What's new in the Knox SDK

Find out what's new in these releases of the Samsung Knox SDK:

Knox SDK 3.6 (Knox API level 32)

August 2020

Knox 3.6 advances Samsung's commitment to helping you securely customize mobile devices. It introduces additional Deep Settings options, hardware key mapping for the Galaxy XCover series, and new SDK features for firewall settings and Samsung DeX.

Deep Settings Customization

This release expands the list of deep settings introduced with Knox 3.4, delivering options to customize a device's settings menu for:

  • Wi-Fi Direct Share: On/Off, Gray Out, Hide/Show.
  • Picture in Picture: Gray Out, Hide/Show.
  • DeX monitor display resolution: Set resolution, Gray Out, Hide/Show.
  • Keyboard language shortcut: Set shortcut value.

Configure using the Knox Service Plugin (KSP). For more information, see the latest KSP release notes.

XCover Pro hardware key

Get the most out of Samsung XCover devices by customizing the XCover and Top hardware keys. The latest version of the Knox Service Plugin (KSP) lets you select short or long key presses to launch device apps. You can also opt to disable hardware key options in a device's settings menu. For more information, see the latest KSP release notes.

DeX Foreground App

Samsung DeX in dual mode increases mobile productivity, letting you use a device to present on an external display and complete tasks like note-taking at the same time.

You can now check if an app is in the foreground (in the DeX launcher) for dual mode. Use this to monitor and customize actions available to the device user while presenting.

To do this:

  1. Monitor the focus of an app's package with ApplicationPolicy.addPackagesToFocusMonitoringList().
  2. Inspect the ACTION_APPLICATION_FOCUS_CHANGE intent when a focus change occurs for that package.
  3. Extract the new EXTRA_APPLICATION_FOCUS_DEX_MODE field from the intent. The value is true if the app is in the DeX launcher.
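
The three steps above as one receiver, shown as an added example that is not Samsung sample code. The package name `com.example.presenter` is hypothetical. The location of the intent constants on `ApplicationPolicy`, the `KNOX_APP_MGMT` permission string, and the type of the focus status extra are assumptions not stated on this page.

```java
package com.example.dexmonitor; // hypothetical package for this added example

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.application.ApplicationPolicy;

import java.util.Collections;
import java.util.List;

public final class DexFocusMonitor extends BroadcastReceiver {
    private static final String TAG = "DexFocusMonitor";

    // Hypothetical app whose focus is tracked while the user presents in DeX dual mode.
    private static final String MONITORED_PACKAGE = "com.example.presenter";

    // Assumption: the Knox app-management permission guards this broadcast.
    private static final String KNOX_APP_MGMT =
            "com.samsung.android.knox.permission.KNOX_APP_MGMT";

    // Result of the most recent focus-change broadcast for the monitored package.
    private volatile boolean lastFocusChangeInDex;

    /** Step 1: add the package to the focus monitoring list, then listen for changes. */
    public static DexFocusMonitor start(Context context) {
        ApplicationPolicy policy =
                EnterpriseDeviceManager.getInstance(context).getApplicationPolicy();

        List<String> packages = Collections.singletonList(MONITORED_PACKAGE);
        if (!policy.addPackagesToFocusMonitoringList(packages)) {
            throw new IllegalStateException(
                    "Focus monitoring was not enabled for " + MONITORED_PACKAGE);
        }

        DexFocusMonitor monitor = new DexFocusMonitor();
        IntentFilter filter =
                new IntentFilter(ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE);
        // Requiring a sender permission means an ordinary app on the device cannot
        // feed this receiver a forged focus-change broadcast.
        context.registerReceiver(monitor, filter, KNOX_APP_MGMT, null);
        return monitor;
    }

    public boolean wasLastFocusChangeInDex() {
        return lastFocusChangeInDex;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Step 2: only act on the focus-change action.
        if (!ApplicationPolicy.ACTION_APPLICATION_FOCUS_CHANGE.equals(intent.getAction())) {
            return;
        }

        // Step 3: the DeX field is new in Knox 3.6, so it is absent on older devices.
        // Treat "absent" as "not in DeX" instead of trusting a default silently.
        if (!intent.hasExtra(ApplicationPolicy.EXTRA_APPLICATION_FOCUS_DEX_MODE)) {
            lastFocusChangeInDex = false;
            Log.w(TAG, "Focus change without DeX mode field; device is likely below Knox 3.6");
            return;
        }

        lastFocusChangeInDex = intent.getBooleanExtra(
                ApplicationPolicy.EXTRA_APPLICATION_FOCUS_DEX_MODE, false);

        // Assumption: the focus status (gained or lost) is delivered as a String extra.
        String status = intent.getStringExtra(ApplicationPolicy.EXTRA_APPLICATION_FOCUS_STATUS);
        Log.i(TAG, "Focus status=" + status + ", inDexLauncher=" + lastFocusChangeInDex);
    }
}
```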

Deprecated APIs

This release deprecates the following APIs due to low usage:

See also the complete list of Deprecated API methods.

Knox SDK 3.5 (Knox API level 31)

February 2020

Samsung Knox 3.5 introduces new settings for granular control over areas like user experience, roaming, and certificate management. Most of these features come with the Samsung Knox Service Plugin (KSP), meaning IT Admins can use them immediately upon release.

For developers, Knox 3.5 also includes an improved embedded Secure Element (eSE) applet for Universal Credential Management.

UCM-eSE applet enhancement

Set up credential storage with improved security on embedded secure elements (eSEs). Samsung’s refined, preloaded eSE applet for Universal Credential Management (UCM) supports the latest cipher and signature algorithms like ECDSA/ECDH, HMAC, and CMAC for modern smart card storage.

Knox SDK 3.4.1 (Knox API level 30)

December 2019

Samsung Knox SDK version 3.4.1 extends our device manageability capabilities, optimizes existing features, and further harmonizes Knox with Android Enterprise.

Remote Support Enhancements

With this release, you can now:

  • enable remote support to work inside a work profile, as this restriction has been removed
  • remotely view and control the Samsung DeX screen
  • use the Knox Service Plugin to enable or disable remote support, using AllowRemoteSupport

For more information, see Remote Support Overview, Remote Control for Work Profile, and Remote Control for DeX.

Find My Mobile Unlock

Previously, a device locked by IT policy could be unlocked by the end user using the Find My Mobile unlock function.

For better security, devices that have password policies such as password quality applied by an IT admin cannot be unlocked through Find My Mobile.

Android Enterprise Harmonization

We are continuing to harmonize our Knox Platform for Enterprise (KPE) with Android Enterprise (AE), with this change in Knox 3.4.1:

  • Workspace name replaced with Work—The KPE Workspace container has been harmonized with the AE Work Profile. Accordingly, on the device UI, the Personal and Workspace tabs have been renamed Personal and Work.

Deprecated features

We have deprecated KPE features that are not being used, according to our extensive analytics. This is to streamline our operations and allow us to focus more on delivering newly requested features and less on maintaining low usage features. If you are using any of these features, which are described below, please review your solutions to see if you can remove or replace the features.

Which low-use features are being deprecated?

  • Samsung Single Sign On (Kerberos) — Samsung SSO enables Samsung devices to authenticate users against an Active Directory (AD) infrastructure using the well-known Integrated Windows Authentication (IWA) with Negotiate (using MIT Kerberos V5). Due to low usage, however, we are deprecating this SSO feature. If you are using Samsung SSO, try exploring other SSO solutions like Azure AD.
  • Knox container unlock using AD — With AD Containers, IT admins can enable corporate AD credentials to unlock the Knox Workspace container on a mobile device. Due to very low usage, this feature is also being deprecated.
  • Knox Shared Device — Knox Shared Device enables several enterprise employees to use the same device, without divulging individual settings, accounts, apps, or policies. Currently, you can enable this feature only through Knox Configure. With Google now offering Managed guest session devices, we are deprecating the Knox Shared Device.
  • Knox Cloud SDK — The Knox Cloud SDK enables you to configure Samsung devices through web-based REST API calls. Again, due to very low usage, we are deprecating this feature. Instead, you can use the more powerful, up-to-date, and device-based Knox SDK or Knox Service Plugin.

Also, this feature is no longer available due to security reasons:

  • Install apps — Previously, end users could move an app from the Personal space to the Work space (managed profile), through the Work space settings > Install apps menu option, which is enabled through the API method RCPPolicy.allowMoveAppsToContainer. As customers have raised concerns about the security of unmanaged apps, we have removed the menu option and API. Now, if you need to install apps into the Work space, you need to use either Google Play or the API InstallApplication.

What is the deprecation timeline?

If you have new devices with Android Q (Android 10), you will not be able to use these features anymore.

If you have devices with Android P (Android 9) or earlier, you can still use these features. Details are as follows:

  • Samsung SSO (Kerberos) and AD container—You can still use these features after a Q OS upgrade. But the features will not be available in Android R.
  • Knox Shared Device—Shared Device has been enabled only through Knox Configure (KC). Shared Device will be unavailable from Android Q onwards, and cannot be enabled by Knox Configure. However, if you are already using Shared Device, you can still use it after a Q OS upgrade, but you can use Knox Configure only to disable it. The Knox Configure console will show the supported OS version for Shared Device, and provide Shared Device only for the devices which have supported OS.
  • Knox Cloud SDK—This will not be supported on Android Q devices. Additionally, on:
    • February 26, 2020—We will be ending support for Cloud SDK across all devices. That is to say, users will no longer be able to create or edit existing Cloud SDK profiles after this date. Users will also not be able to assign an existing Cloud SDK profile to a new device.
    • May 27, 2020—Existing Cloud SDK devices that have been factory reset will no longer be able to be enrolled via the Cloud SDK.

Deprecated APIs

To improve SDK usability and maintainability, we have continued to deprecate APIs that are not being used, as per our API usage analytics.

Below are the API classes that have some deprecated APIs. Note though that not all APIs in these classes are deprecated. For a complete list of the API methods that have been deprecated, see Deprecated API methods.

  • Device management—PasswordPolicy, APMPolicy, DeviceInventory
  • Networking—BluetoothSecurePolicy
  • App management—ApplicationPolicy
  • Email management—LDAPAccountPolicy
  • Data protection—DLPManagerPolicy
  • Keystore and certificate management—EnterpriseCertEnrollPolicy
  • Knox workspace—KnoxContainerManager, ContainerConfigurationPolicy, SEAMSPolicy, RCPPolicy
  • Customization—SystemManager, SettingsManager

The API Reference also indicates which classes and methods are deprecated with the note, Deprecated in API level 30.


  • Old SDK namespace no longer supported—As mentioned in our June 13 blog post, new Samsung devices running the Android 10 (Q) operating system no longer support our old SDK namespace. For info about migrating apps from the old to new SDKs and namespaces, see the migration intro.
  • Apps must handle runtime permissions—As mentioned in our May 28 blog post, apps must now handle dangerous permissions at runtime as Android 10 (Q) no longer supports the workaround that we had introduced in Android 6 (M).

Knox SDK 3.4 (Knox API level 29)

August 2019

Samsung Knox SDK version 3.4 extends our leadership in advanced security, innovative usability, and comprehensive device management for our partners, developers, and enterprise customers. Read on for more info about these new features in the 3.4 release.


Knox 3.4 includes enhancements to Dual Data-at-Rest (DualDAR) encryption, which was released in Knox 3.3. With this release, DualDAR provides improvements to availability, performance, and security.

  • Zero Day support: IT admins are now empowered to use DualDAR features the moment they're released. Through the Knox Service Plugin (KSP) and Knox Mobile Enrollment (KME), IT admins can now create DualDAR workspace containers and configure policies, before UEM providers include customized DualDAR support through their web consoles. For more, see the Release Notes for KSP and KME.
  • Device Encrypted Storage: To enhance app stabilization, work apps can now write to DE storage by default. DE storage is available both during Direct Boot mode and after the user has unlocked the device. The default value for the configurable parameter DE restriction in the DualDARPolicy class is now set to false. To restrict writes to DE storage, you must create a package whitelist and set the value for DE restriction to true.

For additional information on new DualDAR features included in the Knox 3.4 release, go to the UEM integration guide. For information on how to implement a custom solution to leverage control over your security, visit the new ISV integration guide.


Samsung is extending its device attestation solution to improve the way we check for devices that are rooted or running unofficial firmware.

With this Knox 3.4 release, we are launching Attestation v3, which provides these features:

  • Better correlation of results: Through the use of the Samsung Attestation Key (SAK), which is unique to each device.
  • Better device status diagnostics: Through enhancements to our server-side validation check logic.

For details, see Attestation (v3), the Tutorial, the new EnhancedAttestationPolicy class, and v3 REST API.

Deep Settings Customization

Samsung already provides extensive Knox SDK APIs to configure a wide range of features on our mobile devices. To enable rapid, zero-day adoption of the new features, you can also use the Knox Service Plugin.

You can customize device settings such as:

  • location tracking
  • Wi-Fi and NFC control
  • status bar notifications
  • biometrics and security

For more information about:

  • how enterprise IT admins can configure new device features using the Knox Service Plugin, see the Admin Guide.
  • how developers can add the Knox Service Plugin to their web consoles, see Managed Configurations.

DeX Management

The Knox 3.4 release includes new DeX customization features made available through the Knox Service Plugin. You can:

  • Hide certain app icons.
  • Customize the DeX Panel.
  • Turn the Suggested Apps on or off.
  • Turn the Mouse Cursor Flow on or off.
  • Turn the Keyboard toolbar and Predictive text on or off.
  • Skip the DeX welcome screen.
  • Hide the Samsung DeX launcher icon from the quick panel.

See how enterprises can customize DeX by browsing the KSP Admin Guide, and how developers can deploy the Knox Service Plugin by browsing the guide. For info about DeX features that can be managed through the Knox SDK, see Samsung DeX and Knox and the DeXManager class.

Custom names for Personal and Workspace tabs

Knox 3.2.1 originally introduced a tab-based UI for Personal and Workspace apps.

With Knox 3.4, IT admins can now customize the names of the Personal and Workspace tabs.

Developers can support this feature using the Knox SDK API setCustomResource(). This displays custom text in the tabbed view in place of the default Personal and Workspace labels. To learn more, see Custom tab names.

APN Mobile Virtual Network Operator

Starting with Android 9.0 (Pie), you must configure the APN Mobile Virtual Network Operator (MVNO) for some carriers and SIM cards.

With Knox 3.4, you can use ApnSettings to configure the MVNO type and value for a device. For devices with Android 9.0 but Knox 3.3 or earlier, you can use reflection to set these values. For details, see Access Point Name.

Deprecated features


The Knox VPN SDK was designed for VPN service providers, to create apps that can handle requests to set up VPN tunnels through their proprietary infrastructure. The Knox VPN SDK has already been merged into the Knox SDK v3.3, through the package With this Knox SDK v3.4, the Knox VPN SDK is obsolete and all VPN SDK functionality must be accessed through the Knox SDK. This change provides these key benefits:

  • simplifies the development workflow for developers
  • further strengthens the capabilities of the Knox SDK
  • simplifies the licensing flow required to use the VPN APIs. Going forward, all VPN APIs are activated with the same license key as the Knox SDK – the Knox Platform for Enterprise key

If you are using the Knox VPN SDK, you need to update your apps or services to reflect this change. You do not have to update any API packages, classes, or methods, as these remain the same. You do need to import the Knox SDK library and change the old namespace (com.sec.vpn.knox) to the new namespace (

For general information about updating an app to use the Knox SDK v3.x, see the migration tutorial. For details related to VPN apps, see VPN namespace changes.

Knox Workspace containers

Starting with Knox 3.0 in Android O, we began harmonizing the Knox Platform for Enterprise (KPE) with Android Enterprise (AE), to simplify your deployment of solutions across all Android devices. With harmonization, you can apply advanced and differentiated KPE features to AE Work Managed Devices and Work Profiles.

To this end, we are now deprecating the Corporate Liable (CL) mode of the Knox Workspace container on the Note 10 and later devices. The Corporate Liable mode will however continue to work on S10 and earlier devices, even if they are upgraded to Knox 3.4.

Instead of the Knox Workspace container, deploy these AE use models:

  • Work Managed Device (as a DO) and Work Profile (as a PO). This replaces the Corporate Liable mode being deprecated with the Note 10 onwards.
  • Work Managed Device (as a DO). This replaces the Container Only Mode (COM) that was deprecated with the S10 onwards.

To apply Knox features to any of these AE use models, activate a KPE license. For details, see the tutorial Apply Knox features to Work Profile.

Knox SDK 3.3 (Knox API level 28)

March 2019

Samsung Knox SDK version 3.3 adds even more APIs and framework features for developers, MDMs, and users. APIs have been added to provide functionality for container encryption, Samsung DeX, and Network Analytics. Knox is built and secured at a hardware level, and with the Knox 3.3 SDK, Samsung Verified Boot now monitors and protects the boot loading.


With a single layer of encryption, potential flaws in the implementation may result in a single point of failure. Dual Encryption (DualDAR) secures confidential work data with two layers of encryption, while providing security even when the device is powered off or is in an unauthenticated state. DualDAR enables highly regulated enterprises to ensure their confidential work data is protected by meeting the Commercial Solutions for Classified Program (CSFC) regulation.

For more information on the new Knox 3.3 Dual DAR feature, learn how to configure a DualDAR Workspace.

Container Only Mode (COM) deprecation

Container Only Mode is obsolete as of the Galaxy S10 or later devices.

Note: Samsung Note 9/S9 devices or earlier with COM/CL containers will be supported throughout the life of the device. For more information, see this bulletin notice.

Knox on DeX

Samsung DeX has new features and APIs to give and restrict access using the Knox platform. For API implementation, see Samsung DeX with Knox and the Knox 3.3 API reference guide.

VPN namespace changes

With the Knox SDK v3.0 release, all apps must use the new Android namespace conventions, as described in IMPORTANT NOTICE: Reminder to transition from old namespaces. The Knox VPN SDK still uses the old namespace conventions. Following the Android Q and Knox SDK 3.4 releases in the later part of 2019 or the early part of 2020, this merge requires VPN clients to update their clients to use the new namespaces. For more information on updating your VPN clients to use the new namespace, see VPN namespace changes. For more information about this change and how it impacts your VPN clients, see (link to blog post TBD).

VPN improvements and enhancements

Knox SDK v3.3 includes several enhancements that improve user experience and performance of VPN clients on the Knox framework. The enhancements include, but are not limited to, the following:

  1. Support multi-app tunnelling: These enhancements improve user experience when using VPN tunnels that impact more than one app at a time. As a result of these enhancements, users can connect with and start using business apps immediately after the VPN tunnel is established.
  2. Synchronize Knox events with Android networking events: These enhancements improve the performance of VPN clients by synchronizing Knox events with Android networking events. This change means that the Knox container recognizes that the VPN client is connected without any delay.
  3. Provide ongoing network flow information for NPA purposes: This new feature improves the performance of EMM-based Network Performance Assessment tools by providing information about network data flow while the connection is ongoing. This feature means admins now have the ability to configure their EMM-based NPA tools to receive network statistics while a network connection is ongoing. This functionality is especially useful in cases where network sessions last for a long time. For more information, see Configure NPA reporting.

Firewall support

Knox SDK 3.3 now supports the interaction between DomainFilter rules and Firewall policies on a specified device by introducing a new API enableDomainFilterOnIptables() that enables this new feature.

Without this feature enabled, Firewall policies can affect whitelist rules applied by Domain Filter. After enabling this API, admins can implement the following use cases:

  • Use FirewallRule to block all IPs in a specified device.
  • Use the DomainFilterRule() to allow specific domains to be white listed even if the IPs are blocked using Firewall policies.

To learn more about this new feature, visit the Firewall section of the Knox SDK user guide.

Contact Storage restrictions

Take control over where device contacts are stored. Remove the risk of local contacts, which can be lost and become out of sync with your corporate enterprise. For API implementation, see contacts storage and the Knox 3.3 API reference guide.

Knox SDK 3.2.1 (Knox API level 27)

December 2018

The Knox SDK version 3.2.1 release has three major improvements to security and device management. Firstly, new APIs have been developed for this release to allow more functionality in device management. Secondly, Knox Platform for Enterprise is built on the Android operating system, and with Knox v3.2.1 we leverage the Android Pie operating system to provide even more capabilities on a Samsung device. Finally, framework improvements have been added to the SDK to better optimize performance behind the scenes so you can focus on development.

New API overview

API methods and variables, by class:

Class: BasePasswordPolicy

  • setResetPasswordToken(ComponentName admin, byte[] token)
  • clearResetPasswordToken(ComponentName admin)
  • isResetPasswordTokenActive(ComponentName admin)
  • resetPasswordWithToken(ComponentName admin, String password, byte[] token, int flags)
  • getTrustAgentConfiguration(ComponentName admin, ComponentName agent)
  • setTrustAgentConfiguration(ComponentName admin, ComponentName target, PersistableBundle configuration)

Class: EnterpriseDeviceManager

  • getBasePasswordPolicy()

For more information on Knox APIs see the full set of Knox API references. In addition to new Knox APIs for the Knox SDK v3.2.1 release there were also deprecated APIs. See deprecated API methods for a full list.

Certificate Provisioning

The Knox SDK features the CertificateProvisioning class, which supports IT Admins in managing certificates and keystores. Beginning with Knox 3.2.1, certificate installations with the KEYSTORE_DEFAULT flag will no longer require the user to unlock the device.

For details, see the API installCertificateToKeystore(), which allows the IT admin to silently install a CA certificate into a given keystore. To learn more about certificate provisioning, see About Keystores.


There are two major improvements to the Knox Platform for Enterprise's password class:

  • The following Android APIs now exist on the Knox Platform: setTrustAgentConfiguration and getTrustAgentConfiguration. The addition of these methods preserves the functionality of calling these APIs as device admin.
  • The following APIs have been added as an alternative to resetPassword() to allow programmatic password modification without IT admin interaction: setResetPasswordToken, clearResetPasswordToken, isResetPasswordTokenActive, and resetPasswordWithToken.

For more information on Knox passwords, see the password section of the developer guide.
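
The token-based reset flow described above, shown as an added example that is not Samsung sample code. The method signatures are the ones listed in the New API overview. The import path of `BasePasswordPolicy`, the boolean return types, the 32-byte token length, and the use of Android's `DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY` as the `flags` value are assumptions taken from the Android APIs these methods mirror.

```java
package com.example.passwordreset; // hypothetical package for this added example

import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.devicesecurity.BasePasswordPolicy; // assumed import path

import java.security.SecureRandom;
import java.util.Arrays;

public final class ResetTokenProvisioner {
    // Assumption: same minimum token length as the Android API of the same name.
    private static final int TOKEN_BYTES = 32;

    private final BasePasswordPolicy policy;
    private final ComponentName admin;

    public ResetTokenProvisioner(Context context, ComponentName admin) {
        this.policy = EnterpriseDeviceManager.getInstance(context).getBasePasswordPolicy();
        this.admin = admin;
    }

    /**
     * Generates a random token and registers it with the device.
     * The caller should escrow the returned bytes off the device (for example on the
     * management server) and wipe its own copy afterwards.
     */
    public byte[] provision() {
        byte[] token = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(token);
        if (!policy.setResetPasswordToken(admin, token)) {
            Arrays.fill(token, (byte) 0);
            throw new IllegalStateException("Device rejected the reset password token");
        }
        return token;
    }

    /**
     * Resets the password with a previously provisioned token.
     * Returns false when the token is not active yet or the reset is refused.
     */
    public boolean resetPassword(String newPassword, byte[] token) {
        try {
            // A registered token may stay inactive until the user confirms their
            // current credential, so check before attempting the reset.
            if (!policy.isResetPasswordTokenActive(admin)) {
                return false;
            }
            return policy.resetPasswordWithToken(
                    admin, newPassword, token,
                    DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY);
        } finally {
            // Do not leave token material in memory longer than needed.
            Arrays.fill(token, (byte) 0);
        }
    }

    /** Revokes the token, for example when the device is unenrolled. */
    public boolean revoke() {
        return policy.clearResetPasswordToken(admin);
    }
}
```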


The Keyboard security framework has received a major usability upgrade while maintaining security between the personal and work profiles. Unlike Android Enterprise, Knox Platform for Enterprise allows users to choose their own IME in the personal space without the risk of leakage into the work space by separating the IMEs. Learn more about this update to the keyboard framework for KPE.

VPN Enhancements

Audit Log

The Knox Generic VPN Framework enables common audit logs for VPN clients and helps non-native VPN clients meet NIAP security requirements.

To learn more about the types of events that are logged, see VPN Audit Logs.

Performance Improvement

The Knox SDK has the GenericVpnPolicy class which allows IT Admins to configure SSL/IPSEC VPN profiles on multiple devices.

This release adds a number of enhancements to VPN, including:

  • Performance optimization to increase the speed of establishing VPN connections for a large number of apps.
  • Synchronization of VPN connection and firewall configuration events. This ensures that VPN connection is established only after firewall has finished preparing for VPN mode.

UI changes

Mini launcher

The Knox SDK Release 3.2.1 removes the mini launcher used to open the Knox Workspace and replaces it with a tabbed UI view. Apps now display in two categories: Personal and Work (Knox Workspace). Users can seamlessly switch between the Personal and Work tabs on the Home page.

To learn more about the tabbed UI view, see Tabbed UI View.


The Knox SDK Release 3.2.1 includes changes that let users open the Knox Workspace Settings right from the device's Settings.

To learn more about this change, see Workspace Settings.

Knox SDK 3.2 (Knox API level 26)

August 2018

Knox SDK 3.2 introduces a variety of new features and capabilities for users and developers. This page highlights what's new for developers.

New API overview

Class API Method

public int setHomeAlignment(int mode)

public int getHomeAlignment()

addURLShortcut(int x, int y, String title, String url, ComponentName component)

addURLShortcut(int x, int y, String title, String url, String imgName, ComponentName component, ParcelFileDescriptor imgFD)

removeURLShortcut(String url, in ComponentName component);

setForegroundModePackageList(int state, in List<String> pkgList);

List<String> getForegroundModePackageList();



public int startProKioskMode(String packageName, String passCode)

public int stopProKioskMode(String passCode)


public boolean allowBLE(boolean allow)

public boolean isBLEAllowed()

public boolean allowWifiScanning(boolean allow)

public boolean isWifiScanningAllowed()

PhoneRestrictionPolicy public Bundle getRCSMessage(long id)
NetworkAnalytics public int start(String profileName, Bundle flowTypeBundle)
EnterpriseDeviceManager public static int getUserId(UserHandle handle)

public int getErrorCode()

public int getTimeout()

DeX management APIs

DeX management APIs allow you to increase productivity and decrease costs by using your Samsung device to switch to a PC-like environment with ease.

setHomeAlignment – This API allows IT Admins to modify the way apps are aligned in DeX mode. For example, you can align apps in a preferred order. This is perfect for organizations that want to set up numerous identical workstations throughout their organization.

addURLShortcut – This API allows IT Admins to add a browser shortcut with a specific URL on the DeX home screen. This is useful for enterprises that require users to access a URL frequently – for example, an internal Intranet network. A customized icon can also be displayed.

Connection APIs

In many situations, IT Admins may need to completely disable Bluetooth or Wi-Fi, and not just prevent the user from toggling it on or off. This can now be done with allowBLE() and allowWifiScanning(). This can increase security by preventing any malicious Bluetooth or Wi-Fi attacks from remotely triggering these services using background usage.

  • Turn off Wi-Fi background scanning: Use allowWifiScanning() to completely turn off Wi-Fi and Wi-Fi background scanning.
  • Turn off Bluetooth background scanning: Use allowBLE() to completely turn off Bluetooth and Bluetooth scanning.

These options are shown in the settings screen below.

Enhancement APIs


The updated ProKiosk Manager API lets you enable ProKiosk Mode without having to reboot the device. This saves IT Admins time when they have to set up ProKiosk Mode on a large batch of devices.

Class API method

public int startProKioskMode(String packageName, String passCode)

public int stopProKioskMode(String passCode)

Rich communication services (RCS) message capture API

RCS messaging is a new messaging protocol which replaces SMS as the default messaging platform for carriers. It adds much needed features – such as group messages – and allows users to send more types of media. All of this is done over data instead of the cellular network, making it very similar to current IM apps that can be downloaded from the Play Store.

Knox 3.2 allows IT Admins to capture and record RCS messages (including attachable multimedia files). For many industries, such as the financial services, the ability to record and audit sent and received messages is required by law.

getRCSMessage allows IT Admins to:

  • Start RCS capture
  • Stop RCS capture

UCM SDK merged to Knox SDK

As of Knox 3.2, the UCM SDK will be merged into the Knox SDK. New permissions are defined to streamline the license activation flow and make using both products easier. Vendors need to implement their UCM app with these new permissions, but do not have to change any APIs.

New UCM permissions: All the UCM features will be granted with this new UCM permission (KNOX_UCM_MGMT).

Knox SDK 3.1 (Knox API level 25)

March 2018

DeX management APIs

Samsung DeX is a revolutionary new technology that allows users to transform their mobile devices into powerful enterprise desktop machines with a simple docking station. As DeX becomes more popular among enterprises, there is growing urgency to provide IT admins with the same degree of granular management policies available for Samsung devices as a whole. For the 3.1 release, the Knox team is providing the following DeX-specific management APIs:

Add or remove app shortcuts

This feature allows enterprises to differentiate the mobile and desktop home screens even further.

Change the DeX loading screen

Devices play a default animation while launching in DeX mode. Knox 3.1 provides APIs that allow you to add images and other branding assets to replace the default DeX loading logo. Create a more customized user experience with this new DeX feature.

Control screen timeout settings

The Knox SDK provides you with the flexibility to balance security concerns with convenience. You can set a screen timeout that ranges from seconds to weeks depending on your enterprise security policies.

Enforce Ethernet data connection

This feature ensures that users are running certain productivity apps using a secure Ethernet connection by preventing them from connecting to mobile data or Wi-Fi while in DeX mode.

Prevent certain apps from running in DeX

Disable personal apps, such as social media and games, while the device is in DeX mode. These APIs don’t affect devices after they’ve been disconnected from the DeX station. For more detailed information regarding these new APIs, including requirements and sample code, see the Knox SDK Developer Guide and Knox SDK API reference.

If you want to prevent DeX mode in an enterprise setting, you can also easily disable DeX with the Knox SDK.

App Permission Monitor updates

App Permission Monitor is a feature enabled by default that alerts end users when apps attempt to access a predefined permission while running in the background.

The Knox 3.1 SDK includes two new management features for the App Permission Monitor.

Enable and disable access to App Permission Monitor

By design, enterprise apps may need to constantly access certain sensitive permissions while running in the background. For the peace of mind of your users, you may want to disable App Permission Monitor.

If you want to ensure that users are conscious of apps which may be requesting device permissions while running in the background, you can also enable access to this feature.

Add or Remove specific apps from the App Permission monitor list

For security and compliance purposes, your enterprise apps may request access to permissions such as location while running in the background. For example, your app may include a geofencing feature that prevents users from using the camera while at the office. You may want to remove enterprise apps from the monitor list to distinguish them from potentially harmful third-party apps that are requesting the same types of permissions while running in the background.

Knox SDK 3.0 (Knox API level 24)

January 2018

This Samsung Knox SDK v3.0 release provides significant improvements to the developer experience as well as powerful new features, which are described below.

Samsung Knox SDK

The new Samsung Knox SDK combines, refactors, and enhances these Samsung Knox SDKs:

  • Knox Standard
  • Knox Premium
  • Knox Customization
  • Knox ISV

There is now only one Samsung Knox SDK package to download, one JAR library to import, one API Reference to search for API methods, and one Developer Guide describing how to use the SDK features. This new SDK also consolidates the following:

  • Version — As the merged SDKs had different SDK version numbers, the new Knox SDK uses a single 3.0 version number and Knox API level 24. The Knox API level is similar to the Android API level. Each Knox SDK version has been mapped to this Knox API level. To find the API level supported by a device, call the API method EnterpriseDeviceManager.getApiLevel. In the device Settings > Device > Software Info, the Knox version now shows this Knox API level.

  • Namespace — All Samsung Knox SDK packages, intents, and permissions now use this namespace: Previously, there were multiple namespaces, including one in the Google domain ( Unifying the namespace simplifies coding, troubleshooting, and support, and removes the possibility of future overlaps with Google.
  • Structure — API methods have been re-organized for better discoverability and renamed for consistency. The API methods that were in the generic class called MiscPolicy have been moved into more appropriate classes. Some classes have been renamed. For example, Attestation is now called AttestationPolicy for more consistency with other class names.
  • Deprecation — In the new consolidated Knox SDK, we have removed API methods that were already deprecated in the legacy Knox Standard, Premium, Customization, and ISV SDKs. We’ve also removed API methods that were duplicated across legacy SDKs or not being used as indicated by our analytics. This was to streamline the new Knox SDK and ease usability moving forward. The Knox 3.0 platform installed on devices still supports these deprecated API methods. However, we discourage using these API methods as we will likely remove support for them in the near future. For a list of the deprecated API methods, see the Samsung Knox SDK Migration Guide.

For more about updating namespaces and replacing deprecated API methods for this new consolidated Knox SDK, see the Samsung Knox SDK Migration Guide and Knox SDK Sample Apps.

Knox Platform for Enterprise (KPE) license key

Knox 3.0 uses a Beta version of a new consolidated Knox Platform for Enterprise (KPE) license key, which is designed to replace the following licenses.

  • ELM — Enterprise License Management. This license gives developers access to the enterprise-grade Knox Standard SDK.
  • ISV — Independent Software Vendor. This license gives developers access to basic security features in the Knox ISV SDK.
  • KLM — Knox License Management. This license gives developers access to paid features in the Knox Premium and Knox Customization SDKs.

There are 2 types of Samsung license:

  • Development — Gives you access to all features in the Knox SDK, but only on a limited number of devices and for a limited time period. This is meant for testing purposes only. You can get this Development license through the SEAP portal.
  • Commercial — When you are ready to release an app on many devices for a longer time period, you use a Commercial license. If your app uses:
    • only free features (in other words, those that were in the Knox Standard and ISV SDKs) — You can generate a Commercial Knox Platform for Enterprise (KPE) license key from the SEAP Portal.
    • paid features (that were in Knox Premium and Knox Customization SDKs) — An authorized Knox Reseller or EMM Vendor buys Commercial licenses from the Global Samsung Business Network (GSBN). They do so on behalf of each enterprise customer so that license activations can be tracked and billed separately.

Knox 3.0 also introduces Android-style permission declaration. You can optionally declare at a granular level the permissions that your app needs to call API methods in the Knox SDK. This is to tighten security, by limiting what an app can do. To use this new permissions model, update your Android manifest file (AndroidManifest.xml) to include these tags:

  • <meta-data>: to enable Knox selective permissions
    • For example: <meta-data android:name="" android:value="true"/>
    • Not required for KPE. Optional for ELM & KLM.
  • <uses-permission>: to declare each permission used by the app
    • For example: <uses-permission android:name=""/>

Here is a sample manifest file:

To find out which permission is needed by an API method, see the Knox SDK API Reference. For example, the permission can be found in createContainer.

See also:

  • License Keys — to generate a license and see what permissions (free or paid) you get with the license
  • Knox licenses — for more about the new Knox Platform for Enterprise (KPE) license key

New Knox Workspace container architecture

We’ve updated the Knox Platform for Enterprise solution with a new Workspace container architecture to enhance user experience.

  • Knox APIs can now control Android Work profiles.
  • Android Work Profiles can easily be upgraded to Knox Workspace without wiping your device.

As part of this change, customers can leverage Knox features and APIs in Android’s Work Profile and Work Managed Device modes:

  • The Profile Owner can activate a Knox License and leverage Knox features on an Android Work Profile.
  • The Device Owner can activate a Knox License and leverage Knox features on an Android Work Managed Device.

For an example of how to apply a Knox license to a work profile, see this Tutorial.

Network Platform Analytics

This feature enables real-time monitoring of network flow behaviours without granting access to all network data. NPA has much stronger privacy properties than the VPN or proxy technologies otherwise used to analyse traffic. In addition, NPA can provide more granular data than VPN or web proxy solutions. Management apps, such as MDM clients, can call NPA APIs to register a network analyser that collects metadata about network data flows. Once registered, the analyser receives flow details that allow the app to analyse network patterns without exposing the analyser to sensitive network data such as plaintext passwords, business documents, or employee communications.

Knox 3.0 introduces these new features:

  • Full IPv6 support
  • DNS lookups are now associated with the app that requested them
  • Parent process hash is now included in the netflow data

For more about network data collection, see EnterpriseKnoxManager.getNetworkAnalytics and KnoxContainerManager.getNetworkAnalytics. For more about the data that can be collected, see NetworkAnalytics and NetworkAnalyticsConstants.
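The following is an added example, not Knox SDK code or Samsung's record format: a back-end review of flow metadata of the kind described above, using the three Knox 3.0 additions (IPv6 destinations, DNS lookups tied to an app, parent process hash). The record keys, app names, hashes, domains and addresses are all constructed assumptions; the real keys are defined in NetworkAnalyticsConstants.

```python
import ipaddress

# Per-app baseline an EMM back end might keep (constructed values).
BASELINE = {
    "com.example.mail": {
        "parent_hash": "ab" * 32,
        "domains": {"imap.example.com"},
        "networks": ["203.0.113.0/24", "2001:db8:10::/48"],
    },
}

# Constructed flow metadata; the keys are hypothetical, not the NPA schema.
FLOWS = [
    {"app": "com.example.mail", "parent_hash": "ab" * 32,
     "dns": "imap.example.com", "dst": "2001:db8:10::25"},
    {"app": "com.example.mail", "parent_hash": "cd" * 32,
     "dns": "imap.example.com", "dst": "203.0.113.7"},
    {"app": "com.example.mail", "parent_hash": "ab" * 32,
     "dns": "files.example.net", "dst": "2001:db8:ffff::1"},
    {"app": "com.example.game", "parent_hash": "ef" * 32,
     "dns": "ads.example.org", "dst": "198.51.100.9"},
]

def in_networks(dst, networks):
    """True if dst (IPv4 or IPv6 text) falls inside any baseline network."""
    addr = ipaddress.ip_address(dst)
    nets = (ipaddress.ip_network(n) for n in networks)
    return any(addr.version == n.version and addr in n for n in nets)

def review_flow(flow, baseline=BASELINE):
    """Return the reasons a flow deviates from its app's baseline."""
    expected = baseline.get(flow["app"])
    if expected is None:
        return ["app has no baseline"]
    reasons = []
    if flow["parent_hash"] != expected["parent_hash"]:
        reasons.append("unexpected parent process hash")
    if flow["dns"] not in expected["domains"]:
        reasons.append("unexpected DNS lookup for this app")
    if not in_networks(flow["dst"], expected["networks"]):
        reasons.append("destination outside expected networks")
    return reasons

def review_flows(flows, baseline=BASELINE):
    """Map flow index -> reasons, keeping only flows that deviate."""
    reviewed = ((i, review_flow(f, baseline)) for i, f in enumerate(flows))
    return {i: reasons for i, reasons in reviewed if reasons}
```

Every check runs on metadata alone, so the reviewer never needs payload access.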


Device Customization

The Knox SDK lets System Integrators develop an Android app that restricts what users can do on a device. You can configure new features as they are released on new Samsung devices and Android versions. This is designed for System Integrators who need an extra level of configurability on the Samsung Android platform.

With Version 3.0 of the Knox SDK, you can configure features in the Android 8.0 Oreo release:

  • Hard key remapping (setHardKeyIntentState, getHardKeyIntentState) — Controls whether or not the pressing of a particular hard key (power, volume up, volume down, home, back, menu) broadcasts an intent, which can be handled by the registered broadcast receivers. This feature was previously supported only in ProKiosk mode, through the API package, but is now also available outside of ProKiosk mode, through
  • Home screen mode (setHomeScreenMode, getHomeScreenMode) — Selects whether a device supports:
    • Home screen only — The home screen is the only place where you can launch apps, and can't be deleted unless there are no app shortcuts on it.
    • Home screen with separate app launcher screens — The home screen page can be deleted because the app launcher screens also display all app shortcuts that are on the home screen.

Deprecated API Methods

The following API methods have been deprecated in this release:

| API Class | Deprecated API Method | Reason |
| --- | --- | --- |
| | | Outdated feature |
| SystemManager | copyAdbLog | Outdated feature |

The following API methods will be deprecated from the Knox SDK within a year. Please prepare to stop using these as well.

| API Class | To be deprecated | Reason |
| --- | --- | --- |
| AdvancedRestrictionPolicy | enableODETrustedBootVerification | Overlap with Android APIs |
| RestrictionPolicy | enableWearablePolicy | Low usage |
| SettingsManager | set/getBackupRestoreState | Low usage |
| SystemManager | getToastGravityXOffset | Low usage |

Also note the following:

  • Consolidated (One) SDK — API methods were deprecated due to redundancy across SDKs or low usage. For a full list of these API methods, see the Samsung Knox SDK Migration Guide.

  • Unification — API methods were deprecated due to overlap with Android Enterprise.

For more information ...

To learn more about the Knox SDK, check out these resources: