous identical workstations throughout their organization.
addURLShortcut – This API allows IT Admins to add a browser shortcut with a specific URL on the DeX home screen. This is useful for enterprises that require users to access a URL frequently – for example, an internal Intranet network. A customized icon can also be displayed.
In many situations, IT Admins may need to completely disable Bluetooth or Wi-Fi, and not just prevent the user from toggling it on or off. This can now be done with allowBLE() and allowWifiScanning(). This can increase security by preventing any malicious Bluetooth or Wi-Fi attacks from remotely triggering these services using background usage.
- Turn off Wi-Fi background scanning: Use allowWifiScanning() to completely turn off Wi-Fi and Wi-Fi background scanning.
- Turn off Bluetooth background scanning: Use allowBLE() to completely turn off Bluetooth and Bluetooth scanning.
These options are shown in the settings screen below.
The updated ProKiosk Manager API lets you enable ProKiosk Mode without having to reboot the device. This saves IT Admins time when they have to set up ProKiosk mode on a large batch of devices.
Rich communication services (RCS) message capture API
RCS messaging is a new messaging protocol which replaces SMS as the default messaging platform for carriers. It adds much needed features – such as group messages – and allows users to send more types of media. All of this is done over data instead of the cellular network, making it very similar to current IM apps that can be downloaded from the Play Store.
Knox 3.2 allows IT Admins to capture and record RCS messages (including attachable multimedia files). For many industries, such as the financial services, the ability to record and audit sent and received messages is required by law.
GetRCSMessage allows IT Admins to:
- Start RCS capture
- Stop RCS capture
UCM SDK merged to Knox SDK
As of Knox 3.2, the UCM SDK will be merged into the Knox SDK. New permissions are defined to streamline the license activation flow and make using both products easier. Vendors need to implement their UCM app with these new permissions, but do not have to change any APIs.
|Legacy Permissions||KNOX_UCM_OTHER_MGMT / KNOX_UCM_PLUGIN_SERVICE / KNOX_UCM_PRIVILEGED_MGMT / KNOX_UCM_ESE_MGMT|
|New UCM permissions||All the UCM features will be granted with this new UCM permission (KNOX_UCM_MGMT)|
Knox SDK 3.1 (Knox API level 25)
DeX management APIs
Samsung DeX is a revolutionary new technology that allows users to transform their mobile devices into powerful enterprise desktop machines with a simple docking station. As DeX becomes more popular among enterprises, there is growing urgency to provide IT admins with the same degree of granular management policies available for Samsung devices as a whole. For the 3.1 release, the Knox team is providing the following DeX-specific management APIs:
Add or remove app shortcuts
This feature allows enterprises to make the mobile and desktop home screens even more distinct from each other.
Change the DeX loading screen
Devices play a default animation while launching in DeX mode. Knox 3.1 provides APIs that allow you to add images and other branding assets to replace the default DeX loading logo. Create a more customized user experience with this new DeX feature.
Control screen timeout settings
The Knox SDK provides you with the flexibility to balance security concerns with convenience. You can set a screen timeout that ranges from seconds to weeks depending on your enterprise security policies.
Enforce Ethernet data connection
This feature ensures that users are running certain productivity apps using a secure Ethernet connection by preventing them from connecting to mobile data or Wi-Fi while in DeX mode.
Prevent certain apps from running in DeX
Disable personal apps, such as social media and games, while the device is in DeX mode. These APIs don’t affect devices after they’ve been disconnected from the DeX station. For more detailed information regarding these new APIs, including requirements and sample code, see the Knox SDK Developer Guide and Knox SDK API reference.
If you want to prevent DeX mode in an enterprise setting, you can also easily disable DeX with the Knox SDK.
App Permission Monitor updates
App Permission Monitor is a feature enabled by default that alerts end users when apps attempt to access a predefined permission while running in the background.
The Knox 3.1 SDK includes two new management features for the App Permission Monitor.
Enable and disable access to App Permission Monitor
By design, enterprise apps may need to constantly access certain sensitive permissions while running in the background. For the peace of mind of your users, you may want to disable App Permission Monitor.
If you want to ensure that users are conscious of apps which may be requesting device permissions while running in the background, you can also enable access to this feature.
Add or Remove specific apps from the App Permission monitor list
For security and compliance purposes, your enterprise apps may request access to permissions such as location while running in the background. For example, your app may include a geofencing feature that prevents users from using the camera while at the office. You may want to remove enterprise apps from the monitor list to distinguish them from potentially harmful third-party apps that are requesting the same types of permissions while running in the background.
Knox SDK 3.0 (Knox API level 24)
This Samsung Knox SDK v3.0 release provides significant improvements to the developer experience as well as powerful new features, which are described below.
Samsung Knox SDK
The new Samsung Knox SDK combines, refactors, and enhances these Samsung Knox SDKs:
- Knox Standard
- Knox Premium
- Knox Customization
- Knox ISV
There is now only one Samsung Knox SDK package to download, one JAR library to import, one API Reference to search for API methods, and one Developer Guide describing how to use the SDK features. This new SDK also consolidates the following:
- Version — As the merged SDKs had different SDK version numbers, the new Knox SDK uses a single 3.0 version number and Knox API level 24. The Knox API level is similar to the Android API level. Each Knox SDK version has been mapped to this Knox API level. To find the API level supported by a device, call the API method EnterpriseDeviceManager.getApiLevel. In the device Settings > Device > Software Info, the Knox version now shows this Knox API level.
- Namespace — All Samsung Knox SDK packages, intents, and permissions now use this namespace: com.samsung.android.knox. Previously, there were multiple namespaces, including one in the Google domain (android.app.enterprise). Unifying the namespace simplifies coding, troubleshooting, and support, and removes the possibility of future overlaps with Google.
- Structure — API methods have been re-organized for better discoverability and renamed for consistency. The API methods that were in the generic class called MiscPolicy have been moved into more appropriate classes. Some classes have been renamed. For example, Attestation is now called AttestationPolicy for more consistency with other class names.
- Deprecation — In the new consolidated Knox SDK, we have removed API methods that were already deprecated in the legacy Knox Standard, Premium, Customization, and ISV SDKs. We’ve also removed API methods that were duplicated across legacy SDKs or not being used as indicated by our analytics. This was to streamline the new Knox SDK and ease usability moving forward. The Knox 3.0 platform installed on devices still supports these deprecated API methods. However, we discourage using these API methods as we will likely remove support for them in the near future. For a list of the deprecated API methods, see the Samsung Knox SDK Migration Guide.
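To locate code that still needs the namespace migration described in the Namespace item above and in the Knox VPN SDK notes for 3.4, the following added example (not Samsung code) scans source text for the two legacy namespaces this page names. The file names and the `Example*` class names in the sample are constructed for illustration.

```python
import re
from typing import NamedTuple

# Legacy namespaces named on this page, with the note that retires them.
LEGACY_NAMESPACES = {
    "com.sec.vpn.knox": "Knox VPN SDK namespace, obsolete as of Knox SDK 3.4",
    "android.app.enterprise": "pre-3.0 namespace in the Google domain",
}
NEW_NAMESPACE = "com.samsung.android.knox"

# Match a legacy namespace only as a whole package prefix: not preceded by
# another identifier segment and not followed by more identifier characters.
_LEGACY_RE = re.compile(
    r"(?<![\w.])(" + "|".join(map(re.escape, LEGACY_NAMESPACES)) + r")(?!\w)"
)


class Finding(NamedTuple):
    path: str
    line: int
    namespace: str
    kind: str  # "import", "reference" or "comment"


def classify(line: str) -> str:
    """Say how a line uses the namespace, so comments can be triaged last."""
    stripped = line.lstrip()
    if stripped.startswith(("//", "/*", "*", "<!--")):
        return "comment"
    if stripped.startswith("import "):
        return "import"
    return "reference"


def scan_sources(files: dict) -> list:
    """files maps a path to its text; returns one Finding per legacy hit."""
    findings = []
    for path in sorted(files):
        for number, line in enumerate(files[path].splitlines(), start=1):
            for match in _LEGACY_RE.finditer(line):
                findings.append(
                    Finding(path, number, match.group(1), classify(line))
                )
    return findings


def files_to_migrate(findings) -> list:
    """Files with at least one hit in live code (imports or references)."""
    return sorted({f.path for f in findings if f.kind != "comment"})


# Constructed sample input: paths and Example* classes are hypothetical.
SAMPLE_SOURCES = {
    "app/src/VpnClient.java": """\
package com.example.vpn;

import com.sec.vpn.knox.ExampleVpnClass;
import com.samsung.android.knox.ExampleManager;

// was: android.app.enterprise.ExamplePolicy
class VpnClient {
    Object policy = new android.app.enterprise.ExamplePolicy();
}
""",
    "app/src/Clean.kt":
        "import com.samsung.android.knox.net.vpn.serviceprovider.ExampleService\n",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.path}:{f.line}: {f.kind} of {f.namespace} "
              f"({LEGACY_NAMESPACES[f.namespace]}); move to {NEW_NAMESPACE}")
```

The scan only reports locations; the exact replacement package for each class should be taken from the Samsung Knox SDK Migration Guide.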
Knox Platform for Enterprise (KPE) license key
Knox 3.0 uses a Beta version of a new consolidated Knox Platform for Enterprise (KPE) license key, which is designed to replace the following licenses.
- ELM — Enterprise License Management. This license gives developers access to the enterprise-grade Knox Standard SDK.
- ISV — Independent Software Vendor. This license gives developers access to basic security features in the Knox ISV SDK.
- KLM — Knox License Management. This license gives developers access to paid features in the Knox Premium and Knox Customization SDKs.
There are 2 types of Samsung license:
- Development — Gives you access to all features in the Knox SDK, but only on a limited number of devices and for a limited time period. This is meant for testing purposes only. You can get this Development license through the SEAP portal.
- Commercial — When you are ready to release an app on many devices for a longer time period, you use a Commercial license. If your app uses:
  - only free features (in other words, those that were in the Knox Standard and ISV SDKs) — You can generate a Commercial Knox Platform for Enterprise (KPE) license key from the SEAP Portal.
  - paid features (that were in Knox Premium and Knox Customization SDKs) — An authorized Knox Reseller or EMM Vendor buys Commercial licenses from the Global Samsung Business Network (GSBN). They do so on behalf of each enterprise customer so that license activations can be tracked and billed separately.
Knox 3.0 also introduces Android-style permission declaration. You can optionally declare at a granular level the permissions that your app needs to call API methods in the Knox SDK. This is to tighten security, by limiting what an app can do. To use this new permissions model, update your Android manifest file (AndroidManifest.xml) to include these tags:
- <meta-data>: to enable Knox selective permissions
  - For example: <meta-data android:name="com.samsung.knoxlicensing.permissions" android:value="true"/>
  - Not required for KPE. Optional for ELM & KLM.
- <uses-permission>: to declare each permission used by the app
Here is a sample manifest file:
To find out which permission is needed by an API method, see the Knox SDK API Reference. For example, the com.samsung.android.knox.permission.KNOX_CONTAINER permission can be found in
- License Keys — to generate a license and see what permissions (free or paid) you get with the license
- Knox licenses — for more about the new Knox Platform for Enterprise (KPE) license key
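The selective permission model above is only useful if the manifest declares no more Knox permissions than the app needs. The following added example (not Samsung code) audits a manifest for the `<meta-data>` flag, compares declared Knox permissions with a reviewer-supplied list, and flags the legacy UCM permissions listed in the Knox SDK 3.2 notes. The sample manifest is constructed, and the fully qualified form of the UCM permission in it is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SELECTIVE_FLAG = "com.samsung.knoxlicensing.permissions"  # from this page
KNOX_PREFIX = "com.samsung.android.knox.permission."      # from this page
# Short names from the UCM permission table in the Knox SDK 3.2 notes.
LEGACY_UCM = {
    "KNOX_UCM_OTHER_MGMT", "KNOX_UCM_PLUGIN_SERVICE",
    "KNOX_UCM_PRIVILEGED_MGMT", "KNOX_UCM_ESE_MGMT",
}
NEW_UCM = "KNOX_UCM_MGMT"

# Constructed sample manifest; the package name is hypothetical and the
# full name of the UCM permission is assumed to use the Knox prefix.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.knoxagent">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.samsung.android.knox.permission.KNOX_CONTAINER"/>
    <uses-permission android:name="com.samsung.android.knox.permission.KNOX_UCM_ESE_MGMT"/>
    <application>
        <meta-data android:name="com.samsung.knoxlicensing.permissions"
                   android:value="true"/>
    </application>
</manifest>
"""


def audit_manifest(xml_text: str, needed: set) -> dict:
    """Compare the Knox permissions a manifest declares with those needed.

    `needed` is the reviewer's list of full permission names, looked up per
    API method in the Knox SDK API Reference.
    """
    root = ET.fromstring(xml_text)

    # Selective permissions are on only if the flag is present and "true".
    selective = any(
        md.get(ANDROID + "name") == SELECTIVE_FLAG
        and (md.get(ANDROID + "value") or "").strip().lower() == "true"
        for md in root.iter("meta-data")
    )

    declared = {p.get(ANDROID + "name", "") for p in root.iter("uses-permission")}
    knox = sorted(p for p in declared if p.startswith(KNOX_PREFIX))

    # Match legacy UCM permissions on the short name so the check does not
    # depend on which namespace prefix the manifest used.
    legacy = sorted(
        short for short in (p.rsplit(".", 1)[-1] for p in declared)
        if short in LEGACY_UCM
    )

    return {
        "selective": selective,
        "knox_permissions": knox,
        "unneeded": sorted(set(knox) - needed),  # declared, not required
        "missing": sorted(needed - set(knox)),   # required, not declared
        "legacy_ucm": legacy,                    # replace with NEW_UCM
    }


if __name__ == "__main__":
    report = audit_manifest(
        SAMPLE_MANIFEST,
        needed={"com.samsung.android.knox.permission.KNOX_CONTAINER"},
    )
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["legacy_ucm"]:
        print(f"legacy UCM permissions found; the new permission is {NEW_UCM}")
```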
New Knox Workspace container architecture
We’ve updated the Knox Platform for Enterprise solution with a new Workspace container architecture to enhance user experience.
- Knox APIs can now control Android Work profiles.
- Android Work Profiles can easily be upgraded to Knox Workspace without wiping your device.
As part of this change, customers can leverage Knox features and APIs on Android’s Work Profile and Work Managed Device modes. The:
- Profile Owner can activate a Knox License and leverage Knox features on Android Work Profile
- Device Owner can activate a Knox License and leverage Knox features on Android Work Managed Device
For an example of how to apply a Knox license to a work profile, see this Tutorial.
Network Platform Analytics
This feature enables the real-time monitoring of network flow behaviours without granting access to all network data. Using NPA has much better privacy claims than using VPN or proxy technology alternatives to analyse traffic. In addition, NPA can provide more granular data than VPN or web proxy solutions. Management apps, such as MDM clients, can call NPA APIs to register a network analyser to collect metadata about network data flows. Once registered, the analyser then receives flow details that allow the app to analyse network patterns without exposing the analyser to sensitive network data such as plaintext passwords, business documents, or employee communications.
Knox 3.0 introduces these new features:
- Full IPv6 support
- DNS lookups are now associated with the app that requested them
- Parent process hash is now included in the netflow data
For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.
The Knox SDK lets Systems Integrators develop an Android app that restricts what users can do on a device. You can configure new features as they release on new Samsung devices and Android versions. This is designed for System Integrators who need an extra level of configurability on the Samsung Android platform.
With Version 3.0 of the Knox SDK, you can configure features in the Android 8.0 Oreo release:
- Hard key remapping (setHardKeyIntentState, getHardKeyIntentState) — Controls whether or not the pressing of a particular hard key (power, volume up, volume down, home, back, menu) broadcasts an intent, which can be handled by the registered broadcast receivers. This feature was previously supported only in ProKiosk mode, through the API package com.samsung.android.knox.custom.ProKioskManager, but is now also available outside of ProKiosk mode, through
- Home screen mode (setHomeScreenMode, getHomeScreenMode) — Selects whether a device supports:
  - Home screen only — The home screen is the only place where you can launch apps, and can't be deleted unless there are no app shortcuts on it.
  - Home screen with separate app launcher screens — The home screen page can be deleted because the app launcher screens also display all app shortcuts that are on the home screen.
Deprecated API Methods
The following API methods have been deprecated in this release:
|API Class||Deprecated API Method||Reason|
The following API methods will be deprecated from the Knox SDK within a year. Please prepare to stop using these as well.
|API Class||To be deprecated||Reason|
|Overlap with Android APIs|
Also note the following:
Consolidated (One) SDK — API methods were deprecated due to redundancy across SDKs or low usage. For a full list of these API methods, see the Samsung Knox SDK Migration Guide.
Unification — API methods were deprecated due to overlap with Android Enterprise.